Bug 1094837

Summary: spampd should not be started as root
Product: [Fedora] Fedora
Reporter: Erik Logtenberg <erik>
Component: spampd
Assignee: Matthias Saou <matthias>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 20
CC: bojan, i, matthias
Fixed In Version: spampd-2.30-20.fc20
Doc Type: Bug Fix
Last Closed: 2014-05-09 03:01:31 UTC
Type: Bug

Description Erik Logtenberg 2014-05-06 14:57:49 UTC
Description of problem:

The spampd service is started as root by default. The privilege drop to the spampd user/group is left to spampd, which doesn't actually drop privileges before completely initializing all SpamAssassin rule sets, thereby running an enormous amount of perl code from different sources as root.

There is no apparent reason for this, as there are no privileges required for reading the configuration and no privileged port is used either.

Systemd can take care of setting the right user, and should always be used as long as there is no good reason to do otherwise.

The fix is to simply add these two lines to the [Service] section of the spampd unit file, located at /usr/lib/systemd/system/spampd:

User=spampd
Group=spampd

The spampd binary is currently started with the "--u=spampd --g=spampd" options, which can be safely removed after adding the abovementioned lines, but this does cause spampd to try and become uid and gid 12 (mail), resulting in two ugly log lines:

spampd[31243]: Setting gid to "12 12"
spampd[31243]: Couldn't become gid "12": Bewerking niet toegestaan

So my humble advice is to just leave the "--u=spampd --g=spampd" options in there, so the log stays clean (that will prevent spampd from trying to change its uid).
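
An added example (not part of the bug report or of the spampd package): a small Python check that flags a unit whose [Service] section sets no User=, so that systemd starts the daemon as root and the only privilege drop is the one the daemon performs itself via --u=/--g=. The unit text is constructed for illustration and is not Fedora's actual spampd unit file; the function names are this example's own.

```python
import re

# Constructed sample unit, not Fedora's actual spampd unit file.
UNIT_BEFORE = """\
[Unit]
Description=Constructed sample: spam proxy daemon

[Service]
Type=forking
ExecStart=/usr/sbin/spampd --u=spampd --g=spampd
"""
# Same unit with the two lines proposed in the report added to [Service].
UNIT_AFTER = UNIT_BEFORE + "User=spampd\nGroup=spampd\n"


def service_settings(unit_text):
    """Return {key: [values]} for the [Service] section of a unit file."""
    settings, section = {}, None
    # systemd joins a line ending in a backslash with the next line.
    for raw in re.sub(r"\\\n", " ", unit_text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def audit(unit_text):
    """List findings about which account systemd starts the service as."""
    svc = service_settings(unit_text)
    user = svc.get("User", [""])[-1]  # last assignment wins
    findings = []
    if user in ("", "root", "0"):
        findings.append("starts-as-root")
        # The daemon is asked to change uid/gid itself, after start-up.
        own_drop = [m for cmd in svc.get("ExecStart", [])
                    for m in re.findall(r"--[ug]=\S+", cmd)]
        if own_drop:
            findings.append("self-drop:" + ",".join(own_drop))
    return findings


if __name__ == "__main__":
    for name, text in (("before", UNIT_BEFORE), ("after", UNIT_AFTER)):
        print(name, audit(text) or "ok")
```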

Comment 1 Fedora Update System 2014-05-06 22:13:52 UTC
spampd-2.30-20.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/spampd-2.30-20.fc20

Comment 2 Fedora Update System 2014-05-08 10:08:51 UTC
Package spampd-2.30-20.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing spampd-2.30-20.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6114/spampd-2.30-20.fc20
then log in and leave karma (feedback).

Comment 3 Fedora Update System 2014-05-09 03:01:31 UTC
spampd-2.30-20.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Erik Logtenberg 2014-05-09 09:15:25 UTC
Thanks for picking this up so quickly,