Red Hat Bugzilla – Bug 143189
spamassassin run as root and doesn't have accessible config directory
Last modified: 2007-11-30 17:10:57 EST
Please create a special user account for running spamd with a home
directory in /var/lib/spamassassin. Create an option in
/etc/sysconfig/spamassassin (for example SPAMDRUNAS=spamd) and modify
/etc/init.d/spamassassin (parameter -u user for spamd).

This is more secure than running SpamAssassin as root, even if spamd falls
back to nobody after being started as root.

The second reason is to have the spamd database in a directory other than
root's own, because when spamd falls back to nobody it is impossible to
read the contents of /root/.spamassassin (the Bayes database, for example).

spamd will already setuid to drop privileges based on the email for
whom it is being invoked. In other words, when user joe runs spamc,
spamd will setuid to become joe so it can access joe's own bayes
scores, configs, etc.

So although spamd is started as root, it doesn't do the majority of
its operations as root, and it being root lets it have added
functionality that otherwise would be missing.
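
The option requested in the report, sketched as an init-script fragment with the trade-off from the reply noted in a comment. This is an added example, not code from the Red Hat package: SPAMDRUNAS is the name proposed in the report, while the base options, the function names and the PASSWD_FILE override are assumptions.

```sh
#!/bin/sh
# Init-script fragment: opt-in unprivileged spamd via SPAMDRUNAS.
# SPAMDRUNAS is the name proposed in the report; the base options and
# function names are assumptions for this example.
SPAMDOPTIONS="-d -c -m5"

# Print one field of a user's passwd entry (3 = uid, 6 = home).
passwd_field() {
    awk -F: -v u="$1" -v f="$2" '$1 == u { print $f; exit }' \
        "${PASSWD_FILE:-/etc/passwd}"
}

# Print the spamd argument string for the configured account.
# Returns non-zero when the account must not be used.
build_spamd_args() {
    runas="$1"
    if [ -z "$runas" ]; then
        # Option unset: spamd starts as root and setuids per spamc user.
        printf '%s\n' "$SPAMDOPTIONS"
        return 0
    fi
    uid=$(passwd_field "$runas" 3)
    home=$(passwd_field "$runas" 6)
    if [ -z "$uid" ]; then
        echo "spamassassin: no such user: $runas" >&2
        return 1
    fi
    if [ "$uid" -eq 0 ]; then
        echo "spamassassin: $runas has uid 0, refusing" >&2
        return 1
    fi
    case "$home" in
        /root|/root/*)
            echo "spamassassin: home of $runas is under /root" >&2
            return 1 ;;
    esac
    # With -u, spamd runs as one account and no longer switches to the
    # user who invoked spamc, so all mail is scanned with that account's
    # configuration.
    printf '%s -u %s\n' "$SPAMDOPTIONS" "$runas"
}

# In the init script this would follow sourcing /etc/sysconfig/spamassassin.
build_spamd_args "${SPAMDRUNAS:-}"
```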