Permission denied /.spamassassin/bayes_* R/O

HestiaCp latest version, Debian 12 bookworm, SpamAssassin version 4.0.0. I made the changes but after a while the error reappears. I don’t understand why?!

drwx------ 3 debian-spamd debian-spamd    4096 Feb 23 06:25 .
drwxr-xr-x 6 debian-spamd debian-spamd    4096 Nov 30 21:22 ..
-rwxr-xr-x 1 debian-spamd debian-spamd  327680 Feb 23 06:25 bayes_seen
-rw------- 1 root         root         4501504 Feb 23 06:25 bayes_toks
drwxr-xr-x 2 debian-spamd debian-spamd    4096 Aug  1  2023 sa-compile.cache
-rw-r--r-- 1 debian-spamd debian-spamd    1912 Aug  1  2023 user_prefs
cannot open bayes databases /var/lib/spamassassin/.spamassassin/bayes_* R/O: tie failed: Permission denied
$ chown debian-spamd:debian-spamd bayes_toks
$ service spamd restart

I don’t know why Hestia should not touch anything in /var/lib/spamassassin/

Do you have any cron task or plugin in roundcube executing sa-learn to learn from ham/spam mails?

Yes
Auto-Learn spam/ham installer
v-hestiacp-sieve

root@panel:/etc/cron.daily# ls -lh
total 52K
-rwxr-xr-x 1 root root 1.5K May 25  2023 apt-compat
-rwxr-xr-x 1 root root  263 Sep 20 15:12 crowdsec
-rwxr-xr-x 1 root root  123 Mar 27  2023 dpkg
-rwxr-xr-x 1 root root 4.7K May  4  2021 exim4-base
-rwxr-xr-x 1 root root  377 Dec 14  2022 logrotate
-rwxr-xr-x 1 root root 1.4K Mar 13  2023 man-db
-rwxr-xr-x 1 root root  280 Aug  1  2023 php-session-cleanup
-rwxr-xr-x 1 root root  349 Feb  9  2021 quota
-rwxr-xr-x 1 root root   35 Feb 21 22:50 quotacheck
-rwxr-xr-x 1 root root 1.7K Apr 30  2023 spamassassin
-rwxr-xr-x 1 root root   59 Feb  6 16:13 spamham
-rwxr-xr-x 1 root root  518 Dec  4  2022 sysstat
root@panel:/etc/cron.daily#

grep SPAMD_USER /etc/dovecot/sieve/scan_reported_mails
cat /etc/cron.daily/spamham
root@panel:~# grep SPAMD_USER /etc/dovecot/sieve/scan_reported_mails
export SPAMD_USER='debian-spamd'
export SPAMD_USER_HOMEDIR="$(eval echo ~${SPAMD_USER})"
export SA_LEARN="sa-learn -u ${SPAMD_USER} --dbpath ${SPAMD_USER_HOMEDIR}/.spamassassin"
root@panel:~# cat /etc/cron.daily/spamham
#!/usr/bin/env bash
/etc/dovecot/sieve/scan_reported_mails
root@panel:~#

That looks fine so I don’t know what’s going on

It happens about once a week randomly. And I don’t understand why or what makes it like that.

You could audit the file with auditd

apt install auditd
echo '-w /var/lib/spamassassin/.spamassassin/bayes_toks -p wa -k monitor-bayes' >> /etc/audit/rules.d/audit.rules
systemctl restart auditd

With auditctl -l you will see the new watch added.

With ausearch -i -k monitor-bayes you will see all the events that happened to that file and you will see the command and the user that changed it.

With aureport -k you will see a simple list of the events.

Thank you. I’ll be back with an update.

Update.

type=PATH msg=audit(1708748717.012:10797): item=0 name="/var/lib/spamassassin/.spamassassin/" inode=17175316 dev=fd:00 mode=040700 ouid=110 ogid=118 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="debian-spamd" OGID="debian-spamd"
type=PATH msg=audit(1708748717.012:10797): item=1 name="/var/lib/spamassassin/.spamassassin/" inode=17175316 dev=fd:00 mode=040700 ouid=110 ogid=118 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="debian-spamd" OGID="debian-spamd"
type=PATH msg=audit(1708748717.012:10797): item=2 name="/var/lib/spamassassin/.spamassassin/bayes_toks.expire1193403" inode=17182240 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
type=PATH msg=audit(1708748717.012:10797): item=3 name="/var/lib/spamassassin/.spamassassin/bayes_toks" inode=17181409 dev=fd:00 mode=0100600 ouid=110 ogid=118 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="debian-spamd" OGID="debian-spamd"
type=PATH msg=audit(1708748717.012:10797): item=4 name="/var/lib/spamassassin/.spamassassin/bayes_toks" inode=17182240 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
type=PROCTITLE msg=audit(1708748717.012:10797): proctitle=2F7573722F62696E2F7065726C002D54202D77002F62696E2F73612D6C6561726E002D750064656269616E2D7370616D64002D2D646270617468002F7661722F6C69622F7370616D617373617373696E2F2E7370616D617373617373696E002D2D7370616D002F7661722F6D61696C2F696D617073696576655F636F70792F70
type=SYSCALL msg=audit(1708748717.128:10798): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=557f632252a0 a2=2 a3=0 items=1 ppid=1193380 pid=1193403 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7177 comm="sa-learn" exe="/usr/bin/perl" subj=unconfined key="monitor-bayes"ARCH=x86_64 SYSCALL=openat AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=CWD msg=audit(1708748717.128:10798): cwd="/"

type=PATH msg=audit(1708748719.928:10800): item=0 name="/var/lib/spamassassin/.spamassassin/bayes_toks" inode=17182240 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
type=PROCTITLE msg=audit(1708748719.928:10800): proctitle=2F7573722F62696E2F7065726C002D54202D77002F62696E2F73612D6C6561726E002D750064656269616E2D7370616D64002D2D646270617468002F7661722F6C69622F7370616D617373617373696E2F2E7370616D617373617373696E002D2D7370616D002F7661722F6D61696C2F696D617073696576655F636F70792F70
type=CRED_DISP msg=audit(1708748720.004:10801): pid=1192778 uid=0 auid=0 ses=7177 subj=unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'UID="root" AUID="root"
type=USER_END msg=audit(1708748720.004:10802): pid=1192778 uid=0 auid=0 ses=7177 subj=unconfined msg='op=PAM:session_close grantors=pam_loginuid,pam_env,pam_env,pam_permit,pam_unix,pam_limits acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'UID="root" AUID="root"
type=USER_ACCT msg=audit(1708748761.010:10803): pid=1193409 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="admin" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'UID="root" AUID="unset"
type=CRED_ACQ msg=audit(1708748761.010:10804): pid=1193409 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit acct="admin" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'UID="root" AUID="unset"
type=LOGIN msg=audit(1708748761.010:10805): pid=1193409 uid=0 subj=unconfined old-auid=4294967295 auid=1001 tty=(none) old-ses=4294967295 ses=7182 res=1UID="root" OLD-AUID="unset" AUID="admin"
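
Added example, not part of the original posts: a small filter for audit records like the ones above that reports any event in which a watched file was replaced (DELETE plus CREATE of the same name) by a copy with a different owner, and decodes the hex PROCTITLE to show the command line. The function names and the shortened sample records are constructed for illustration.

```shell
#!/bin/sh
# Report events where a file is deleted and re-created under another ouid.
owner_flips() {
    awk '
    function event() {              # "ts:serial" from msg=audit(ts:serial)
        match($0, /audit\([0-9.]+:[0-9]+\)/)
        return substr($0, RSTART + 6, RLENGTH - 7)
    }
    function field(key,   p, s) {   # value of " key=..." with quotes stripped
        p = index($0, " " key "=")
        if (!p) return ""
        s = substr($0, p + length(key) + 2)
        sub(/ .*/, "", s); gsub(/"/, "", s)
        return s
    }
    function unhex(h,   i, n, out, d) {  # hex string, arguments NUL-separated
        d = "0123456789ABCDEF"; h = toupper(h)
        for (i = 1; i < length(h); i += 2) {
            n = (index(d, substr(h, i, 1)) - 1) * 16 + index(d, substr(h, i + 1, 1)) - 1
            out = out (n == 0 ? " " : sprintf("%c", n))
        }
        return out
    }
    /^type=PATH/ {
        k = event() SUBSEP field("name"); t = field("nametype")
        if (t == "DELETE") del[k] = field("ouid")
        if (t == "CREATE") cre[k] = field("ouid")
    }
    # A quoted proctitle is plain text; an unquoted one is hex-encoded.
    /^type=PROCTITLE/ { v = field("proctitle"); cmd[event()] = ($0 ~ /proctitle="/) ? v : unhex(v) }
    END {
        for (k in cre) if ((k in del) && del[k] != cre[k]) {
            split(k, a, SUBSEP)
            printf "event=%s file=%s ouid=%s->%s cmd=%s\n", a[1], a[2], del[k], cre[k], cmd[a[1]]
        }
    }'
}

# Constructed sample: event 10797 is shortened from the records above (the
# proctitle is a shorter constructed value); event 10900 keeps the same owner.
sample_audit_log() {
cat <<'EOF'
type=PATH msg=audit(1708748717.012:10797): item=3 name="/var/lib/spamassassin/.spamassassin/bayes_toks" inode=17181409 ouid=110 ogid=118 nametype=DELETE
type=PATH msg=audit(1708748717.012:10797): item=4 name="/var/lib/spamassassin/.spamassassin/bayes_toks" inode=17182240 ouid=0 ogid=0 nametype=CREATE
type=PROCTITLE msg=audit(1708748717.012:10797): proctitle=73612D6C6561726E002D750064656269616E2D7370616D64002D2D7370616D
type=PATH msg=audit(1708750000.000:10900): item=3 name="/var/lib/spamassassin/.spamassassin/bayes_toks" ouid=110 ogid=118 nametype=DELETE
type=PATH msg=audit(1708750000.000:10900): item=4 name="/var/lib/spamassassin/.spamassassin/bayes_toks" ouid=110 ogid=118 nametype=CREATE
EOF
}
sample_audit_log | owner_flips
```

On a live system the same records can be piped in from ausearch -k monitor-bayes instead of the sample function.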

Ok, seems the culprit is sa-learn. Checking the time…

$ date -u -d @1708748717
Sat Feb 24 04:25:17 UTC 2024

We see 04:25 UTC, and usually cron.daily runs at 06:25 (so your time zone should be UTC+2), so I suppose some task defined in cron.daily is causing this, and there are two options: spamham or spamassassin.

The spamassassin task executes /usr/sbin/spamassassin-maint, which updates the spam db, but it should not use sa-learn, so I suppose spamham is the one causing this.

Check the syslog to see if the time is the same for the spamham launch:

grep scan_reported_mails /var/log/syslog

Yesterday we checked the user used by the script launched by spamham and I couldn’t see errors so no idea where the issue is.

Could you please show the output of these commands?

ls -l /etc/cron.hourly/spamham
md5sum /etc/cron.hourly/spamham

ls -l /etc/dovecot/conf.d/20-spamham.conf
md5sum /etc/dovecot/conf.d/20-spamham.conf

ls -l /etc/dovecot/sieve/scan_reported_mails
md5sum /etc/dovecot/sieve/scan_reported_mails

namei -mo /var/lib/spamassassin/.spamassassin/bayes_toks
grep scan_reported_mails /var/log/syslog

2024-02-20T06:25:19.675678+02:00 panel scan_reported_mails: [SPAM] Learned tokens from 4 message(s) (4 message(s) examined)
grep: /var/log/syslog: binary file matches


ls -l /etc/cron.hourly/spamham
ls: cannot access '/etc/cron.hourly/spamham': No such file or directory

 md5sum /etc/cron.hourly/spamham
 /etc/cron.hourly/spamham: No such file or directory
ls -l /etc/dovecot/conf.d/20-spamham.conf
-rw-r--r-- 1 root root 841 Feb  6 16:13 /etc/dovecot/conf.d/20-spamham.conf
md5sum /etc/dovecot/conf.d/20-spamham.conf
b9f86e205338e3996c4cee05759ffed6  /etc/dovecot/conf.d/20-spamham.conf

ls -l /etc/dovecot/sieve/scan_reported_mails
-rwxr-xr-x 1 root root 4082 Feb  6 16:13 /etc/dovecot/sieve/scan_reported_mails
md5sum /etc/dovecot/sieve/scan_reported_mails
a7747eb06878cf39eb27f2ef2462ce76  /etc/dovecot/sieve/scan_reported_mails

namei -mo /var/lib/spamassassin/.spamassassin/bayes_toks
f: /var/lib/spamassassin/.spamassassin/bayes_toks
 drwxr-xr-x root         root         /
 drwxr-xr-x root         root         var
 drwxr-xr-x root         root         lib
 drwxr-xr-x debian-spamd debian-spamd spamassassin
 drwx------ debian-spamd debian-spamd .spamassassin
 -rw------- debian-spamd debian-spamd bayes_toks
This line looks like this:
-rw------- root  root bayes_toks    

Ok, that seems to be the culprit.

Sorry, I used the wrong dir, it is cron.daily:

ls -l /etc/cron.daily/spamham
md5sum /etc/cron.daily/spamham

This is ok.

That is ok too.

I have the same conf and my bayes_toks file always has the same user and group (debian-spamd:debian-spamd); it has never changed when the file is modified :exploding_head:

I disabled cron.daily for spamham. I triggered it manually and the result is the same. It happens randomly.

I can’t reproduce it on my system, so here is the workaround.

Edit /etc/dovecot/sieve/scan_reported_mails and add this code before the last line:

# Workaround to sa-learn changing owner of bayes_toks to root
BAYES_TOKS="${SPAMD_USER_HOMEDIR}/.spamassassin/bayes_toks"
if ! stat -c %U "${BAYES_TOKS}" | grep -q "${SPAMD_USER}"; then
    chown "${SPAMD_USER}":"${SPAMD_USER}" "${BAYES_TOKS}"
fi

So you will have something like:

[...]
rmdir ${SPOOL_LEARN_HAM_DIR} &>/dev/null
if [[ X"$?" != X'0' ]]; then
    output="$(${SA_LEARN} --ham ${SPOOL_LEARN_HAM_DIR})"
    rm -rf ${SPOOL_LEARN_HAM_DIR} &>/dev/null
    ${LOG} '[CLEAN]' ${output}
fi

# Workaround to sa-learn changing owner of bayes_toks to root
BAYES_TOKS="${SPAMD_USER_HOMEDIR}/.spamassassin/bayes_toks"
if ! stat -c %U "${BAYES_TOKS}" | grep -q "${SPAMD_USER}"; then
    chown "${SPAMD_USER}":"${SPAMD_USER}" "${BAYES_TOKS}"
fi

rm -f ${LOCK_FILE} &>/dev/null

I added the code. It seems to be fine. Thank you @sahsanu
