While looking for ways to improve HestiaCP’s mail subsystem, I noticed that SpamAssassin spamd runs as root:
root@myserver:~# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 170648 6468 ? Ss 2021 9:53 /sbin/init
root 38 0.0 0.1 83540 38824 ? Ss 2021 5:35 /lib/systemd/systemd-journald
[...]
root 361 0.0 0.0 102124 10076 ? Ss 2021 27:28 /usr/bin/perl -T -w /usr/sbin/spamd -d --pidfile=/var/run/spamd.pid --create-prefs --max-children 5 --helper-home-dir
root 404 0.0 0.0 102124 6052 ? S 2021 0:12 spamd child
root 405 0.0 0.0 102124 6712 ? S 2021 0:11 spamd child
clamav 407 0.0 3.7 1462456 1220068 ? Ssl 2021 13:33 /usr/sbin/clamd --foreground=true
Debian-+ 660 0.0 0.0 33560 7440 ? Ss 2021 0:03 /usr/sbin/exim4 -bd -q30m
www-data 2678 0.0 0.0 53500 5660 ? S Jan15 0:01 nginx: worker process
www-data 2679 0.0 0.0 53500 4036 ? S Jan15 0:00 nginx: worker process
[...]
There exists a system user “debian-spamd” with shell access but it isn’t used by default. The spamd (perl) daemon binds to tcp/783 where Exim4 connects.
root@myserver:~# fgrep spam /etc/passwd
debian-spamd:x:113:117::/var/lib/spamassassin:/bin/sh
root@myserver:~# netstat -ntlp -4|fgrep 783
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 361/perl
root@myserver:~#
root@myserver:~# grep -v ^# /etc/default/spamassassin |grep -v ^$
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamd.pid"
CRON=0
root@myserver:~#
root@myserver:~# fgrep 783 /etc/exim4/exim4.conf.template
spamd_address = 127.0.0.1 783
root@myserver:~#
At first thought, it seems that HestiaCP security on Debian 11 hosts can be improved by having spamd run as an unprivileged user (e.g. debian-spamd). For this we would need to have spamd bind to a higher port (e.g. tcp/1783) by changing /etc/default/spamassassin accordingly, e.g.:
OPTIONS="-u debian-spamd -p 1783 --create-prefs --max-children 5 --helper-home-dir"
I will also have to check if there are differences with previously supported Debian releases (9 and 10) and how SA is configured under Ubuntu.
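An added example, not part of the original post or of HestiaCP: a small audit that reads the spamd OPTIONS line and Exim's spamd_address, then reports whether spamd is given an unprivileged user and whether both sides agree on the port. The file names (sa.current, sa.proposed, exim.current, exim.updated) and their contents are constructed samples modelled on the listings above; on a real host the inputs would be /etc/default/spamassassin and /etc/exim4/exim4.conf.template.

```shell
#!/bin/sh
# Added example: check spamd's configured user and its port agreement with Exim.

spamd_options() {   # print the OPTIONS="..." value from a defaults file
    sed -n 's/^OPTIONS="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

opt_value() (       # opt_value "<options>" <short> <long> <default>
    set -f; value=$4; want=0
    for word in $1; do                      # unquoted on purpose: split on whitespace
        if [ "$want" -eq 1 ]; then value=$word; want=0; continue; fi
        case $word in
            "$2"|"$3") want=1 ;;            # "-u name" or "--username name"
            "$3"=*)    value=${word#*=} ;;  # "--username=name"
        esac
    done
    printf '%s\n' "$value"
)

exim_spamd_port() { # last field of "spamd_address = <host> <port>"
    awk '$1 == "spamd_address" { print $NF }' "$1" | tail -n 1
}

audit_spamd() (     # audit_spamd <defaults-file> <exim-config>; non-zero on any FAIL
    opts=$(spamd_options "$1")
    user=$(opt_value "$opts" -u --username root)  # no -u: daemon stays root, as in the ps listing
    port=$(opt_value "$opts" -p --port 783)       # 783 is spamd's default port
    exim=$(exim_spamd_port "$2"); rc=0
    if [ "$user" = root ]; then echo "FAIL no -u/--username: spamd stays root"; rc=1
    else echo "OK   spamd runs as $user"; fi
    if [ "$port" = "$exim" ]; then echo "OK   spamd and Exim both use port $port"
    else echo "FAIL spamd listens on $port, Exim connects to ${exim:-?}"; rc=1; fi
    exit "$rc"
)

write_samples() {   # constructed sample files modelled on the listings in the post
    printf '%s\n' 'OPTIONS="--create-prefs --max-children 5 --helper-home-dir"' > "$1/sa.current"
    printf '%s\n' 'OPTIONS="-u debian-spamd -p 1783 --create-prefs --max-children 5 --helper-home-dir"' > "$1/sa.proposed"
    printf '%s\n' 'spamd_address = 127.0.0.1 783'  > "$1/exim.current"
    printf '%s\n' 'spamd_address = 127.0.0.1 1783' > "$1/exim.updated"
}

tmp=$(mktemp -d) && write_samples "$tmp"
for pair in "sa.current exim.current" "sa.proposed exim.current" "sa.proposed exim.updated"; do
    set -- $pair; echo "== $1 + $2"
    audit_spamd "$tmp/$1" "$tmp/$2" || :
done
rm -rf "$tmp"
```

The middle case is the one to watch: with the proposed OPTIONS line alone, Exim's spamd_address still points at 783, so the port has to be changed in both files together.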