I've set up Rspamd with dovecot sieve to learn_spam/ham when a user moves an email to Junk or out of Junk. It's working (using the steps here with some modifications), but I've had to modify the ownership/permissions below. My question is whether this poses any security risks?
/usr/local/bin/dovecot-sieve/learn-spam.sh (and learn-ham.sh) looks like:
#!/bin/bash
inputmail=`/usr/bin/cat`
echo "${inputmail}" | rspamc -h /var/run/rspamd/rspamd_controller.sock learn_spam
When an email is moved and triggers the sieve action, /usr/local/bin/dovecot-sieve/learn-spam.sh (or learn-ham.sh) is run as user:mail and was failing with 'permission denied'. To fix this I changed:
chown mail. /usr/local/bin/dovecot-sieve/learn-{spam,ham}.sh;
chmod 750 /usr/local/bin/dovecot-sieve/learn-{spam,ham}.sh;
Then, the rspamc command in the script was failing with 'permission denied' because /etc/rspamd/local.d/worker-controller.inc sets 'bind_socket = "/var/run/rspamd/rspamd_controller.sock mode=0600 owner=_rspamd";' (and the rspamc command is being run as user:mail). To fix this I changed it to:
bind_socket = "/var/run/rspamd/rspamd_controller.sock mode=0622 owner=_rspamd";
I fear that changing the rspamd bind_socket permission allows unauthorised users too much access? Can anyone see any issues with the permission changes above, or have any better ideas to get this working without permissions changes? Thanks
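An added example, not part of the original post: on Linux, connecting to a Unix socket requires write permission on the socket file, so this Python check reports which permission classes (owner, group, other) can connect under the modes mentioned above, 0600 and 0622, with 0660 included for comparison. The helper names and the temporary sockets are constructed stand-ins for rspamd_controller.sock, not rspamd code.

```python
import os
import socket
import stat
import tempfile

def connect_classes(path):
    """Return (mode, classes) for a Unix socket: which of owner/group/other
    may connect. On Linux, connect() needs write permission on the socket."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix socket")
    mode = stat.S_IMODE(st.st_mode)
    bits = (("owner", stat.S_IWUSR), ("group", stat.S_IWGRP), ("other", stat.S_IWOTH))
    return mode, [name for name, bit in bits if mode & bit]

def audit(path, allowed=("owner",)):
    """Report classes that can connect but are not in `allowed`."""
    mode, classes = connect_classes(path)
    return {
        "mode": f"{mode:04o}",
        "can_connect": classes,
        "unexpected": [c for c in classes if c not in allowed],
    }

def make_socket(directory, name, mode):
    """Constructed stand-in for rspamd_controller.sock (hypothetical helper)."""
    path = os.path.join(directory, name)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(path)
    os.chmod(path, mode)  # override whatever the umask left behind
    return sock, path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Modes from the post (0600, 0622) plus a group-only mode for comparison.
        for name, mode in (("a.sock", 0o600), ("b.sock", 0o622), ("c.sock", 0o660)):
            sock, path = make_socket(tmp, name, mode)
            print(audit(path))
            sock.close()
```

Pointing `audit()` at the real socket path shows whether anyone beyond the intended account can reach the controller; with 0622 the "other" class is included, which means every local user.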