open(/var/dcc/map): Permission denied

Aldo Necci necci@dia.uniroma3.it
Fri Sep 23 09:57:15 UTC 2011


On Thu, September 22, 2011 21:26, Vernon Schryver wrote:

>> SpamAssassin is configured to use the right path, this is its
>> configuration:
>> use_dcc 1
>> dcc_path /usr/local/bin/dccproc
>> dcc_home /var/dcc
>> dcc_dccifd_path /var/dcc/dccifd
>
> Are you using a current version of SpamAssassin?

Yes I have SpamAssassin 3.3.1 and this is its output:
# spamassassin -V
SpamAssassin version 3.3.1
  running on Perl version 5.10.1

> Have you tried the SpamAssassin DCC test?   I've forgotten how to
> invoke it and do not see it mentioned in
> http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_DCC.html

I try this method of testing DCC with Spamassassin as described somewhere:
# spamassassin -D < /usr/share/doc/spamassassin-3.3.1/sample-nonspam.txt

and I got a lot of output, but this is the most important:
Sep 23 10:12:38.503 [2790] dbg: dcc: dccifd local socket chosen:
/var/dcc/dccifd
Sep 23 10:12:38.503 [2790] dbg: dns: entering helper-app run mode
Sep 23 10:12:38.503 [2790] dbg: dcc: connecting to a local socket
/var/dcc/dccifd
Sep 23 10:12:38.640 [2790] dbg: dcc: dccifd got response:
X-DCC-dcc1-Metrics: mbox2 1182; Body=many Fuz1=many Fuz2=many
Sep 23 10:12:38.640 [2790] dbg: dns: leaving helper-app run mode
Sep 23 10:12:38.642 [2790] dbg: dcc: listed: BODY=999999/999999
FUZ1=999999/999999 FUZ2=999999/999999 REP=0/90
Sep 23 10:12:38.644 [2790] dbg: rules: ran eval rule DCC_CHECK ======> got
hit (1)

So It seems to work right! There is *NOT* any warning like:
open(/var/dcc/map): Permission denied
in all the output and neither in the log file (in that moment of test
was running). But I got that warning, one for every incoming e-mail
processed by spamassassin.

> I understood that the SpamAssassin people were going to ship the
> new version of the SpamAssassin DCC plugin in
> /usr/var/dcc/build/dcc/misc/DCC.pm
> If that file differs from the DCC.pm you are using,
> it might be entertaining to try it.

I haven't any directory named "dcc" under the directory /var
# ls /usr/var/dcc/build/dcc/misc/DCC.pm
ls: cannot access /usr/var/dcc/build/dcc/misc/DCC.pm: No such file or
directory

I have this inside the package "spamassassin":
# rpm -ql spamassassin | grep -i dcc
/usr/share/man/man3/Mail::SpamAssassin::Plugin::DCC.3pm.gz
/usr/share/perl5/Mail/SpamAssassin/Plugin/DCC.pm
/usr/share/spamassassin/25_dcc.cf

>> I don't see any UDP connection after dccifd started,
>> the output of the command "netstat -pu" is empty and
>> there isn't any firewall (I disabled the default software firewall).
>
> Is dccifd running?  If dccifd is running and SpamAssassin can reach
> the UNIX domain socket at /var/dcc/dccifd, then SpamAssassin should
> never try dccproc.  Since SpamAssassin cannot use dccproc to reach
> /var/dcc/map, one might expect problems reaching /var/dcc/dccifd.

The dccifd program is running, I show only the two lines of output:
# ps -ef
root      1505     1  0 09:45 ?        00:00:00 /var/dcc/libexec/dccifd
-tREP,20 -tCMN,5, -llog -wwhiteclnt -Uuserdirs -A -SHELO -Smail_host
-SSend
root      1506  1505  0 09:45 ?        00:00:00 /var/dcc/libexec/dccifd
-tREP,20 -tCMN,5, -llog -wwhiteclnt -Uuserdirs -A -SHELO -Smail_host
-SSend

As I show before in the output of debugging Spamassassin, there is
the right socket under /var/dcc/dccifd:
srw-rw-rw-. 1 root root 0 Sep 23 09:45 /var/dcc/dccifd
but it seems that every incoming e-mail causes Spamassassin to
ignore it and invoke dccproc. I think that /var/dcc/map is locked
by dccifd daemon and dccproc can't access it so the warning:
open(/var/dcc/map): Permission denied
This can be the right explanation, I think...
Oh no! I try to disable dccifd on his config file /var/dcc/dcc_conf:
DCCIFD_ENABLE=off
and restart all the server. After the boot, the dccifd daemon wasn't
started but in the log file /var/log/maillog there was that warnig:
# last
reboot   system boot  2.6.32-131.12.1. Fri Sep 23 11:06 - 11:25  (00:19)
and inside the /var/log/maillog (I replace the real name of server with
"-----")
Sep 23 11:26:13 ----- dccproc[2024]: open(/var/dcc/map): Permission denied

> If dccifd is not running, then perhaps /var/dcc/libexec/rcDCC has
> not been sym-linked to the right /etc/rc* directories.

I also did as usual all the right links after installation of DCC:
lrwxrwxrwx. 1 root root 22 Sep 21 13:27 /etc/init.d/dcc ->
/var/dcc/libexec/rcDCC
lrwxrwxrwx. 1 root root 13 Sep 21 13:28 /etc/rc3.d/S40dcc -> ../init.d/dcc
This last link was made by the command "chkconfig dcc on" after the
command "chkconfig --add dcc".
Dccifd starts as well at the boot time, but *WHY* there is not any
connection on UDP even if I got this output from cdcc command:
# /usr/local/bin/cdcc "info -N"
# 09/23/11 11:00:45 CEST  /var/dcc/map
# Re-resolve names after 11:12:54  Check RTTs after 11:15:44
# 351.82 ms threshold, 224.35 ms average    12 total, 12 working servers
IPv6 on   version=3

dcc1.dcc-servers.net,-      RTT+1000 ms  anon
#  80.91.36.101,-         dcc1.aftenposten.no       dcc1.aftenposten.no ID
1215
#     100% of 11 requests ok  143.56+1000 ms RTT       100 ms queue wait
#  137.208.8.26,-         samantha.wu-wien.ac.at              wuwien ID 1290
#     100% of 11 requests ok  124.02+1000 ms RTT       100 ms queue wait
#  209.169.14.30,-        h5-vjs.colo.indra.com        x.dcc-servers ID 104
#     100% of 11 requests ok  250.56+1000 ms RTT       100 ms queue wait

dcc2.dcc-servers.net,-      RTT+1000 ms  anon
#  64.254.89.30,-         dcc-public.dmv.com                 dmv.com ID 1181
#     protocol version 9
#     100% of 11 requests ok  211.34+1000 ms RTT       100 ms queue wait
#  208.82.128.50,-        dcc.quonix.net                             ID 1282
#     protocol version 9
#     100% of 11 requests ok  212.86+1000 ms RTT       100 ms queue wait

dcc3.dcc-servers.net,-      RTT+1000 ms  anon
#  209.169.14.26,-        h1-vjs.colo.indra.com        x.dcc-servers ID 104
#     100% of 11 requests ok  250.87+1000 ms RTT       100 ms queue wait

dcc4.dcc-servers.net,-      RTT+1000 ms  anon
#  200.81.186.149,-       dcc1.sion.com                         SION ID 1111
#     protocol version 9
#     100% of 11 requests ok  356.52+1000 ms RTT       100 ms queue wait

dcc5.dcc-servers.net,-      RTT+1000 ms  anon
#  136.199.199.102,-      urts102.uni-trier.de                   URT ID 1060
#     100% of 11 requests ok  123.44+1000 ms RTT       100 ms queue wait
#  193.166.171.33,-       dcc1.stat.fi              STAT_FI_X86_64_VIRTUAL
ID 1245
#     100% of 11 requests ok  156.64+1000 ms RTT       100 ms queue wait

dcc.to.infn.it,-            RTT+0 ms    anon
#  192.84.137.21,-        birubiru.to.infn.it                INFN-TO ID 1233
#     100% of 11 requests ok  251.82+0 ms RTT          100 ms queue wait

dcc1.pa.iasf.cnr.it,-       RTT+0 ms    anon
# *194.119.212.6,-        mail2.ifc.inaf.it                     dcc1 ID 1182
#     100% of 20 requests ok  124.78+0 ms RTT          100 ms queue wait

dcc.ba.infn.it,-            RTT+0 ms    anon
#  192.135.10.194,-       dcc.ba.infn.it                      debian ID 1169
#     protocol version 9
#     100% of 11 requests ok  127.36+0 ms RTT          100 ms queue wait

################
# 09/23/11 11:00:46 CEST  greylist /var/dcc/map
# Re-resolve names after 11:21:30  Check RTTs after 11:15:44
# 1 total, 0 working servers
# continue not asking greylist server 31 seconds after 1 failures

@,-                         Greylist 32768 secret1425104514y957
# *127.0.0.1,6276         localhost
#      not answering

>> > Are you doing anything with "jails" or chroot in mail processing?
>>
>> No, I let the default settings.
>
> Do the default settings involve jails or chroot?
> I cannot guess after some Google for Scientific Linux.
> Are you using sendmail, postfix, or something else?

I use postfix and it is not chrooted, but I don't' know about jails.
The warning appears even when Spamassassin starts (I replace the real name
of server with "-----"):
Sep 23 11:34:10 ----- spamd[2719]: logger: removing stderr method
Sep 23 11:34:14 ----- dccproc[2722]: open(/var/dcc/map): Permission denied
Sep 23 11:34:16 ----- spamd[2721]: spamd: server started on port 783/tcp
(running version 3.3.1)
Sep 23 11:34:16 ----- spamd[2721]: spamd: server pid: 2721
Sep 23 11:34:16 ----- spamd[2721]: spamd: server successfully spawned
child process, pid 2724
Sep 23 11:34:16 ----- spamd[2721]: spamd: server successfully spawned
child process, pid 2726

>> > What happens with a manual invocation of dccproc like mine above?
>>
>> Nothing, the log directory under /var/dcc/ is also empty.
>
> What kind of nothing happens?  When you feed `dccproc -C` a test
> message like
>     asdf: asdf
>
>     asdf
> does dccproc emit the X-DCC header?  Or do you see the complaint
> about /var/dcc/map that SpamAssassin sees?

I try this:
# /usr/local/bin/dccproc -C
asdf: asdf

asdf
^C#
the last line is a CTRL-C I pressed to exit from shell (how I can close
the shell?). There is no output.

>> Yes I think the same because on previous versions of Linux I used
>> (Scientific Linux 5) and previous
>> version of DCC everything was OK. The commands "./configure" and
>
> Could you re-install DCC to use the username/UID used by SpamAssassin?
> That should make the setuid bit on /usr/local/bin/dccproc irrelevant.

Yes, I tried it as a last change, but it still remains the problem.


Thanks,
Aldo Necci




-----------------------------------------
This email was sent using SquirrelMail.
https://webmail.dia.uniroma3.it
Web Site: http://www.squirrelmail.org




More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.