Aldo Necci | 19 Sep 2011 16:25

open(/var/dcc/map): Permission denied


Hi,

does anyone know why the following would appear in the logs:
dccproc[2304]: open(/var/dcc/map): Permission denied

I'm using the latest version (dcc-1.3.140) on Scientific Linux release 6.1
and when spamassassin (ver 3.3.1) processes an e-mail I get that message.

The same configuration on Scientific Linux CERN SLC release 5.7
and DCC version 1.3.134 works without that message:
DCCD_ENABLE=off
DCCM_ENABLE=off
DCCIFD_ENABLE=on

thanks,
Aldo Necci


Vernon Schryver | 19 Sep 2011 18:10

Re: open(/var/dcc/map): Permission denied

> From: "Aldo Necci" <necci@...>

> does anyone know why the following would appear in the logs:
> dccproc[2304]: open(/var/dcc/map): Permission denied

The /var/dcc/map file must be private and readable only by owner,
because it can contain client-IDs and passwords for accessing private
DCC servers.  (The anonymous client-ID of 1 does not use a password.)

`make install` installs dccproc set-UID to the UID specified with
`./configure --with-uid=UID`.  The default UID is 0 or root.

It is quite possible that running /var/dcc/libexec/updatedcc
would fix the problem.  Configure builds updatedcc with the
./configure parameters including with-uid.
After fetching the tarball, updatedcc uses `./configure` and `make
install` to `chown` and so forth.
Updatedcc checks to see if it needs to be run by root so that `make`
can `chown` and so forth.

/var/dcc/dcc_conf-new is also built by updatedcc,
and can usually be installed as /var/dcc/dcc_conf

Vernon Schryver    vjs@...
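
The relationship described in the message above (a map file private to its owner, and a set-UID dccproc whose owner is the one that can open it) can be checked directly. This is an added example, not part of the original thread or the DCC distribution; the function names are hypothetical and the default paths are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example (not from the thread or the DCC distribution).
# mode_of / uid_of / check_dcc_perms are hypothetical helper names.

# First 10 characters of the ls mode string, e.g. -rw-------; this drops
# any extra marker character printed after the permission bits.
mode_of() { ls -ldn "$1" | cut -c1-10; }

# Numeric UID of the file's owner.
uid_of() { ls -ldn "$1" | awk '{print $3}'; }

# check_dcc_perms MAP BIN
# Prints one line per problem; the return status is the number of problems.
check_dcc_perms() {
    map=${1:-/var/dcc/map}
    bin=${2:-/usr/local/bin/dccproc}
    problems=0

    for f in "$map" "$bin"; do
        [ -f "$f" ] || { echo "missing: $f"; return 1; }
    done
    map_mode=$(mode_of "$map")
    bin_mode=$(mode_of "$bin")

    # The map can hold client-IDs and passwords: no group or other access.
    if [ "$(printf '%s' "$map_mode" | cut -c5-10)" != "------" ]; then
        echo "map is not private: $map_mode $map"
        problems=$((problems + 1))
    fi

    # dccproc is installed set-UID: s (or S) in the owner-execute position.
    case $(printf '%s' "$bin_mode" | cut -c4) in
        s|S) ;;
        *) echo "not set-UID: $bin_mode $bin"
           problems=$((problems + 1)) ;;
    esac

    # The set-UID owner must be the owner of the owner-only map file.
    if [ "$(uid_of "$map")" != "$(uid_of "$bin")" ]; then
        echo "owner mismatch: map uid $(uid_of "$map"), binary uid $(uid_of "$bin")"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run against two paths when given on the command line.
if [ "$#" -eq 2 ]; then check_dcc_perms "$1" "$2"; fi
```

A return status of 0 means the file modes and owners are consistent with each other; it says nothing about other access controls on the host.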

Aldo Necci | 21 Sep 2011 17:36

Re: open(/var/dcc/map): Permission denied

On Mon, September 19, 2011 18:10, Vernon Schryver wrote:
>> From: "Aldo Necci" <necci@...>
>
>> does anyone know why the following would appear in the logs:
>> dccproc[2304]: open(/var/dcc/map): Permission denied
>
> The /var/dcc/map file must be private and readable only by owner,
> because it can contain client-IDs and passwords for accessing private
> DCC servers.  (The anonymous client-ID of 1 does not use a password.)
>
> `make install` installs dccproc set-UID to the UID specified with
> `./configure --with-uid=UID`.  The default UID is 0 or root.

OK. The UID is root and that file is private:
-rw-------. 1 root root 7668 Sep 21 17:21 /var/dcc/map

> It is quite possible that running /var/dcc/libexec/updatedcc
> would fix the problem.  Configure builds updatedcc with the
> ./configure parameters including with-uid.
> After fetching the tarball, updatedcc uses `./configure` and `make
> install` to `chown` and so forth.
> Updatedcc checks to see if it needs to be run by root so that `make`
> can `chown` and so forth.
>
> /var/dcc/dcc_conf-new is also built by updatedcc,
> and can usually be installed as /var/dcc/dcc_conf

I have done all of that. But the problem is still there:
dccproc[9126]: open(/var/dcc/map): Permission denied


John R. Levine | 21 Sep 2011 18:11

Re: open(/var/dcc/map): Permission denied

> OK. The UID is root and that file is private:
> -rw-------. 1 root root 7668 Sep 21 17:21 /var/dcc/map

The dcc process usually runs as user "dcc", so the file should belong to 
dcc, not to root.

This is a familiar problem when an update doesn't work quite right.

Regards,
John Levine, johnl@..., Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

Vernon Schryver | 21 Sep 2011 18:45

Re: open(/var/dcc/map): Permission denied

> From: "Aldo Necci" <necci@...>

> OK. The UID is root and that file is private:
> -rw-------. 1 root root 7668 Sep 21 17:21 /var/dcc/map

> I have done all. But the problem is still there:
> dccproc[9126]: open(/var/dcc/map): Permission denied
>
> The dccproc file is:
> -r-sr-xr-x. 1 root bin 496487 Sep 21 17:21 /usr/local/bin/dccproc

What is the significance of the period (.) after the permission bits?

Just now I tried:
   pax -rzf ...
   cd dcc-1.3.*
   ./configure --homedir=/tmp/dcc --bindir=/tmp/dcc/bin --mandir=/tmp/dcc
   make install

That made:
  -r-sr-xr-x  1 root  wheel  919480 Sep 21 16:18 bin/dccproc*
  -rw-------  1 root  wheel    7668 Sep 21 16:18 map

I see no problems with dccproc:
    % bin/dccproc -C
    asdf: asdf

    asdf
    X-DCC--Metrics: calcite.rhyolite.com 0; Body=1
				reported: 1               checksum

Aldo Necci | 22 Sep 2011 10:26

Re: open(/var/dcc/map): Permission denied

On Wed, September 21, 2011 18:45, Vernon Schryver wrote:

>
> What is the significance of the period (.) after the permission bits?
>

Scientific Linux 6 uses the dot after the permission bits as a symbol
of "this is the end of permission bits".

>
> Just now I tried:
>    pax -rzf ...
>    cd dcc-1.3.*
>    ./configure --homedir=/tmp/dcc --bindir=/tmp/dcc/bin --mandir=/tmp/dcc
>    make install
>
> That made:
>   -r-sr-xr-x  1 root  wheel  919480 Sep 21 16:18 bin/dccproc*
>   -rw-------  1 root  wheel    7668 Sep 21 16:18 map
>
> I see no problems with dccproc:
>     % bin/dccproc -C
>     asdf: asdf
>
>     asdf
>     X-DCC--Metrics: calcite.rhyolite.com 0; Body=1
> 				reported: 1               checksum
> 		   Message-ID: d41d8cd9 8f00b204 e9800998 ecf8427e
>
> Does the `cdcc` command also fail?  Cdcc is also installed set-UID

Vernon Schryver | 22 Sep 2011 21:26

Re: open(/var/dcc/map): Permission denied

> From: "Aldo Necci" <necci@...>
> To: dcc@...

> SpamAssassin is configured to use the right path, this is its configuration:
> use_dcc 1
> dcc_path /usr/local/bin/dccproc
> dcc_home /var/dcc
> dcc_dccifd_path /var/dcc/dccifd

Are you using a current version of SpamAssassin?

Have you tried the SpamAssassin DCC test?   I've forgotten how to
invoke it and do not see it mentioned in
http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_DCC.html

I understood that the SpamAssassin people were going to ship the
new version of the SpamAssassin DCC plugin in
/usr/var/dcc/build/dcc/misc/DCC.pm
If that file differs from the DCC.pm you are using, 
it might be entertaining to try it.

> I don't see any UDP connection after dccifd started,
> the output of the command "netstat -pu" is empty and
> there isn't any firewall (I disabled the default software firewall).

Is dccifd running?  If dccifd is running and SpamAssassin can reach
the UNIX domain socket at /var/dcc/dccifd, then SpamAssassin should
never try dccproc.  Since SpamAssassin cannot use dccproc to reach
/var/dcc/map, one might expect problems reaching /var/dcc/dccifd.


Aldo Necci | 23 Sep 2011 11:57

Re: open(/var/dcc/map): Permission denied

On Thu, September 22, 2011 21:26, Vernon Schryver wrote:

>> SpamAssassin is configured to use the right path, this is its
>> configuration:
>> use_dcc 1
>> dcc_path /usr/local/bin/dccproc
>> dcc_home /var/dcc
>> dcc_dccifd_path /var/dcc/dccifd
>
> Are you using a current version of SpamAssassin?

Yes I have SpamAssassin 3.3.1 and this is its output:
# spamassassin -V
SpamAssassin version 3.3.1
  running on Perl version 5.10.1

> Have you tried the SpamAssassin DCC test?   I've forgotten how to
> invoke it and do not see it mentioned in
> http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_DCC.html

I tried this method of testing DCC with SpamAssassin, as described somewhere:
# spamassassin -D < /usr/share/doc/spamassassin-3.3.1/sample-nonspam.txt

and I got a lot of output, but this is the most important:
Sep 23 10:12:38.503 [2790] dbg: dcc: dccifd local socket chosen: /var/dcc/dccifd
Sep 23 10:12:38.503 [2790] dbg: dns: entering helper-app run mode
Sep 23 10:12:38.503 [2790] dbg: dcc: connecting to a local socket /var/dcc/dccifd
Sep 23 10:12:38.640 [2790] dbg: dcc: dccifd got response:

Vernon Schryver | 23 Sep 2011 16:28

Re: open(/var/dcc/map): Permission denied

> From: "Aldo Necci" <necci@...>

>> Are you using a current version of SpamAssassin?
>
> Yes I have SpamAssassin 3.3.1 and this is its output:

According to http://spamassassin.apache.org/downloads.cgi
the current version is 3.3.2.  But I doubt that matters.

> Sep 23 10:12:38.503 [2790] dbg: dcc: connecting to a local socket /var/dcc/dccifd
> Sep 23 10:12:38.640 [2790] dbg: dcc: dccifd got response: X-DCC-dcc1-Metrics: mbox2 1182; Body=many Fuz1=many Fuz2=many
> Sep 23 10:12:38.640 [2790] dbg: dns: leaving helper-app run mode
> Sep 23 10:12:38.642 [2790] dbg: dcc: listed: BODY=999999/999999 FUZ1=999999/999999 FUZ2=999999/999999 REP=0/90

That shows that the problem is related to how dccproc is run for
real mail by postfix+SpamAssassin.  It also shows that postfix+SpamAssassin
is breaking access to the /var/dcc/dccifd socket.

> I haven't any directory named "dcc" under the directory /var

That is my mistake.  /usr/var/dcc/build/dcc exists only after running
/var/dcc/libexec/updatedcc.  You can find DCC.pm in the dcc-1.3.140/misc
directory of the DCC tarball that you expanded and after you run ./configure.

I trust you used the DCC source tarball from
http://www.dcc-servers.net/dcc/#download or
http://www.dcc-servers.net/dcc/source/dcc.tar.Z

