On Thu, Mar 09, 2023 at 02:46:10PM +0100, Guillem Jover wrote:
> Sorry for apparently dropping the ball on this, but was trying to dig
> further what was going on, and tried directly on my production system
> by doing changes and letting the cron job run as usual, so had to wait
> a couple of days to get some of the results. :)
> 
> I think this might have been a problem with the systemd service, which
> does not seem to give the same POSIX capabilities as the capsh
> invocation. I can probably test this hypothesis by installing aide in
> one of my systemd-based systems.

Ah. So it might be possible that I encountered the issue with systemd
and then assumed that the capsh-based invocation would have the same
issue. That at least explains why I wasn't able to reproduce this with
capsh alone.

> I think the options here could be to match the POSIX capabilities for
> the systemd service to the ones used in capsh, which should then let
> the sendmail set-uid-root case work, in addition to the patch I
> provided, otherwise that seems like a regression for the systemd case.

Supporting plain bsd-mailx in the systemd case would indeed be nice as
it would remove the necessity to use s-nail. I think that's too late for
bookworm now though. I'd be willing to ease the sysvinit pain for
bookworm with non-intrusive patches, but that one is too big, I think.

> Another option would be to make the disabling for the mail on non-root
> case conditional on --systemdservice option passed by the systemd
> service. Which should make it work fine with non-systemd's capsh
> invocation. I can prepare an update for that.

The non-root systemd case works fine with s-nail, making it necessary to
have an SMTP listener.


> Also another problem is that USER is currently hardcoded to root, so
> that makes the directory check fail. Ideally USER would get automatically
> set instead of hardcoding it to root though, as that makes a check fail,
> say with USER=$(id -u -n) or similar. Will prepare another patch with
> that too.

USER is a bad variable name anyway; I'm working hard to eliminate it
from all my scripts, but old habits don't die easily.

fyi, I'd like to do an upload quite soon.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
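
An added example, not code from this thread or from the aide package: a
POSIX sh script that prints the capability sets a process really runs
with (read from /proc/self/status) and decides whether a set-uid-root
helper such as sendmail exec'd from that process could still regain
setuid/setgid. Running it once as the ExecStart= of the systemd unit and
once under the capsh invocation, then diffing the two outputs, is one way
to test the hypothesis above that the two paths do not hand out the same
capabilities. The bit numbers are the kernel's from <linux/capability.h>;
the sample status excerpt at the bottom is constructed for offline use and
is not taken from any real aide run. The script also checks NoNewPrivs,
because the kernel refuses a set-uid privilege gain under that flag no
matter what the bounding set contains.

```shell
#!/bin/sh
# Added example (not from the aide package or the thread): dump the POSIX
# capability sets a process is actually running with, so the systemd unit's
# ExecStart= and the capsh invocation can be compared by running this from
# both and diffing the output.

# Bit numbers from <linux/capability.h>; these are what a set-uid-root MTA
# helper such as sendmail has to be able to regain.
CAP_SETGID=6
CAP_SETUID=7

# cap_field NAME [STATUSFILE]: print the hex mask for CapInh, CapPrm, CapEff,
# CapBnd or CapAmb from a /proc/PID/status file (defaults to this process).
cap_field() {
    awk -v f="$1:" '$1 == f { print $2; exit }' "${2:-/proc/self/status}"
}

# cap_has HEXMASK BITNUM: succeed if bit BITNUM is set in HEXMASK.
cap_has() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# nnp_flag [STATUSFILE]: print the NoNewPrivs field (0 or 1).
nnp_flag() {
    awk '$1 == "NoNewPrivs:" { print $2; exit }' "${1:-/proc/self/status}"
}

# setuid_helper_ok [STATUSFILE]: succeed if a set-uid-root helper exec'd from
# this process could regain setuid/setgid. On exec of a set-uid-root binary
# the new permitted set is the bounding set, so capabilities missing from
# CapBnd are gone for good, and no_new_privs blocks the uid change entirely.
setuid_helper_ok() {
    f="${1:-/proc/self/status}"
    bnd=$(cap_field CapBnd "$f")
    nnp=$(nnp_flag "$f")
    [ "${nnp:-0}" = 0 ] &&
        cap_has "$bnd" "$CAP_SETUID" &&
        cap_has "$bnd" "$CAP_SETGID"
}

# cap_report [STATUSFILE]: human-readable summary; run it from each
# invocation path and diff the two outputs.
cap_report() {
    f="${1:-/proc/self/status}"
    for s in CapInh CapPrm CapEff CapBnd CapAmb; do
        printf '%s\t%s\n' "$s" "$(cap_field "$s" "$f")"
    done
    printf 'NoNewPrivs\t%s\n' "$(nnp_flag "$f")"
    if setuid_helper_ok "$f"; then
        echo "set-uid-root helper: can regain setuid/setgid"
    else
        echo "set-uid-root helper: CANNOT regain setuid/setgid"
    fi
}

# sample_status: constructed /proc/PID/status excerpt for offline testing.
# The mask 00000000a80425fb has bits 6 and 7 (setgid/setuid) set and
# bit 21 (sys_admin) clear.
sample_status() {
    printf 'Name:\tcheck\nNoNewPrivs:\t0\n'
    printf 'CapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n'
    printf 'CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n'
    printf 'CapAmb:\t0000000000000000\n'
}

# When run directly, report on the current process.
if [ -r /proc/self/status ]; then
    cap_report /proc/self/status
fi
```

Save it as e.g. /usr/local/bin/capcheck (hypothetical path), point the
unit's ExecStart= at it for one run and also run it with the capsh
command line the sysvinit cron job uses; a differing CapBnd line, or a
NoNewPrivs of 1 on the systemd side, is exactly the kind of mismatch that
would make a set-uid-root sendmail fail only under systemd.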