On Sat, 28 Dec 2024 21:15:34 +0000 Richard Lewis <richard.lewis.deb...@googlemail.com> wrote:
> On Sun, 15 Dec 2024 22:40:51 +0000 Julian Gilbey <j...@debian.org> wrote:
> > On Wed, Dec 11, 2024 at 11:43:18PM +0000, Richard Lewis wrote:
> > > [...]
> > > I think all it needs is
> > > /etc/systemd/system/chkrootkit.service.d/override.conf with
> > >
> > > [Service]
> > > ProtectSystem=strict
> > >
> > > (you can do "systemctl edit chkrootkit.service" and it will make such
> > > a file and reload it,
> > > you can then do systemctl start chkrootkit and it should be used)
> > > That should solve the problem for the daily check. Can you see if
> > > it works. It's probably useful anyway)
> >
> > That works perfectly, thank you!
>
> Quick update: I've been testing this, and while it usually works it
> can prevent the output being emailed with the following:
>
> Dec 28 00:01:45 hostname chkrootkit-daily[4050677]: mail: mu_temp_file_stream_create() failed: Read-only file system
> Dec 28 00:01:45 hostname chkrootkit-daily[4050677]: mail: mu_temp_file_stream_create() failed: Read-only file system
> Dec 28 00:01:46 hostname exim[4050709]: 2024-12-28 00:01:46 1tRKH4-00Gzm1-00 Failed to create spool file /var/spool/exim4//input//1tRKH4-00Gzm1-00-D: Read-only file system
> Dec 28 00:01:46 hostname exim[4050709]: 2024-12-28 00:01:46 1tRKH4-00Gzm1-00 Cannot open main log file "/var/log/exim4/mainlog": Permission denied: euid=109 egid=113
> Dec 28 00:01:46 hostname exim[4050709]: exim: could not open panic log - aborting: see message(s) above
>
> I believe this only(?) happens if the report is large enough. I assume
> we can allow more of /var to be read-write and avoid this.
> Possibly the first error is from mailutils -- I remember failing to
> identify this before, unfortunately without success.
I believe the following is needed in override.conf -- this allows exim to
write its logs and send the final email, and mailutils (and others) to have
/run/chkrootkit as a writeable TMPDIR while the real /tmp stays "protected".
(This last is needed if mail is provided by mailutils, and is sensible anyway.)

    [Service]
    ProtectSystem=strict
    ReadWritePaths=-/var/spool -/var/mail -/var/log
    RuntimeDirectory=chkrootkit
    Environment=TMPDIR=/run/chkrootkit
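To make the reasoning behind that drop-in checkable before rolling it out, here is an added example (not code from the bug thread, the chkrootkit package or systemd) that models systemd's ProtectSystem=strict write policy: everything read-only except /dev, /proc and /sys, plus whatever ReadWritePaths= lists and the directories RuntimeDirectory= creates under /run. It parses a drop-in and predicts which of the write targets seen in the log excerpt would succeed, and whether the exported TMPDIR lands somewhere writable. The write targets and the /run/chkrootkit temp-file name are constructed from the log lines; the treatment of RuntimeDirectory= as writable under strict mode is an assumption that matches what the drop-in relies on, and the model ignores other sandboxing directives.

```python
"""Model which paths a job may write under a systemd drop-in with ProtectSystem=strict.

Simplified model (assumption): under ProtectSystem=strict everything is read-only
except /dev, /proc and /sys, plus ReadWritePaths= entries and RuntimeDirectory=
directories under /run. Other directives (ProtectHome=, PrivateTmp=, ...) are ignored.
"""
import re
from pathlib import PurePosixPath

# Drop-in proposed in the message above (copied for the example)
PROPOSED_DROP_IN = """\
[Service]
ProtectSystem=strict
ReadWritePaths=-/var/spool -/var/mail -/var/log
RuntimeDirectory=chkrootkit
Environment=TMPDIR=/run/chkrootkit
"""

# The earlier, minimal drop-in that produced the "Read-only file system" errors
MINIMAL_DROP_IN = "[Service]\nProtectSystem=strict\n"

# Write targets taken from the log excerpt, plus constructed temp-file names
WRITE_TARGETS = [
    "/var/spool/exim4//input//1tRKH4-00Gzm1-00-D",
    "/var/log/exim4/mainlog",
    "/run/chkrootkit/mu-tmpfile",   # constructed: where TMPDIR redirection puts temp files
    "/tmp/mu-tmpfile",              # constructed: where they would go without TMPDIR
]

API_FS = ("/dev", "/proc", "/sys")  # always writable under ProtectSystem=strict


def parse_service_section(text):
    """Return {key: [values...]} for the [Service] section; repeated keys accumulate."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def writable_roots(settings):
    """Directory roots a process may write to under the parsed drop-in."""
    protect = settings.get("ProtectSystem", ["no"])[-1]
    if protect != "strict":
        # Not modelled: 'yes'/'full' only make /usr, /boot (and /etc) read-only.
        return ["/"]
    roots = list(API_FS)
    for value in settings.get("ReadWritePaths", []):
        for entry in value.split():
            # '-' = ignore if missing, '+' = relative to RootDirectory=; strip both
            roots.append(str(PurePosixPath(entry.lstrip("-+"))))
    for value in settings.get("RuntimeDirectory", []):
        for name in value.split():
            roots.append(str(PurePosixPath("/run") / name))
    return roots


def is_writable(path, roots):
    """True if the normalised path is at or below one of the writable roots."""
    norm = str(PurePosixPath(path))  # collapses the '//' seen in the exim spool path
    return any(norm == r or norm.startswith(r.rstrip("/") + "/") for r in roots)


def check_writes(drop_in_text, paths):
    """Map each path to whether the drop-in lets the service write it."""
    roots = writable_roots(parse_service_section(drop_in_text))
    return {p: is_writable(p, roots) for p in paths}


def tmpdir_is_writable(drop_in_text):
    """Does the TMPDIR the unit exports (default /tmp) land inside a writable root?"""
    settings = parse_service_section(drop_in_text)
    tmpdir = "/tmp"
    for value in settings.get("Environment", []):
        for assignment in value.split():
            key, _, val = assignment.partition("=")
            if key == "TMPDIR":
                tmpdir = val
    return is_writable(tmpdir, writable_roots(settings))


if __name__ == "__main__":
    for label, text in (("minimal", MINIMAL_DROP_IN), ("proposed", PROPOSED_DROP_IN)):
        print(f"== {label} drop-in (TMPDIR writable: {tmpdir_is_writable(text)})")
        for path, ok in check_writes(text, WRITE_TARGETS).items():
            print(f"  {'rw' if ok else 'RO'}  {path}")
```

Running it shows the minimal drop-in denying every target, which is the failure from the log, and the proposed one allowing the exim spool and log paths and the /run/chkrootkit temp file while still refusing /tmp; that last line is why Environment=TMPDIR= is part of the fix rather than just loosening ReadWritePaths=. The same function can be pointed at any other write targets a hardened timer job turns out to need.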