On Mon, 30 Jun 2025 at 19:26, Richard Lewis <richard.lewis.deb...@googlemail.com> wrote:
>
> On Fri, 27 Jun 2025 at 10:17, Holger Levsen <hol...@debian.org> wrote:
>
> > since I've upgraded systems to trixie, logcheck mails me daily system
> > events like these:
> >
> > Jun 27 00:01:21 hostname chkrootkit-daily[2588815]: sending alert to root:
> > [chkrootkit] alert for hostname.example.org
> > Jun 27 00:01:21 hostname chkrootkit-daily[2589917]: mail:
> > /tmp/mail.RsXXXX8kWKZT: Read-only file system
> > Obviously I can rather easily ignore those in logcheck but I would like to
> > know
> > what's going on first. Do you have any idea?
>
> I have 2 thoughts, one is that we set ProtectSystem=strict so /tmp is
> read-only when the unit runs: However, we set
> Environment=TMPDIR=/run/chkrootkit which should mean things don't write
> to /tmp --- maybe your email sending setup ignores TMPDIR? are you
> using something non-standard?
>
> You should be able to fix this with running systemctl edit chkrootkit
> and making a drop-in with
>
> [Service]
> ReadWritePaths=/tmp
>
> That should fix it. Depending on how unusual your system is, we might
> want to add this for trixie, (or maybe disable the protectsystem)
Just remembered -- this is not an ideal solution for most users: a read-only /tmp was added to prevent all files in /tmp being marked as "used" by the scan, as that would defeat systemd's automatic "cleanup" of /tmp. So we really don't want to revert this setting (which was added in February to fix #1089588) --- we really want to find a way to make the mail system not use /tmp.
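The following is an added example for working through the situation described above; it is not code from this thread, from the Debian chkrootkit package or from systemd. It reads the effective unit text (the main unit followed by its drop-ins, in the order `systemctl cat` prints them) and answers the two questions the thread turns on: where does a program that honours TMPDIR write, where does one that hard-codes /tmp write, and does ProtectSystem= leave each of those paths writable. The read-only rules are my reading of systemd.exec(5): under ProtectSystem=strict everything except /dev, /proc and /sys is read-only, ReadWritePaths= re-enables writes, and RuntimeDirectory= directories are implicitly writable under strict. PrivateTmp=, ReadOnlyPaths= and InaccessiblePaths= are not modelled, nor are Environment= values with quoted spaces. The sample unit in the --demo branch is constructed from what the thread says the unit sets; RuntimeDirectory=chkrootkit is an assumption, the real unit is not shown on this page.

```sh
#!/bin/sh
# Added example: decide whether a sandboxed unit can write temp files.
# Not the chkrootkit unit, not systemd code; rules follow systemd.exec(5)
# as read by the author of this example. PrivateTmp= is not modelled.
set -eu

# effective_setting FILE KEY: last value of a single-valued key (later lines,
# including drop-ins appended after the main unit, override earlier ones).
effective_setting() {
    awk -F= -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        $1 == key { v = substr($0, index($0, "=") + 1) }
        END { print v }' "$1"
}

# list_setting FILE KEY PREFIX: accumulated values of a space-separated list
# key (values append, an empty assignment resets the list). A leading "-" or
# "+" modifier is dropped and PREFIX is prepended to every entry.
list_setting() {
    awk -v key="$2" -v prefix="$3" '
        /^[[:space:]]*[#;]/ { next }
        index($0, key "=") == 1 {
            v = substr($0, length(key) + 2)
            if (v == "") { list = ""; next }
            n = split(v, parts, /[[:space:]]+/)
            for (i = 1; i <= n; i++) {
                p = parts[i]; sub(/^[-+]/, "", p)
                if (p != "") list = list " " prefix p
            }
        }
        END { print list }' "$1"
}

# effective_env FILE VAR: value of VAR from Environment= assignments (later
# assignments win; an empty Environment= resets everything).
effective_env() {
    awk -v var="$2" '
        /^[[:space:]]*[#;]/ { next }
        /^Environment=/ {
            v = substr($0, 13)
            if (v == "") { val = ""; next }
            n = split(v, parts, /[[:space:]]+/)
            for (i = 1; i <= n; i++)
                if (index(parts[i], var "=") == 1) val = substr(parts[i], length(var) + 2)
        }
        END { print val }' "$1"
}

# path_writable FILE PATH: prints "yes" or "no". ProtectSystem= modes:
#   strict     whole hierarchy read-only except /dev, /proc and /sys
#   full       /usr, /boot, /efi and /etc read-only
#   yes/true   /usr, /boot and /efi read-only
#   no/unset   nothing made read-only
# ReadWritePaths= punches writable holes in every mode; under strict the
# RuntimeDirectory= directories are implicitly added to that list.
path_writable() {
    file=$1; path=$2
    mode=$(effective_setting "$file" ProtectSystem)
    holes=$(list_setting "$file" ReadWritePaths "")
    if [ "$mode" = strict ]; then
        holes="$holes $(list_setting "$file" RuntimeDirectory /run/)"
    fi
    for rw in $holes; do
        case "$path" in "$rw"|"$rw"/*) echo yes; return 0;; esac
    done
    case "$mode" in
        strict)
            case "$path" in /dev|/dev/*|/proc|/proc/*|/sys|/sys/*) echo yes;; *) echo no;; esac ;;
        full)
            case "$path" in /usr|/usr/*|/boot|/boot/*|/efi|/efi/*|/etc|/etc/*) echo no;; *) echo yes;; esac ;;
        yes|true|on|1)
            case "$path" in /usr|/usr/*|/boot|/boot/*|/efi|/efi/*) echo no;; *) echo yes;; esac ;;
        *) echo yes;;
    esac
}

# report FILE: the questions to ask when the journal shows
# "mail: /tmp/...: Read-only file system" for a sandboxed unit.
report() {
    tmpdir=$(effective_env "$1" TMPDIR)
    echo "TMPDIR in unit environment: ${tmpdir:-(unset)}"
    echo "program honouring TMPDIR writes under ${tmpdir:-/tmp}: writable=$(path_writable "$1" "${tmpdir:-/tmp}")"
    echo "program hard-coding /tmp writes under /tmp: writable=$(path_writable "$1" /tmp)"
}

case "${1:-}" in
    --demo)
        demo=$(mktemp)
        # Constructed unit text modelled on what the thread says the unit
        # sets; RuntimeDirectory=chkrootkit is an assumption.
        printf '%s\n' '[Service]' 'ProtectSystem=strict' \
            'RuntimeDirectory=chkrootkit' 'Environment=TMPDIR=/run/chkrootkit' > "$demo"
        report "$demo"
        echo '--- after a "systemctl edit" drop-in with ReadWritePaths=/tmp ---'
        echo 'ReadWritePaths=/tmp' >> "$demo"
        report "$demo"
        rm -f "$demo"
        ;;
    '') ;;
    *) report "$1" ;;
esac
```

Run it as `sh tmpcheck.sh --demo` to see the constructed case, or `systemctl cat chkrootkit.service > unit.txt; sh tmpcheck.sh unit.txt` against a real host. On the constructed unit the report shows /run/chkrootkit writable and /tmp not, which is exactly the split between a mailer that honours TMPDIR and one that hard-codes /tmp; the ReadWritePaths=/tmp drop-in flips the second answer to yes, at the cost the follow-up message describes.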