On Tue, Feb 06, 2024 at 10:22:35PM +0100, Timo Sigurdsson wrote:
> Package: aide
> Version: 0.18.3-1+deb12u2

Just for the record: Changing this in bookworm won't happen.

> since Debian Bookworm, aide refuses to send emails by default if
> s-nail is not installed.

This is not correct, MAILCMD is honored. Documentation says:

| The daily aide check will automatically select the method of sending
| mail according to the rules documented above.  The variable MAILCMD in
| /etc/default/aide can be used to override these rules.  If you know
| that your mail(1) works in a scenario where the automatism refuses to
| use mail(1), setting MAILCMD to the path to mail(1) manually will force
| the script to use mail(1).  If you need more flexibility and/or would
| prefer to have additional methods of delivering the report supported
| by the package, please file a wishlist bug.

> The documentation (README.Debian.gz in aide-common) falsely claims
> that /usr/lib/sendmail requires suid and that this affects bsd-mailx.

> Well, first of all, bsd-mailx doesn't even provide /usr/lib/sendmail,
> so this is misleading.

As far as I know, bsd-mailx invokes /usr/lib/sendmail.

> In addition, there are (popular) MTAs that don't install
> /usr/lib/sendmail with the suid bit set, e.g. postfix.

The default MTA does it this way.

> I have postfix configured to send out mail via a smarthost only,
> without any local mail delivery. I also disabled the smtpd daemon
> listening on port 25, so mail is sent via mailx/sendmail. And that
> works just fine with aide, even as non-root under systemd. I have set
> MAILCMD="/usr/bin/mailx" in /etc/default/aide in order to "convince"
> aide to send mail despite not having s-nail installed.

That is the way it is documented to work, yes.

> The downside is
> that my custom MAILSUBJ is ignored now since Debian Bookworm.

MAILSUBJ is honored in the code of dailyaidecheck:
    # MAILCMD set by the admin: use exactly that mailer, passing MAILSUBJ via -s
    if [ -n "${MAILCMD:-}" ]; then
        eval "${MAILCMD} -s \"${MAILSUBJ}\" \"${MAILTO}\"" || RET=$?
    fi

mailx is documented to honor the -s parameter. Please verify that mailx
is called correctly by our code and file an appropriate bug either
against aide or mailx.

> I would suggest not hardcoding a (soft) dependency on s-nail into the
> script. I think it would be better to merely warn people upon
> upgrading that sending mail may not work as non-root under systemd if
> the MTA requires suid and that s-nail might solve that. But don't add
> artificial restrictions or checks. If mail delivery breaks for some,
> then they know they need s-nail, but the rest can just keep using
> their known MTA setup.

This is impossible to get right since there are millions of ways to
configure local mail. Setting MAILCMD to a non-empty version is the
documented way to tell the script "use this, I know it works". Does this
work, or does it not work?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Phone: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
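The check Marc asks for above (does mailx actually receive -s with MAILSUBJ?) can be done without touching a real MTA. The following is an added example, not code from the aide package: it mirrors the quoted eval line from dailyaidecheck and points MAILCMD at a stub mailx that only records its argument vector. The function names make_stub_mailx and run_mailcmd and the STUB_LOG variable are assumptions of this example; nothing here reads /etc/default/aide.

```shell
#!/bin/sh
# Added example (not from the aide package): reproduce the dailyaidecheck
# MAILCMD invocation against a stub mailx to see exactly which arguments
# reach mail(1). Assumed names: make_stub_mailx, run_mailcmd, STUB_LOG.
set -e

# Create a stub "mailx" in a temporary directory. It writes each argument it
# receives on its own line to $STUB_LOG and swallows the report on stdin.
make_stub_mailx() {
    dir=$(mktemp -d)
    cat > "$dir/mailx" <<'EOF'
#!/bin/sh
: > "$STUB_LOG"
for a in "$@"; do printf '%s\n' "$a" >> "$STUB_LOG"; done
cat > /dev/null
EOF
    chmod +x "$dir/mailx"
    printf '%s\n' "$dir/mailx"
}

# Mirror of the quoted dailyaidecheck line:
#   eval "${MAILCMD} -s \"${MAILSUBJ}\" \"${MAILTO}\"" || RET=$?
# Arguments: MAILCMD MAILSUBJ MAILTO. Prints the argv the stub recorded,
# one argument per line, and returns the mailer's exit status.
run_mailcmd() {
    MAILCMD=$1 MAILSUBJ=$2 MAILTO=$3
    STUB_LOG=$(mktemp)
    export STUB_LOG
    RET=0
    printf 'constructed report body\n' \
        | eval "${MAILCMD} -s \"${MAILSUBJ}\" \"${MAILTO}\"" || RET=$?
    cat "$STUB_LOG"
    rm -f "$STUB_LOG"
    return $RET
}

# Usage: with a plain subject the stub sees exactly
#   -s / Daily AIDE report for myhost / root@localhost
STUB=$(make_stub_mailx)
run_mailcmd "$STUB" "Daily AIDE report for myhost" "root@localhost"

# Because the command line goes through eval, MAILSUBJ is itself shell-expanded:
# the subject below arrives with $(uname -n) already replaced by the host name.
run_mailcmd "$STUB" 'AIDE report for $(uname -n)' "root@localhost"
```

If the three recorded lines are `-s`, the subject and the recipient, the script side is correct and a subject that still goes missing points at the mailer; the second call shows why quoting in /etc/default/aide has to be eval-safe, since the value of MAILSUBJ is re-parsed by the shell rather than passed through literally.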
