Hi!
On Sun, 2023-03-05 at 17:31:16 +0100, Guillem Jover wrote:
> Package: aide
> Version: 0.18-2
> Severity: important
> The daily aide cron job warns that it cannot send mail as non-root
> user. Was wondering why or how to change or workaround that, and saw
> commit e82b5c9112d95b5c813ee29c3234733ae0f2c862, but it is not clear
> why mail from non-root was disabled, as I don't see why that would not
> work. In any case I did a local test in case there was something I was
> missing, with:
>
> # echo test | sudo -u _aide mail -s "test mail as aide user" root
>
> And got a mail to root resembling this anonymized fragment:
>
> ,---
> Date: Sun, 05 Mar 2023 17:23:07 +0100
> From: Advanced Intrusion Detection Environment <_aide@$hostname>
> To: root@$fqdn
> Subject: test mail as aide user
> Message-Id: <$msgid>
>
> test
> `---
>
> Could that check be removed to restore daily mails? Perhaps the
> intention was to disable that too for autopkgtests instead?
Ah, after pointing out the README.Debian on the other report, read
that, but it was still not clear why set-uid-root would be an issue,
as users should be able to send mails that way normally.
Rechecking this, I guess the problem might have been with the capsh
call, but just tested to make sure and it seems to work, and it seems
to be adding the required POSIX capabilities to the invocation?
Disabling the non-root check on the system and directly invoking the
cron.daily script correctly sends the mail, and also the following two
test programs send a correct mail too (while using exim4 and capsh):
,--- send-mail ---
#!/bin/sh
echo "test body" | mail -s "test sending mail as non-root" root
`---
,--- exec-mail ---
#!/bin/sh
capsh --caps="cap_dac_read_search,cap_audit_write+eip
cap_setpcap,cap_setuid,cap_setgid+ep" --keep=1 --user=_aide
--addamb=cap_dac_read_search,cap_audit_write -- -c "./send-mail"
`---
Something like the attached patch might do I guess? Will test properly
later today, and further check the README in case there is something
else to update or so, and probably update the commit message with more
information. Let me know whether I might have missed something obvious.
Thanks,
Guillem
From 6a48f5666b7cc24e991509366570592136c277a5 Mon Sep 17 00:00:00 2001
From: Guillem Jover <guil...@hadrons.org>
Date: Sun, 5 Mar 2023 18:47:30 +0100
Subject: [PATCH] Do not prevent using mail(1) from non-root
Closes: #1032387
---
debian/aide-common.README.Debian | 10 +---------
debian/bin/dailyaidecheck | 9 ++-------
2 files changed, 3 insertions(+), 16 deletions(-)
diff --git a/debian/aide-common.README.Debian b/debian/aide-common.README.Debian
index b7a8ef8..a2a7d66 100644
--- a/debian/aide-common.README.Debian
+++ b/debian/aide-common.README.Debian
@@ -125,9 +125,6 @@ If neither is the case, aide runs as root. A non-root aide is
augmented with the cap_dac_read_search capability which allows the
non-root user to read anywhere.
-Running aide as non-root also affects the daily aide check to send out
-mail. See below for details.
-
A significant part of the shell scripts that surround the aide calls
in Debian will still run as root. Patches accepted.
@@ -224,12 +221,7 @@ if systemd is used or is sent via e-mail by the cron daemon). Set
SILENTREPORTS=yes to confirm that you really want the daily aide check
to be silent. Logs are written in either case.
-Some implementations of mail(1) use /usr/lib/sendmail to deliver the
-outgoing message. /usr/lib/sendmail is suid root with some MTAs, and
-this way of privilege escalation is not available when the daily aide
-job is invoked as non-root user.
-
-Hence, the script prefers using s-nail to send out the message via
+The script prefers using s-nail to send out the message via
SMTP to localhost. A working MTA is expected on localhost. With
s-nail, an unqualified recipient address is qualified with the
contents of /etc/mailname to make it acceptable over SMTP.
diff --git a/debian/bin/dailyaidecheck b/debian/bin/dailyaidecheck
index b5b2ac7..f24e9b9 100755
--- a/debian/bin/dailyaidecheck
+++ b/debian/bin/dailyaidecheck
@@ -118,13 +118,8 @@ elif command -v s-nail >/dev/null; then
MAILTO="${MAILTO}@${MAILNAME:-localhost}"
fi
elif command -v mail >/dev/null; then
- if [ "$(id -u)" -eq 0 ]; then
- # we have root and mail(1) is useable
- MAILCMD="mail"
- else
- MAILCMD="true"
- printf >&2 "WARN: it is not possible to use mail(1) unless aide is run as root\n"
- fi
+ # we use mail(1)
+ MAILCMD="mail"
else
MAILCMD="true"
printf >&2 "WARN: mail or s-nail not installed, cannot send mail\n"
--
2.39.2
