Hi! On Thu, 2023-03-09 at 14:07:45 +0100, Marc Haber wrote: > Control: retitle -1 non-root check in dailyaidecheck might be unnecessary > Control: tags -1 patch > Control: severity -1 normal
> On Sun, Mar 05, 2023 at 07:14:14PM +0100, Guillem Jover wrote: > > Something like the attached patch might do I guess? Will test properly > > later today, and further check the README in case there is something > > else to update or so, and probably update the commit message with more > > information. Let me know whether I might have missed something obvious. > > I am totally unsure with this topic at the moment. I cannot reproduce > the behavior that I experienced when building the code, and sadly I do > not have enough documentation about the exact environment that I > experienced this. > > I am however reluctant to apply your patch in bookworm, there is quite > many possibility to add breakage by removing the check, and I'd rather > not do that at this time of the release schedule. I might revisit that > after the bookworm release, and am open to arguments. Sorry for apparently dropping the ball on this, but was trying to dig further what was going on, and tried directly on my production system by doing changes and letting the cron job run as usual, so had to wait a couple of days to get some of the results. :) I think this might have been a problem with the systemd service, which does not seem to give the same POSIX capabilities as the capsh invocation. I can probably test this hypothesis by installing aide in one of my systemd-based systems. I think the options here could be to match the POSIX capabilities for the systemd service to the ones used in capsh, which should then let the sendmail set-uid-root case work, in addition to the patch I provided, otherwise that seems like a regression for the systemd case. Another option would be to make the disabling for the mail on non-root case conditional on --systemdservice option passed by the systemd service. Which should make it work fine with non-systemd's capsh invocation. I can prepare an update for that. The third option I see, which is what I've currently ended up with, is to document that this does not work (currently/it's a regression), but that setting MAILCMD=mail and USER=_aide explicitly in the default file makes this work again. Also another problem is that USER is currently hardcoded to root, so that makes the directory check fail. Ideally USER would get automatically set instead of hardcoding it to root though, as that makes a check fail, say with USER=$(id -u -n) or similar. Will prepare another patch with that too. Thanks, Guillem
