Package: smartmontools
Version: 5.38+svn2920-2
Severity: normal

The attached python script demonstrates that this problem originates in the 62_lowcap.patch patch, which is intended to limit smartd's capabilities to those deemed necessary. The script uses libcap-ng's python bindings to drop capabilities to smartd's level, then runs pscap to demonstrate this and finally tries to send mail.
For this demo to work, do the following:
- install python-cap-ng
- put the attached test.py somewhere
- create a world-readable file testmail.txt in the same directory
- become root
- run 'python test.py'

On my system, I get the following result:

1843 2319 root python sys_rawio, sys_admin
1 18588 root smartd sys_rawio, sys_admin
exim: setgroups() failed: Operation not permitted
Can't send mail: sendmail process failed with error code 1

Regards,
Matijs van Zuijlen

-- Package-specific info:

Output of /usr/share/bug/smartmontools:
# CONFIG_IDE_TASK_IOCTL is not set

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages smartmontools depends on:
ii  debianutils      3.2.1      Miscellaneous utilities specific t
ii  libc6            2.9-26     GNU C Library: Shared libraries
ii  libcap-ng0       0.6.1-1    Development and header files for l
ii  libgcc1          1:4.4.1-4  GCC support library
ii  libselinux1      2.0.85-4   SELinux runtime shared libraries
ii  libstdc++6       4.4.1-4    The GNU Standard C++ Library v3
ii  lsb-base         3.2-23     Linux Standard Base 3.2 init scrip

Versions of packages smartmontools recommends:
ii  bsd-mailx [mailx]  8.1.2-0.20090911cvs-1  simple mail user agent

Versions of packages smartmontools suggests:
pn  gsmartcontrol    <none>     (no description available)
ii  powersaved       0.15.20-6  power management daemon
pn  smart-notifier   <none>     (no description available)

-- no debconf information
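import capng
import os

# Start from an empty capability state (traditional sets and bounding set).
capng.capng_clear(capng.CAPNG_SELECT_BOTH)

# Keep only the two capabilities smartd retains under 62_lowcap.patch.
capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE|capng.CAPNG_PERMITTED, capng.CAP_SYS_ADMIN)
capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE|capng.CAPNG_PERMITTED, capng.CAP_SYS_RAWIO)

# Apply the reduced state to this process.
capng.capng_apply(capng.CAPNG_SELECT_BOTH)

# Show the resulting capabilities next to those of the running smartd.
# Raw string so the grep escapes are passed through unchanged.
os.system(r'pscap | grep "\(python\|smartd\)"')

# Try to send mail from the reduced-capability process.
os.system('mail mat...@matijs.net < testmail.txt')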
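
An added example, not part of the original report or of smartmontools: it decodes the Cap* lines of /proc/<pid>/status and reports which capabilities a setuid-root child (here assumed to be exim, which needs CAP_SETGID for setgroups()) can no longer obtain after exec. The status text is a constructed sample; the empty CapBnd value is an assumption about what clearing both selections leaves, and the function names are hypothetical.

```python
import re

# Capability bit numbers from <linux/capability.h>; only the ones relevant here.
CAP_BITS = {6: "setgid", 7: "setuid", 17: "sys_rawio", 21: "sys_admin"}

# Constructed sample of /proc/<pid>/status for a process restricted the way
# test.py restricts itself (assumption: bounding set cleared as well).
SAMPLE_STATUS = """\
Name:\tsmartd
CapInh:\t0000000000000000
CapPrm:\t0000000000220000
CapEff:\t0000000000220000
CapBnd:\t0000000000000000
"""

def decode(mask):
    """Turn a capability bitmask into a set of names."""
    names, bit = set(), 0
    while mask:
        if mask & 1:
            names.add(CAP_BITS.get(bit, "cap_%d" % bit))
        mask >>= 1
        bit += 1
    return names

def parse_caps(status_text):
    """Return {'CapEff': {...}, 'CapBnd': {...}, ...} from status text."""
    caps = {}
    pattern = r"^(Cap\w+):[ \t]*([0-9a-fA-F]+)$"
    for m in re.finditer(pattern, status_text, re.M):
        caps[m.group(1)] = decode(int(m.group(2), 16))
    return caps

def child_missing(status_text, needed):
    """Capabilities in `needed` that a setuid-root child cannot gain on exec.

    For a root-owned setuid binary the new permitted set is limited to the
    parent's inheritable set plus its bounding set.
    """
    caps = parse_caps(status_text)
    obtainable = caps.get("CapInh", set()) | caps.get("CapBnd", set())
    return sorted(set(needed) - obtainable)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATUS
    print("effective:", sorted(parse_caps(text).get("CapEff", set())))
    print("child cannot obtain:", child_missing(text, ["setgid", "setuid"]))
```

Run it with /proc/<pid>/status of the daemon as the argument to check a live process instead of the sample.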