On Tue, Feb 06, 2024 at 10:22:35PM +0100, Timo Sigurdsson wrote:
> Package: aide
> Version: 0.18.3-1+deb12u2

Just for the record: Changing this in bookworm won't happen.

> since Debian Bookworm, aide refuses to send emails by default if
> s-nail is not installed.

This is not correct, MAILCMD is honored. Documentation says:

| The daily aide check will automatically select the method of sending
| mail according to the rules documented above. The variable MAILCMD in
| /etc/default/aide can be used to override these rules. If you know
| that your mail(1) works in a scenario where the automatism refuses to
| use mail(1), setting MAILCMD to the path to mail(1) manually will force
| the script to use mail(1). If you need more flexibility and/or would
| prefer to have additional methods of delivering the report supported
| by the package, please file a wishlist bug.

> The documentation (README.Debian.gz in aide-common) falsely claims
> that /usr/lib/sendmail requires suid and that this affects bsd-mailx.
> Well, first of all, bsd-mailx doesn't even provide /usr/lib/sendmail,
> so this is misleading.

As far as I know, bsd-mailx invokes /usr/lib/sendmail.

> In addition, there are (popular) MTAs that don't install
> /usr/lib/sendmail with the suid bit set, e.g. postfix.

The default MTA does it this way.

> I have postfix configured to send out mail via a smarthost only,
> without any local mail delivery. I also disabled the smtpd daemon
> listening on port 25, so mail is sent via mailx/sendmail. And that
> works just fine with aide, even as non-root under systemd. I have set
> MAILCMD="/usr/bin/mailx" in /etc/default/aide in order to "convince"
> aide to send mail despite not having s-nail installed.

That is the way it is documented to work, yes.

> The downside is
> that my custom MAILSUBJ is ignored now since Debian Bookworm.

MAILSUBJ is honored in the code of dailyaidecheck:

    if [ -n "${MAILCMD:-}" ]; then
        eval "${MAILCMD} -s \"${MAILSUBJ}\" \"${MAILTO}\"" || RET=$?

mailx is documented to honor the -s parameter.

Please verify that mailx is called correctly by our code and file an
appropriate bug either against aide or mailx.

> I would suggest to not hardcode a (soft) dependency on s-nail into the
> script. I think it would be better to merely warn people upon
> upgrading that sending mail may not work as non-root under systemd if
> the MTA requires suid and that s-nail might solve that. But don't add
> artificial restrictions or checks. If mail delivery breaks for some,
> then they know they need s-nail, but the rest can just keep using
> their known MTA setup.

This is impossible to get right since there are millions of ways to
configure local mail. Setting MAILCMD to a non-empty version is the
documented way to tell the script "use this, I know it works". Does this
work, or does it not work?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
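One way to carry out the check requested in the message above, as an added example that is not part of the original mail or of the aide package: a stub stands in for mailx and records the arguments that the quoted `eval` line passes to it. The names `record_args` and `check_mailcmd_argv` are hypothetical, and the subject, recipient and report body are constructed values.

```shell
#!/bin/sh
# Added example: show which argv the MAILCMD invocation quoted above produces.
# record_args is a hypothetical stand-in for mailx, not a real tool.

check_mailcmd_argv() {
    # $1 = subject, $2 = recipient; prints one received argument per line
    workdir=$(mktemp -d) || return 1

    # Constructed stub: log each argument on its own line, discard stdin.
    cat > "$workdir/record_args" <<'EOF'
#!/bin/sh
for a in "$@"; do printf '%s\n' "$a"; done > "$(dirname "$0")/argv.log"
cat > /dev/null
EOF
    chmod +x "$workdir/record_args"

    # Same variables the daily check reads from /etc/default/aide.
    MAILCMD="$workdir/record_args"
    MAILSUBJ=$1
    MAILTO=$2
    RET=0

    # Same invocation shape as the line quoted from dailyaidecheck.
    if [ -n "${MAILCMD:-}" ]; then
        printf 'constructed report body\n' |
            eval "${MAILCMD} -s \"${MAILSUBJ}\" \"${MAILTO}\"" || RET=$?
    fi

    cat "$workdir/argv.log"
    rm -rf "$workdir"
    return "$RET"
}

# Constructed sample values; expect three lines: -s, the subject, the recipient.
check_mailcmd_argv "Custom AIDE subject for host1" "root"
```

If the subject arrives here as a single argument directly after `-s`, the script side is passing it correctly, and a lost subject would point at the mail program that MAILCMD names.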