• Bug#1108377: chkrootkit: daily system event: mail: /tmp/mail.RsXXXX8kWK

    From Holger Levsen@21:1/5 to Richard Lewis on Sun Jul 6 01:00:01 2025
    control: severity -1 serious
    thanks

    On Mon, Jun 30, 2025 at 07:26:37PM +0100, Richard Lewis wrote:
    > I have 2 thoughts, one is that we set ProtectSystem=strict so /tmp is
    > read-only when the unit runs: However, we set
    > Environment=TMPDIR=/run/chkrootkit which should mean things don't write
    > to /tmp --- maybe your email sending setup ignores TMPDIR? are you
    > using something non-standard?

    I can send mail on these machines using this command:

    $ date| mail -s test root

    > Either way you probably shouldn't ignore these lines with logcheck: it
    > looks like it is trying to email you and failing

    indeed, hence I'm raising the severity. (Because I believe that warning about probs is chkrootkit's basic function. Feel free to downgrade, I don't mind.)

    Also because I'm seeing this on systems running postfix and (others) running ssmtp.


    --
    cheers,
    Holger

    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
    ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
    ⠈⠳⣄

    Alles weird gut.

  • From Holger Levsen@21:1/5 to Richard Lewis on Sun Jul 6 13:10:01 2025
    On Sun, Jul 06, 2025 at 10:59:18AM +0100, Richard Lewis wrote:
    > great -- but this isn't sending mail from a systemd unit with a read-only /tmp or with a different TMPDIR setting

    that's with a writable /tmp

    > --- does the systemd workaround in the earlier message work?

    I haven't tried cause you said you rather don't want that.

    > --- does running /sbin/chkrootkit-daily directly work? (just in case)

    yes

    > can you also tell me
    >
    > --- how to configure a system to reproduce this in a new container: what packages do i install (postfix? ssmtp? please assume no knowledge of
    > these!)

    either

    > and what settings to make (if any? i think we would just need
    > "local delivery"): this seems like something we will need to test more, however we resolve this

    i've configured postfix and ssmtp to send mail to a smarthost.

    > --- what provides mail(1) --is it mailx or mailutils etc? (probably doesn't matter, but.)

    bsd-mailx


    --
    cheers,
    Holger

    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
    ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
    ⠈⠳⣄

    No future.

  • From Richard Lewis@21:1/5 to Holger Levsen on Sun Jul 6 14:00:01 2025
    On Sun, 6 Jul 2025 at 12:01, Holger Levsen <[email protected]> wrote:
    > > --- what provides mail(1) --is it mailx or mailutils etc? (probably doesn't matter, but.)
    >
    > bsd-mailx

    i'm not sure, but i think this may be the problem --- looking at https://salsa.debian.org/debian/bsd-mailx/-/blob/master/send.c and https://salsa.debian.org/debian/bsd-mailx/-/blob/master/debian/patches/02-Base-fixes-1.patch
    it seems debian has patched bsd-mailx to hardcode /tmp (i'm not sure
    about this, i only read the code on salsa, and couldn't spot where the
    directory was set)?

    does it work to use mailutils instead?

    does editing /sbin/chkrootkit-daily to use sendmail fix it (something
    like this):

    @@ -105,7 +105,11 @@ if [ -s "$FILE" ]; then
    # run by systemd: product a line on stdout for the journal
    echo "sending alert to $MAILTO: $SUBJECT"
    fi
    - mail -s "$SUBJECT" "$MAILTO" < "$FILE"
    + {
    + echo "$SUBJECT"
    + echo
    + cat "$FILE"
    + } | sendmail "$MAILTO"
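
    Review bot: In the added `{ ... } | sendmail "$MAILTO"` block, `echo "$SUBJECT"` writes the subject as a bare first line rather than as a `Subject:` header, so nothing before the empty `echo` is parsed as a header and the alert would arrive without a subject. Suggest `echo "Subject: $SUBJECT"`, with a `To: $MAILTO` line alongside it, ahead of the blank line. Also consider `sendmail -i "$MAILTO"`, so that a line in `$FILE` consisting only of `.` does not end the message early and truncate the report.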