• Bug#1108377: chkrootkit: daily system event: mail: /tmp/mail.RsXXXX8kWK

    From Richard Lewis@21:1/5 to holger@layer-acht.org on Sun Jul 6 12:10:01 2025
    On Sat, 5 Jul 2025, 23:54 Holger Levsen, <holger@layer-acht.org> wrote:

    > On Mon, Jun 30, 2025 at 07:26:37PM +0100, Richard Lewis wrote:
    > > I have 2 thoughts, one is that we set ProtectSystem=strict so /tmp is
    > > read-only when the unit runs: However, we set
    > > Environment=TMPDIR=/run/chkrootkit which should mean things don't write
    > > to /tmp --- maybe your email sending setup ignores TMPDIR? are you
    > > using something non-standard?
    >
    > I can send mail on these machines using this command:
    >
    > $ date| mail -s test root

    great -- but this isn't sending mail from a systemd unit with a read-only
    /tmp or with a different TMPDIR setting

    --- does the systemd workaround in the earlier message work?

    --- does running /sbin/chkrootkit-daily directly work? (just in case)

    can you also tell me

    --- how to configure a system to reproduce this in a new container: what
    packages do i install (postfix? ssmtp? please assume no knowledge of
    these!) and what settings to make (if any? i think we would just need
    "local delivery"): this seems like something we will need to test more,
    however we resolve this

    --- what provides mail(1) --is it mailx or mailutils etc? (probably doesn't matter, but.)

  • From Holger Levsen@21:1/5 to Holger Levsen on Sun Jul 6 13:10:01 2025
    On Sun, Jul 06, 2025 at 11:01:09AM +0000, Holger Levsen wrote:
    > > --- does running /sbin/chkrootkit-daily directly work? (just in case)
    >
    > yes

    it also does send an email. :)


    --
    cheers,
    Holger

    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
    ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
    ⠈⠳⣄

    It will get worse, before it will get worse.

  • From Holger Levsen@21:1/5 to Richard Lewis on Sun Jul 6 14:40:02 2025
    control: reassign -1 bsd-mailx
    control: debian has patched bsd-mailx to hardcode /tmp
    control: affects -1 logcheck
    thanks

    On Sun, Jul 06, 2025 at 12:47:36PM +0100, Richard Lewis wrote:
    > On Sun, 6 Jul 2025 at 12:01, Holger Levsen <holger@layer-acht.org> wrote:
    > > > --- what provides mail(1) --is it mailx or mailutils etc? (probably doesn't
    > > > matter, but.)
    > >
    > > bsd-mailx
    >
    > i'm not sure, but i think this may be the problem --- looking at
    > https://salsa.debian.org/debian/bsd-mailx/-/blob/master/send.c and
    > https://salsa.debian.org/debian/bsd-mailx/-/blob/master/debian/patches/02-Base-fixes-1.patch
    > it seems debian has patched bsd-mailx to hardcode /tmp (i'm not sure
    > about this, i only read the code on salsa, and couldn't spot where the
    > directory was set)?

    ic!

    > does it work to use mailutils instead?

    installing it on a system atm. didn't help, because i also had to remove bsd-mailx. then it worked \o/

    > does editing /sbin/chkrootkit-daily to use sendmail fix it (something
    > like this):

    i'd rather not edit files in /sbin :)

    thanks!


    --
    cheers,
    Holger

    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
    ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
    ⠈⠳⣄

    Everyone is entitled to their own opinion, but not their own facts.

  • From Andrew Bower@21:1/5 to Holger Levsen on Thu Jul 10 00:40:01 2025

    Hi everyone,

    On Sun, Jul 06, 2025 at 12:32:09PM +0000, Holger Levsen wrote:
    > On Sun, Jul 06, 2025 at 12:47:36PM +0100, Richard Lewis wrote:
    > > On Sun, 6 Jul 2025 at 12:01, Holger Levsen <holger@layer-acht.org> wrote:
    > > > bsd-mailx
    > >
    > > i'm not sure, but i think this may be the problem --- looking at
    > > https://salsa.debian.org/debian/bsd-mailx/-/blob/master/send.c and
    > > https://salsa.debian.org/debian/bsd-mailx/-/blob/master/debian/patches/02-Base-fixes-1.patch
    > > it seems debian has patched bsd-mailx to hardcode /tmp (i'm not sure
    > > about this, i only read the code on salsa, and couldn't spot where the
    > > directory was set)?
    >
    > ic!

    I've come along and done the easy bit... the attached patch causes mailx
    to honour the TMPDIR environment variable, if set. Does this do enough
    to fix your originally-failing scenario?

    (I don't see that Debian overrode anything so much as setting an
    otherwise undefined but required build-time definition for the default.)

    Andrew

    [Attachment: honour-tmpdir.patch]

    From fe60bc9a58b31197791451097cf3550fb5542b85 Mon Sep 17 00:00:00 2001
    From: Andrew Bower <andrew@bower.uk>
    Date: Wed, 9 Jul 2025 22:44:53 +0100
    Subject: [PATCH] Patch to honour TMPDIR. (Closes: #1108377)

    All the hard work was done diagnosing the issue by Richard Lewis and Holger Levsen on the BTS; the patch was the easy bit!
    ---
    debian/patches/36-Honour-TMPDIR.patch | 26 ++++++++++++++++++++++++++
    debian/patches/series | 1 +
    2 files changed, 27 insertions(+)
    create mode 100644 debian/patches/36-Honour-TMPDIR.patch

    diff --git a/debian/patches/36-Honour-TMPDIR.patch b/debian/patches/36-Honour-TMPDIR.patch
    new file mode 100644
    index 0000000..dfb0012
    --- /dev/null
    +++ b/debian/patches/36-Honour-TMPDIR.patch
    @@ -0,0 +1,26 @@
    +From: Andrew Bower <andrew@bower.uk>
    +Date: Wed, 9 Jul 2025 22:28:37 +0100
    +Bug-Debian: https://bugs.debian.org/1108377
    +Forwarded: no
    +Subject: Honour TMPDIR environment variable
    +
    +Thanks: diagnosis by Richard Lewis and Holger Levsen.
    +
    +---
    + temp.c | 3 ++-
    + 1 file changed, 2 insertions(+), 1 deletion(-)
    +
    +diff --git a/temp.c b/temp.c
    +index b2c6308..b88aaa4 100644
    +--- a/temp.c
    ++++ b/temp.c
    +@@ -47,7 +47,8 @@ tinit(void)
    + {
    + char *cp;
    +
    +- tmpdir = _PATH_TMP;
    ++ if ((tmpdir = getenv("TMPDIR")) == NULL)
    ++ tmpdir = _PATH_TMP;
    + if ((tmpdir = str
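    Review bot: in tinit(), the new check only falls back to _PATH_TMP when getenv("TMPDIR") returns NULL, so a TMPDIR that is set to the empty string (or to a relative path) is taken as the temporary directory unchanged. Consider treating those like the unset case, for example `if ((tmpdir = getenv("TMPDIR")) == NULL || *tmpdir != '/')`, and mentioning TMPDIR in the man page, since nothing in the patch documents the new behaviour.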
  • From Richard Lewis@21:1/5 to Andrew Bower on Thu Jul 10 02:00:01 2025
    On Wed, 9 Jul 2025 at 23:02, Andrew Bower <andrew@bower.uk> wrote:
    >
    > Hi everyone,
    >
    > On Sun, Jul 06, 2025 at 12:32:09PM +0000, Holger Levsen wrote:
    > > On Sun, Jul 06, 2025 at 12:47:36PM +0100, Richard Lewis wrote:
    > > > On Sun, 6 Jul 2025 at 12:01, Holger Levsen <holger@layer-acht.org> wrote:
    > > > > bsd-mailx
    > > >
    > > > i'm not sure, but i think this may be the problem --- looking at
    > > > https://salsa.debian.org/debian/bsd-mailx/-/blob/master/send.c and
    > > > https://salsa.debian.org/debian/bsd-mailx/-/blob/master/debian/patches/02-Base-fixes-1.patch
    > > > it seems debian has patched bsd-mailx to hardcode /tmp (i'm not sure
    > > > about this, i only read the code on salsa, and couldn't spot where the
    > > > directory was set)?
    > >
    > > ic!
    >
    > I've come along and done the easy bit... the attached patch causes mailx
    > to honour the TMPDIR environment variable, if set.

    Thanks - this looks a good solution to me

    > Does this do enough to fix your originally-failing scenario?

    I tested a bsd-mailx with your patch applied in a systemd-nspawn
    container (unstable), with exim, and it fixed the original issue
    (which i could reproduce)

    i also installed postfix and it continued to work (but i didn't try
    this with the unpatched bsd-mailx).
    i tried to install ssmtp but it failed to install (seems unrelated,
    but i didn't investigate)

    > (I don't see that Debian overrode anything so much as setting an
    > otherwise undefined but required build-time definition for the default.)

    ah yes!

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
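
The TMPDIR handling this thread converges on, as an added example that is not code from bsd-mailx or from anyone in the thread: it goes beyond the patch by also falling back to the default when TMPDIR is empty or relative, and it creates the file with mkstemp(). DEFAULT_TMP, pick_tmpdir and make_temp are hypothetical names; the mail.Rs prefix is taken from the file name in the bug title.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_TMP "/tmp"  /* assumption: stands in for _PATH_TMP */

/* TMPDIR if it is set to an absolute path, otherwise the default.
 * An empty or relative value is treated like an unset one. */
const char *pick_tmpdir(void)
{
    const char *dir = getenv("TMPDIR");
    return (dir != NULL && dir[0] == '/') ? dir : DEFAULT_TMP;
}

/* Create a private temp file "<dir>/<prefix>XXXXXX" and store its path in
 * buf. Returns an open fd, or -1 with errno set: ENAMETOOLONG if buf is too
 * small, or whatever mkstemp() reports (EROFS on a read-only directory). */
int make_temp(char *buf, size_t len, const char *prefix)
{
    const char *dir = pick_tmpdir();
    size_t dlen = strlen(dir);

    while (dlen > 1 && dir[dlen - 1] == '/')  /* drop trailing slashes */
        dlen--;
    int n = snprintf(buf, len, "%.*s/%sXXXXXX", (int)dlen, dir, prefix);
    if (n < 0 || (size_t)n >= len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(buf);  /* created exclusively, mode 0600 */
}

int main(void)
{
    char path[4096];
    int fd = make_temp(path, sizeof path, "mail.Rs");
    if (fd < 0) {
        perror(path);  /* e.g. "Read-only file system" for /tmp */
        return 1;
    }
    printf("temp file: %s\n", path);
    close(fd);
    unlink(path);
    return 0;
}
```

Run with TMPDIR pointing at a writable directory, as the unit's Environment=TMPDIR=/run/chkrootkit does, the file is created there instead of under the read-only /tmp.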
  • From Andrew Bower@21:1/5 to Richard Lewis on Thu Jul 10 02:30:01 2025
    Control: retitle -1 bsd-mailx: allow TMPDIR env to override /tmp

    On Thu, Jul 10, 2025 at 12:48:26AM +0100, Richard Lewis wrote:
    > On Wed, 9 Jul 2025 at 23:02, Andrew Bower <andrew@bower.uk> wrote:
    > > On Sun, Jul 06, 2025 at 12:32:09PM +0000, Holger Levsen wrote:
    > > > On Sun, Jul 06, 2025 at 12:47:36PM +0100, Richard Lewis wrote:
    > > > > On Sun, 6 Jul 2025 at 12:01, Holger Levsen <holger@layer-acht.org> wrote:
    > > > > > bsd-mailx
    > > > >
    > > > > i'm not sure, but i think this may be the problem --- looking at
    > > > > https://salsa.debian.org/debian/bsd-mailx/-/blob/master/send.c and
    > > > > https://salsa.debian.org/debian/bsd-mailx/-/blob/master/debian/patches/02-Base-fixes-1.patch
    > > > > it seems debian has patched bsd-mailx to hardcode /tmp (i'm not sure
    > > > > about this, i only read the code on salsa, and couldn't spot where
    > > > > the directory was set)?
    > > >
    > > > ic!
    > >
    > > I've come along and done the easy bit... the attached patch causes mailx
    > > to honour the TMPDIR environment variable, if set.
    >
    > Thanks - this looks a good solution to me
    >
    > > Does this do enough to fix your originally-failing scenario?
    >
    > I tested a bsd-mailx with your patch applied in a systemd-nspawn
    > container (unstable), with exim, and it fixed the original issue
    > (which i could reproduce)

    Fantastic! (I know I'm a total fraud offering to help at this last
    stage when you had done all the work but I couldn't resist...)

    I've placed a suitable source package on mentors for convenience in case
    it's not possible to reach the maintainer in a timely fashion with corresponding git commits also available:

    https://mentors.debian.net/package/bsd-mailx/
    https://salsa.debian.org/abower/bsd-mailx/-/commits/honour-tmpdir

    I suspect a pre-request will not be needed for this change?

    [...]
    > > (I don't see that Debian overrode anything so much as setting an
    > > otherwise undefined but required build-time definition for the default.)
    >
    > ah yes!

    I'm retitling to reflect - hope that's ok!

  • From Holger Levsen@21:1/5 to Richard Lewis on Thu Jul 10 14:20:01 2025
    On Thu, Jul 10, 2025 at 12:48:26AM +0100, Richard Lewis wrote:
    > I tested a bsd-mailx with your patch applied in a systemd-nspawn
    > container (unstable), with exim, and it fixed the original issue
    > (which i could reproduce)
    >
    > i also installed postfix and it continued to work (but i didn't try
    > this with the unpatched bsd-mailx).

    great!

    (fwiw, i currently cannot access the systems where i have been seeing this problem...)


    --
    cheers,
    Holger

    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
    ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
    ⠈⠳⣄

    If you say you love freedom, but want to restrict certain groups, you don't love freedom, you love privilege. (Tim Waltz)
