sudo in av_scanner script: effective uid is not 0
Dusan Obradovic
dusan at euracks.net
Tue Jul 17 11:53:50 CEST 2018
> On Jul 13, 2018, at 14:47, Andreas Büthe <abuethe at novomind.com> wrote:
>
> The version used is 'amavisd-new 2.11.0-2el7' (CentOS 7 from epel) without chroot. I checked basics like the suid bit on /usr/bin/sudo, the filesystem / where /usr resides on is not mounted 'nosuid', SELinux is currently disabled for testing purposes, etc.
> I somehow assume that my problem has to do with the read-only filesystem remounts in the amavis worker.
Systemd unit file from epel has some interesting security settings.
/usr/lib/systemd/system/amavisd.service:
#the bounding set is reset to the empty capability set
CapabilityBoundingSet=
#mounts /usr /boot /etc directories read-only for processes invoked by this unit
ProtectSystem=full
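
Added example, not part of the original post or of the epel packaging: a small Python resolver that shows what the two quoted directives mean once systemd has applied every fragment of a unit in order, including the rule that an empty CapabilityBoundingSet= discards whatever was listed before it. The fragment contents and all names below are constructed for illustration; only the two directives and their values come from the post.

```python
# Resolve the effective CapabilityBoundingSet= and ProtectSystem= from unit-file
# text, applying fragments in order (main unit first, then drop-ins).

# Constructed sample carrying only the two settings quoted in the post.
EPEL_FRAGMENT = """\
[Service]
#the bounding set is reset to the empty capability set
CapabilityBoundingSet=
ProtectSystem=full
"""

# Hypothetical second fragment, constructed to show the merge and reset rules.
OTHER_FRAGMENT = """\
[Service]
CapabilityBoundingSet=CAP_SETUID CAP_SETGID
"""

# Read-only paths per ProtectSystem= value (systemd.exec(5)); "full" matches the
# post. "strict" is simplified to "/" (systemd exempts /dev, /proc and /sys).
READ_ONLY = {"true": ["/usr", "/boot"], "full": ["/usr", "/boot", "/etc"],
             "strict": ["/"]}
BOOL_TRUE = {"yes", "on", "1"}

def effective_settings(*fragments):
    """Return (bounding_set, read_only_paths); bounding_set None = never set."""
    caps, protect = None, None
    for text in fragments:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":      # blank line or comment
                continue
            if line.startswith("["):
                section = line.strip("[]")
                continue
            key, sep, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if section != "Service" or not sep:
                continue
            if key == "CapabilityBoundingSet":
                if value.startswith("~"):
                    raise ValueError("inverted (~) lists are not handled here")
                # Empty value resets the set; otherwise entries are merged.
                caps = set() if not value else (caps or set()) | set(value.split())
            elif key == "ProtectSystem":
                value = value.lower()
                protect = "true" if value in BOOL_TRUE else value
    return caps, READ_ONLY.get(protect, [])
```

On a running host the same values can be read back with systemctl show amavisd -p CapabilityBoundingSet -p ProtectSystem.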