sudo in av_scanner script: effective uid is not 0

Dusan Obradovic dusan at euracks.net
Tue Jul 17 11:53:50 CEST 2018


> On Jul 13, 2018, at 14:47, Andreas Büthe <abuethe at novomind.com> wrote:
> 
> The version used is 'amavisd-new 2.11.0-2el7' (CentOS 7 from epel) without chroot. I checked basics like the suid bit on /usr/bin/sudo, the filesystem / where /usr resides on is not mounted 'nosuid', SELinux is currently disabled for testing purposes, etc.
> I somehow assume that my problem has to do with the read-only filesystem remounts in the amavis worker.

The systemd unit file from EPEL has some interesting security settings.

/usr/lib/systemd/system/amavisd.service:

#the bounding set is reset to the empty capability set 
CapabilityBoundingSet=

#mounts /usr /boot /etc directories read-only for processes invoked by this unit
ProtectSystem=full
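
Added example, not part of the original message or of the amavisd package: both settings quoted above can be observed on a running process, the bounding set as the CapBnd mask in /proc/<pid>/status and the read-only remounts in /proc/<pid>/mountinfo. The sample inputs are constructed, the function names are hypothetical, and CAP_SETUID/CAP_SETGID are checked on the assumption that they are the capabilities a uid/gid switch depends on.

```shell
#!/bin/sh
# Usage: sh check_unit_effects.sh [PID]   (no PID: runs on the constructed samples)

# Constructed sample: status excerpt of a process with an empty bounding set.
SAMPLE_STATUS='Name:   amavisd
CapEff: 0000000000000000
CapBnd: 0000000000000000'

# Constructed sample: mountinfo of a process started under ProtectSystem=full.
SAMPLE_MOUNTINFO='60 1 253:0 / / rw,relatime shared:1 - xfs /dev/mapper/centos-root rw
120 60 253:0 /usr /usr ro,relatime shared:40 - xfs /dev/mapper/centos-root rw
121 60 8:1 / /boot ro,relatime shared:41 - xfs /dev/sda1 rw
122 60 253:0 /etc /etc ro,relatime shared:42 - xfs /dev/mapper/centos-root rw'

# Capability bit numbers as defined in linux/capability.h.
CAPS="6:CAP_SETGID 7:CAP_SETUID"

# missing_caps STATUS_TEXT: print the capabilities from CAPS absent from CapBnd.
missing_caps() {
    mask=$(printf '%s\n' "$1" | awk '$1 == "CapBnd:" { print $2; exit }')
    [ -n "$mask" ] || return 2          # no CapBnd line in the input
    out=""
    for entry in $CAPS; do
        bit=${entry%%:*}; name=${entry#*:}
        [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ] || out="$out $name"
    done
    printf '%s\n' "${out# }"
}

# ro_mounts MOUNTINFO_TEXT: print which of /usr, /boot, /etc are mounted ro.
# In mountinfo, field 5 is the mount point and field 6 the per-mount options.
ro_mounts() {
    printf '%s\n' "$1" | awk '
        ($5 == "/usr" || $5 == "/boot" || $5 == "/etc") && $6 ~ /(^|,)ro(,|$)/ {
            s = s (s ? " " : "") $5
        }
        END { print s }'
}

if [ -n "${1:-}" ]; then
    status=$(cat "/proc/$1/status"); mounts=$(cat "/proc/$1/mountinfo")
else
    status=$SAMPLE_STATUS; mounts=$SAMPLE_MOUNTINFO
fi
echo "missing from bounding set: $(missing_caps "$status")"
echo "read-only mounts: $(ro_mounts "$mounts")"
```

Run it with the PID of an amavisd worker and again with the PID of a login shell to compare the two environments.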

