Mini-sendmail... in bash

I recently faced an environment where there is no MTA.

WTF? The reason is that people who work there get security audits on a regular basis, and the security people are usually mo...deratly skilled guys who blindly run a set of scripts, e.g. by ordering to disable Apache modules that "where seen enabled in /etc/apache2/mods-available/"...

To avoid spending days arguing with them and nitpicking with non-technical managers, the system is trimmed to the minimum - and there is no MTA. No MTA, so no cron output, so difficulty to understand why last night's cron job failed miserably.

Since it was not my role to reshape the whole business unit, I decided to hack a super-light, but functional way to get my cron output:

cat <<'EOF' > /usr/sbin/sendmail
#!/bin/bash
(
    echo "From me  $(LANG=C date)"
    cat
    echo
) >> /var/mail/all
EOF
chmod 755 /usr/sbin/sendmail

It works!

There is a companion logrotate script, to avoid filling the file system:

cat <<'EOF' > /etc/logrotate.d/mail-all
/var/mail/all {
  daily
  rotate 10
  compress
  delaycompress
  notifempty
  create 622 root mail
}
EOF

Bootstrap with:

touch /var/mail/all
logrotate -f /var/mail/all

You now can check your sys-mails with:

mutt -f /var/mail/all

RSS Atom

exit 1

So, to make things really secure, they remove a standard reporting facility for alerting of configuration or security issues (the MTA)...

Instead, this script was needed, to allow any user to append an executable file owned by root, who would later read it with mutt running only as superuser (create 722 root mail)? Via the shell script, a user could insert extra From lines with spoofed date/time. Or writing directly to the file they could truncate it to delete old messages, and after all this leave no way to see which user ID really wrote any of them.

That aside, this was a nifty idea for scripting something useful with only basic tools.

Comment by Anonymous — Tue Feb 14 01:07:10 2012

Nifty idea

I've dealt with places like that before and share your pain. Sometimes an evil script is a much simpler solution than trying to bang your head against a wall convincing them otherwise.

Comment by Anonymous — Tue Feb 14 03:56:04 2012

Typo

722 should be 622, typo.

Indeed, even if though those systems do not offer local access, this isn't super-secure :P

Comment by beuc — Tue Feb 14 08:05:00 2012

Better scripting

Instead of the subshell, consider this:

#!/bin/bash
exec >> /var/mail/all
echo "From me  $(LANG=C date)"
cat
echo
chmod 755 /usr/sbin/sendmail

– madduck

Comment by Anonymous — Tue Feb 14 10:33:02 2012

sed s/cat/sed/

If the message body contains a line starting with "From " then this will fail a little bit. Suggest replacing "cat" with

sed -e 's/^([>]*From )/>\1/'

Comment by barak — Tue Feb 14 16:47:33 2012

Re: better scripting

Nifty. I didn't know about "exec >> io-redirected.txt"

Comment by beuc — Tue Feb 14 19:29:04 2012

You cna use cron without a MTA

There was a rather long discussion about the topic of having no MTA on Fedora by default : https://fedoraproject.org/wiki/Features/NoMTA

And the outcome was that cronie ( a cron daemon ) can be used without a mta. So maybe switching to this would help you ?