On Jul 03, RL <richard.lewis.deb...@googlemail.com> wrote: > (One of the issues for services that send email is that it is very > easy to break exim) NoNewPrivileges breaks by design anything which depends on suid, so Exim and (in the default configuration) Postfix.
I agree that we should do much better in terms on sandboxing, considering that it is so easy with systemd. I am not sure if it can be a release goal, but it definitely should be a best practice. This is a good example of what an almost fully sandboxed service looks like: https://salsa.debian.org/md/rpki-client/-/blob/master/debian/rpki-client.service -- ciao, Marco
signature.asc
Description: PGP signature
