On 12/16/24 17:45, rhys wrote: > However, privilege escalation is still a serious issue and should not be > minimized by its likelihood.
I didn't, my point is that I think they are better/more effectively adressed with other mechanims (systemd unit hardening) than chroot. > The "REAL" danger is the system takeover, as it is much more damaging to > surrounding systems, harder to detect, and harder to recover from. compromised mail relays can happen (as with any other system) but they are relatively easy to spot, taken out of service and resetup automatically, ymmv. > Using chroot is sometimes used as an excuse to leave things UNsafe, for > obvious reasons. Better to fix the underlying issues and have a less complex > system. Less complexity means easier to support, troubleshoot, AND keep > secure. which is why I'm in favour of dropping chroot here. > But let us not minimize the importance of keeping our systems "un-pwned" by > botnet operators. It's not about YOU. It's not about YOUR data. It's about > not allowing your resources to become tools for malicious actors to use > against everyone else. nobody disagrees that the security of our/our users data and systems matter and is of importance to us. thanks nevertheless for putting an emphasis on it. Regards, Daniel
