On Mon, 2024-12-16 at 21:21 +0300, Michael Tokarev wrote:
> It turns out the reason for this is a myth, which we believed in for
> 25 years - a myth that "On FreeBSD, chroot is painless, but on Linux,
> chroot never works and is only suitable for the ones who want pain".
> Actually, it looks like, chroot on linux is *exactly* the same as on
> FreeBSD, and the pain level completely depends on which features you
> use (I mentioned all 3 possible issues in my initial email). It feels
> like this is the sole source of this opinion.
I have never heard about such a myth. Perhaps you are referring to the FreeBSD jail feature, which obviously is superior to plain chroot. chroot(2) is a very simple and ancient Unix mechanism from 1979 and I believe it is exactly the same on all Unix/POSIX-style systems. Anyway, systemd's hardening features are so easy and effective that I would really like to see not only postfix, but ALL services use them as much as possible. Why do we still have major packages like nginx shipping without any hardening out-of-the-box?
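As an added illustration of the kind of out-of-the-box hardening the reply asks for (not from this thread, the nginx project or any distribution package), here is a systemd drop-in for nginx. It assumes a Debian-style layout where the master process binds ports 80/443 as root and the workers drop to an unprivileged user; the writable paths and capability set are assumptions to adjust to the actual package.

```ini
# /etc/systemd/system/nginx.service.d/hardening.conf  (added example, not shipped by any package)
# Layers on top of the packaged nginx.service; inspect the result with:
#   systemd-analyze security nginx.service
[Service]
# Private mount namespace with a read-only view of the whole OS (the systemd
# counterpart of the chroot discussion above, minus the library/dev pain)
ProtectSystem=strict
ProtectHome=yes
# nginx still needs to write logs, temp/cache dirs and its pid file;
# these paths are assumed and must match the package's layout
ReadWritePaths=/var/log/nginx /var/lib/nginx /run
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
# The master needs to bind 80/443, switch to the worker user and open
# log files owned by that user; everything else is dropped
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
NoNewPrivileges=yes
RestrictSUIDSGID=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
SystemCallArchitectures=native
# @system-service already contains @setuid and @chown, which the master
# uses to drop privileges; do not additionally filter ~@privileged here
SystemCallFilter=@system-service
# Blocks W+X memory; remove this line if you load JIT-based modules (e.g. LuaJIT)
MemoryDenyWriteExecute=yes
```

After `systemctl daemon-reload` and a restart, a permission denied in the error log almost always means a missing entry in ReadWritePaths or the capability set rather than a problem with the sandboxing itself.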