16.12.2024 20:55, Michael Tokarev wrote:
> 16.12.2024 20:08, Russ Allbery wrote:
>> So, I wouldn't object to undoing that given upstream's stance, but maybe
>> it would be good to do that in conjunction with adding more hardening to
>> the default configuration with systemd?  systemd-analyze security
>> postfix@- shows a whole lot of things that could potentially be improved
>> in hardening settings, and while a lot of those won't work because of the
>> number of things Postfix needs to be able to do, a lot of them are
>> probably reasonable changes to the defaults if accompanied by instructions
>> for how to turn them off with an override file.  There is some obvious
>> stuff like ProtectSystem, PrivateDevices, or ProtectKernelTunables that
>> seems quite unlikely to break anything.
> Yes, that's a very good suggestion.  I'll definitely take a look at this list.
> It'd be nice to have some helping hand there, too.

I gave it a quick try, attacking capabilities (which is the first thing to do
in such cases).  The result:
https://marc.info/?l=postfix-users&m=173441390930745&w=2 -
it needs an easy small change to decouple setup from runtime.

Dunno yet if it's a good idea to restrict it this way though: maybe someone
does a reboot of their system by sending a special email to a special address
(which is gone now), or maybe someone runs a suid binary from ~/.forward,
or something... but I guess in each such weird case one can add the required
capability locally.

With SystemCallFilter things are much more complex though.

Thanks,

/mjt
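A sketch of the drop-in pair Russ describes (a hardened default plus a local override that turns part of it off), written here as an added illustration; it is not from the Debian postfix packaging, this thread, or systemd's documentation for Postfix. The hardening directives are the ones named above. The capability list is an assumption standing in for whatever the "decouple setup from runtime" change ends up needing, the ReadWritePaths assume Debian's default queue and data directories, and the override re-adds one capability for the kind of installation Michael mentions. SystemCallFilter is left out, as the message says that part is not settled.

```ini
# /etc/systemd/system/postfix@.service.d/hardening.conf
# Added example, not the Debian package's unit. Applies to every postfix@
# instance; run "systemctl daemon-reload" after creating or editing it.
[Service]
# The three settings named in the thread as unlikely to break anything.
# ProtectSystem=strict makes the whole filesystem read-only except /dev,
# /proc and /sys, so the directories Postfix writes must be listed.
# ASSUMPTION: Debian's default queue_directory and data_directory.
ProtectSystem=strict
ReadWritePaths=/var/spool/postfix /var/lib/postfix
PrivateDevices=yes
ProtectKernelTunables=yes
# An empty assignment clears the bounding set; the list that follows is an
# ASSUMED runtime set for illustration, not a verified minimum for Postfix.
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE

# /etc/systemd/system/postfix@-.service.d/local.conf
# Local override for one instance only (the default "-" instance), as an
# admin would create it with "systemctl edit postfix@-.service".
# Drop-ins are applied in lexicographic filename order regardless of
# directory, so "local.conf" is processed after "hardening.conf" above.
# A CapabilityBoundingSet= line without a leading "~" is OR-merged with the
# set already configured, so this adds a capability back without restating
# the whole list. CAP_SYS_BOOT is the reboot-by-mail case from the thread.
[Service]
CapabilityBoundingSet=CAP_SYS_BOOT
```

To check the result, `systemctl show postfix@-.service -p CapabilityBoundingSet` prints the merged set, and rerunning `systemd-analyze security postfix@-.service` shows which findings the drop-in closed and which remain.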