17.12.2024 00:31, Henrik Ahlgren wrote:
> On Mon, 2024-12-16 at 21:21 +0300, Michael Tokarev wrote:
>> It turns out the reason for this is a myth, which we believed in for
>> 25 years - a myth that "On FreeBSD, chroot is painless, but on Linux,
>> chroot never works and is only suitable for the ones who want pain".
>> Actually, it looks like chroot on Linux is *exactly* the same as on
>> FreeBSD, and the pain level completely depends on which features you
>> use (I mentioned all 3 possible issues in my initial email). It feels
>> like this is the sole source of this opinion.
> I have never heard about such a myth. Perhaps you are referring to the
> FreeBSD jail feature, which obviously is superior to plain chroot.
> chroot(2) is a very simple and ancient Unix mechanism from 1979 and I
> believe it is exactly the same on all Unix/Posix-style systems.
No, we are (me and Wietse, whom I quoted) referring to chroot(2), and
operations within it which might require extra files in the jail (like
the presence of /etc/hosts, /etc/services etc. for host lookups).
> Anyway, systemd's hardening features are so easy and effective that I
> would really like to see not only postfix, but ALL services use them as
> much as possible. Why do we still have major packages like nginx shipping
> without any hardening out-of-the-box?
It is not the case with postfix, which is a service manager internally, -
it is like a small systemd inside, which does its own hardening. But it
does this within POSIX entirely, not adding any extra layers. Parts of
postfix (the service manager and local delivery agent, just to name a
few) need elevated privs, and most other stuff is running with reduced
privs.
It is definitely not a simple task to reduce postfix privileges above
postfix itself, - it will be either too much, so postfix won't do its
work anymore, or it will be just for the sake of doing it, without
actual real gain. For a real solution, postfix needs to be made aware
of - for example - capabilities *inside*, and apply them on a per-
service or per-context basis. Attempts to apply this from outside are
useless.
Thanks,
/mjt