Ralph Seichter via Postfix-users wrote in
 <87a5i6pesk....@ra.horus-it.com>:
 |* Steffen Nurpmeso:
 |
 |>>I think it is more than "a bit flakey". You ask Wietse to support
 |>>something which introduces a significant security risk.
 |>
 |> Now you exaggerate a bit.
 |
 |Not really, the original example of invoking "iptables" directly
 |requires root privileges. That could be mitigated by using sudo, but
 |this step was not included in the example. Wietse could provide a

Only because spawn explicitly avoids support of root.

 |security wrapper, but why should he bother? The core argument as far as

Well, I mean basically because it is only the fewest syscalls that make
up a difference, and he practically has them because he needs them,
anyway. He "only" does not give admins the possibility to use them.
For example I see "his" set_eugid(), setgroups(), closefrom(), setsid();
he has everything to clean up the environment (src/util/environ.c), he
would only need to add one that throws away most of it. I.e. a slightly
extended variant of his chroot_uid(), to be entered for a specific new
command to be used in combination, i.e. REJECT-EXEC, or DUNNO-EXEC, or
whatever. That is: theoretically.

 |I am concerned is that it is not part of Postfix's responsibilities to
 |trigger external processes when a login error occurs or somebody targets
 |a honeypot address. Postfix writes to a log, and I think that's enough.

For discussion's sake only I disagree. Because in practice he gives away
the responsibility, and requires people to program fully fledged server
applications, each and every one of which needs to understand and
implement the full security dance on its own; in addition each of those
needs to be administrated, aka be driven as a system service, and all of
the time. And this is true even for helper applications which are
satellites of postfix only, and cannot be used for any other purpose,
never.
I.e., *I* could think about starting off in a cleaned environment as root
just in order to be able to do a few things, then do a terminating
sete?*id() (actually I better search for "how to give up all user and
group privileges" first) to give up all privileges.

 |An interested party could hook into syslog, removing the need to scan
 |log files (although the latter is easy enough). That would have the
 |added benefit of also taking care of other software, like Dovecot or
 |OpenLDAP. The analysis I require is not limited to Postfix logs, and I
 |don't think I am alone in this regard.

Where is the difference between parsing the log file and hooking into the
syslog daemon, except for a possible speed improvement as the data is
read at the pipe/socket? Or do you mean syslog(3)? You want to hook into
the C library via LD_PRELOAD, d-oh?? You sneaky thing you!!
Environment cleanup is missing in postfix per se, methinks.

 |> Heck my mailing-lists still use mailman2 and python2 [...]
 |
 |Mailman2 was written for Python 2.x. That is different from people
 |asking me to retroactively add Python 3.6 support for software I wrote
 |for versions >= 3.7.

Ok. Sure. (Also it, I think, is only local.)

Ciao. And good night!

--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
|
| Only during dog days:
| On the 81st anniversary of the Goebbels' Sportpalast speech
| von der Leyen gave an overlong hypocritical inauguration one.
| The brew's essence of our civilizing advancement seems to be:
| Total war - shortest war -> Permanent war - everlasting war
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
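The privilege-surrender sequence Steffen sketches above, written out as an added illustration (this is neither Postfix's code nor code from the thread): start as root only to strip supplementary groups, gid and uid, confirm the drop cannot be undone, then exec the helper with a scrubbed environment. The function names, the exit codes and the PATH value are my own assumptions.

```c
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Irreversibly give up root. Order matters: supplementary groups and the
 * gid must go while we are still root, because after setuid() we lack
 * the privilege to change them. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may call setgroups(); unprivileged callers would get EPERM. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* With root privilege, setgid()/setuid() replace the real, effective
     * and saved ids at once, so no id is left to swap back in later. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop: unless the target is root itself, regaining
     * euid 0 must now fail. */
    if (uid != 0 && (seteuid(0) == 0 || geteuid() == 0))
        return -1;
    return (getuid() == uid && geteuid() == uid
            && getgid() == gid && getegid() == gid) ? 0 : -1;
}

/* Allow-listed environment for the helper: nothing inherited from the
 * daemon (LD_*, locale, HOME, ...) survives the exec. Assumed value. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* fork, drop privileges in the child, then exec with the clean environment.
 * Returns the child's exit status, -1 on fork/wait failure, 126 if the
 * drop failed and 127 if exec failed, so nothing runs unless the drop held. */
int run_unprivileged(char *const argv[], uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(126);
        execve(argv[0], argv, clean_env);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```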