Viktor Dukhovni via Postfix-users wrote in
 <zwbf7n98ojo4o...@chardros.imrryr.org>:
 |On Fri, Oct 04, 2024 at 09:23:12PM +0200, Steffen Nurpmeso via Postfix-users wrote:
 |
 |>|For good reasons, Postfix 3.x does not enable chroot by default
 |>|since 10+ years. If a distro maintainer keeps it on, then they own
 |>|the responsibility to inform users of how to solve chroot related
 |>|problems. Please complain to your maintainer.
 |>
 |> (Very easy on Linux by --bind mounting /etc inside the chroot.
 |> This even works in fstab like
 |>   /var/git /var/anongit/git bind bind,ro,nofail 0 0.)
 |
 |Making sure that the mount is definitely read-only, otherwise chroot is
 |pointless.
Actually i was about to say that you can also bind-mount only the
file.  Ie i use iwd(8), which wants config main.conf, which is
bitter unless you create a dedicated directory, whatever, and i
have there

  ...
  [Network]
  NameResolvingService=resolvconf
  ...

and then have my own /root/bin/resolveconf which implements that
protocol, with config

  # v hosts/kent/resolveconf
  NTP_RDATE=vpn.sdaoden.eu
  #NTP_RDATE_INITIAL_ADJTIME=y

and quite messy stuff ie

  # ll /run/.resolvconf.wlp1s0*
  -rw-r--r-- 1 root root  0 Oct  4 23:32 /run/.resolvconf.wlp1s0
  -rw-r--r-- 1 root root 27 Oct  4 23:32 /run/.resolvconf.wlp1s0.dns
  #?0|kent:~# cat /run/.resolvconf.wlp1s0*
  nameserver 192.168.211.200

that then gets joined (some file-lock taken)

  resolv_join_data() {
     cat /run/.resolvconf.*.dns > "${REAL_RESOLV}"
     if [ ! -s "${REAL_RESOLV}" ]; then
        [ -n "${DEBUG}" ] && log "${REAL_RESOLV} empty after joining, cleanup"
        rm -f "${REAL_RESOLV}" /run/.rdate.stamp
     fi
  }

and so it goes

  $ ll /etc/resolv*
  -rw-r--r-- 1 root root 152 Jan 15  2022 /etc/resolv.conf
  -rw-r--r-- 1 root root  27 Oct  4 23:32 /etc/resolv-real.conf
  #?0|kent:ietf$ cat /etc/resolv*
  nameserver 192.168.211.200
  #
  # /etc/resolv.conf: resolver configuration file
  #
  #search <domain.org>
  #nameserver <ip-address>
  options ndots:0
  nameserver 127.0.0.1
  # End of file

What a mess.  But like that *i* *could* mount only the file, ie,
renewing the mount as necessary.

I use that --bind mount approach increasingly often.  Normally the
stuff is then inside a "ip netns" / unshare / whatever container,
which is hopefully a little bit stronger than chroot(2) alone, but
--bind mounting /etc should do no real harm in a chroot(2), unless
the implementation is broken?
The containers btw i then also separate like

  mkdir -m 0755 -p ${rundir} || exit 10
  mount -t tmpfs -o size=1% tmpfs ${rundir} || exit 11
  chown root:${boxuser} ${rundir}
  chmod 0750 ${rundir}
  mkdir -p ${rundir}/root ${rundir}/storage ${rundir}/work || exit 20
  mount -n -t overlay -o upperdir=${rundir}/storage,lowerdir=/,workdir=${rundir}/work \
     overlayfs ${rundir}/root || exit 21
  chmod 0755 ${rundir}/root
  chmod 1777 ${rundir}/root/tmp
  rm -rf \
     ${rundir}/root/boot \
     ${rundir}/root/home \
     ${rundir}/root/media \
     ${rundir}/root/opt \
     ${rundir}/root/root \
     ${rundir}/root/run \
     ${rundir}/root/var
  # devtmpfs fully populates instead, including log socket etc!!
  #mount -n -t devtmpfs dev ${rundir}/root/dev || exit 50
  mount -n -t tmpfs -o nosuid,noexec dev ${rundir}/root/dev || exit 50
  ...
  mkdir ${rundir}/root/dev/pts #|| busybox exit 51
  [ -z "${BUSYBOX}" ] && gid=,gid=tty || gid=
  mount -n -t devpts -o noexec,nosuid${gid},mode=0620 devpts ${rundir}/root/dev/pts || exit 26
  mknod -m 666 ${rundir}/root/dev/tty c 5 0
  mknod -m 666 ${rundir}/root/dev/null c 1 3
  mknod -m 666 ${rundir}/root/dev/zero c 1 5
  mknod -m 666 ${rundir}/root/dev/random c 1 8
  mknod -m 666 ${rundir}/root/dev/urandom c 1 9
  ln -s /proc/self/fd/0 ${rundir}/root/dev/stdin
  ln -s /proc/self/fd/1 ${rundir}/root/dev/stdout
  ln -s /proc/self/fd/2 ${rundir}/root/dev/stderr
  mknod -m 666 ${rundir}/root/dev/ptmx c 5 2
  ...
  if [ ${netns} != priwse ]; then
     ns=$(ip address show ${netns} | awk '/inet/{sub(/\/.+/, "", $2); print $2}')
     [ -z "${ns}" ] && ns=127.0.0.1
     echo 'nameserver '"${ns}" > ${rundir}/root/etc/resolv.conf
  elif [ -f /etc/resolv-real.conf ]; then
     cp /etc/resolv-real.conf ${rundir}/root/etc/resolv.conf
  fi

etc etc.  I do not know, but i no longer use virtual machines except
for testing on some operating systems, and docker and all that is
much too fat, and i would wonder whether that complexity brings
anything compared to the above.  Maybe yes.
But compared to the FreeBSD jail(1) that i mentioned in Linux's
chroot(2) manual, it simply uses a single installation of packages,
which are all up-to-date (as soon as possible), whereas FreeBSD jails
until not so long ago were not automatically updated to the newest
packages, they are completely isolated installations.  It is "now"
better (i had to look what "now" is exactly), but separate they are
still.  Overlay aka null mounts come more into play, and just
recently (and over some time) they fixed quite some bugs in their
unionfs implementation...

My TODO list is super long, and quite some daemons are still not
encapsulated with something like above, .. at all ...

Well --- here this is neither professional nor military grade, in the
end.  But what exactly is bad on --bind mounting /etc when there is
no kernel bug that allows escaping?

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
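An added example, not code from the post or from Postfix: a POSIX shell check for Viktor's point that the bind mount into the chroot must really be read-only, decided from /proc/self/mountinfo rather than from the fstab or mount command line. The mountinfo lines and the /var/spool/postfix paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the mailing list post: decide from /proc/self/mountinfo
# whether a mount point inside a chroot is really read-only.  An "-o ro" given to
# an initial "mount --bind" is silently ignored by older util-linux (newer
# versions issue an extra remount to apply it), so verify rather than assume.
#
# mountinfo fields (proc(5)): id parent maj:min root mountpoint mount-opts
# [optional...] - fstype source sb-opts.  "ro" may sit in the per-mount options
# (a read-only bind of a writable filesystem) or only in the superblock options
# (e.g. a squashfs image shown as "rw" per-mount but "ro" on the superblock);
# either one makes the mount point read-only.  The last matching entry wins,
# since later mounts shadow earlier ones on the same path.

# is_mount_ro MOUNTPOINT [MOUNTINFO_FILE]: 0 = read-only, 1 = writable, 2 = not mounted
is_mount_ro() {
    awk -v mp="$1" '
        $5 == mp {
            found = 1; ro = 0
            n = split($6, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == "ro") ro = 1
            for (sep = 7; sep <= NF; sep++) if ($sep == "-") break
            n = split($(sep + 3), s, ",")
            for (i = 1; i <= n; i++) if (s[i] == "ro") ro = 1
        }
        END { if (!found) exit 2; exit (ro ? 0 : 1) }
    ' "${2:-/proc/self/mountinfo}"
}

# Constructed sample (not a real system): /etc bound writable, /usr bound with a
# per-mount "ro", /lib from a squashfs whose superblock is ro although the bind says rw.
SAMPLE_MOUNTINFO=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTINFO"' EXIT
cat > "$SAMPLE_MOUNTINFO" <<'EOF'
25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
40 25 8:1 /etc /var/spool/postfix/etc rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
41 25 8:1 /usr /var/spool/postfix/usr ro,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
42 25 7:0 / /var/spool/postfix/lib rw,relatime - squashfs /dev/loop0 ro
EOF

# Report every bind mount below the chroot root; a writable one is the finding.
for mp in /var/spool/postfix/etc /var/spool/postfix/usr /var/spool/postfix/lib; do
    if is_mount_ro "$mp" "$SAMPLE_MOUNTINFO"; then
        echo "OK       $mp is read-only"
    else
        echo "WARNING  $mp is writable inside the chroot"
    fi
done
```

Drop the second argument to run it against the live /proc/self/mountinfo of the host, and fix a writable bind with a separate "mount -o remount,bind,ro" before trusting the chroot.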