So, after the discussion about chroot, and - as it turns out - some people objecting against turning it off, saying it is a useful feature - and repeated mentions about systemd and "real security", I decided to make a little experiment: to try the very first step in this direction.

One of the first things usually done in such cases is to restrict the capabilities of the service which aren't needed. Obviously, postfix does not need the ability to reboot a system (does it not? How about sending a special email which will trigger a reboot?) or to do many other tasks. For its own work, it needs:

 - cap_net_bind_service to be able to bind to privileged ports
 - cap_setuid cap_setgid - to drop root when run from master and for local(8) to run as user
 - cap_sys_chroot to be able to chroot to $queue_directory.

That's it, nothing more. But this very first thing gave me this:

Dec 17 07:26:33 gandalf postfix[1219346]: find: '/var/spool/postfix/active': Permission denied
Dec 17 07:26:33 gandalf postfix[1219346]: find: '/var/spool/postfix/bounce': Permission denied
Dec 17 07:26:33 gandalf postfix[1219346]: find: '/var/spool/postfix/corrupt': Permission denied
Dec 17 07:26:33 gandalf postfix[1219346]: find: '/var/spool/postfix/defer': Permission denied
Dec 17 07:26:33 gandalf postfix[1219346]: find: '/var/spool/postfix/deferred': Permission denied
Dec 17 07:26:33 gandalf postfix[1219346]: find: '/var/spool/postfix/flush': Permission denied
Dec 17 07:26:33 gandalf postfix[1219346]: find: '/var/spool/postfix/hold': Permission denied
Dec 17 07:26:33 gandalf postfix[1219346]: find: '/var/spool/postfix/incoming': Permission denied
Dec 17 07:26:33 gandalf postfix[1219346]: find: '/var/spool/postfix/private': Permission denied
Dec 17 07:26:33 gandalf postfix[1219346]: find: '/var/spool/postfix/public': Permission denied
Dec 17 07:26:33 gandalf postfix[1219346]: find: '/var/spool/postfix/saved': Permission denied
Dec 17 07:26:33 gandalf postfix[1219346]: find: '/var/spool/postfix/trace': Permission denied
Dec 17 07:26:33 gandalf postfix[1219506]: find: 'corrupt': Permission denied
Dec 17 07:26:33 gandalf postfix[1219508]: postfix/postlog: starting the Postfix mail system
Dec 17 07:26:33 gandalf postfix/postfix-script[1219508]: starting the Postfix mail system
Dec 17 07:26:33 gandalf postfix/master[1219510]: warning: master_wakeup_timer_event: service pickup(public/pickup): Permission denied
Dec 17 07:26:33 gandalf postfix/master[1219510]: warning: master_wakeup_timer_event: service qmgr(public/qmgr): Permission denied
Dec 17 07:26:33 gandalf postfix/master[1219510]: daemon started -- version 3.9.1, configuration /etc/postfix

This is a clear lack of cap_dac_override: all these cases are accessing directories owned by the postfix user, with restricted perms, as root, which should normally be allowed access as it has dac_override.

I can add cap_dac_override obviously, and everything will Just Work (tm). However this is a rather big capability, and actually, it is *only* needed in a *single* place: where master(8) creates sockets in the public/ dir (the two last errors). The rest - everything from find(1) above - should be run with full privs anyway, as it requires much more than is needed for normal operations.

So, we've a classical (in such cases) issue: the setup procedure is tightly coupled with the runtime procedure, and setup requires many more privs than runtime. The solution for this would be to split the two. In systemd terms:

ExecStartPre = + postfix check
ExecStart = postfix quick-start
CapabilityBoundingSet = cap_net_bind_service cap_setuid cap_setgid cap_sys_chroot

(note the "+" in the ExecStartPre: this gives full permissions with full capabilities too). Here, `quick-start' is an imaginary thing which omits running postfix-script check-fatal check-warn, exactly like what the $queue_directory/quick-start flag does, since this is already done by ExecStartPre. However, I guess exposing such a "quick-start" option isn't something that is welcome.

The actual single *runtime* error is fixed by a simple:

setfacl -m user:root:rwx $queue_directory/public

to allow the root user to access this directory the same way the owner can do it (without relying on cap_dac_override).

Just for fun, FWIW, etc.
And unlike with many other software, this classical coupling of setup and runtime in postfix is actually very well done.

Thanks,

/mjt
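An added example, not part of the post above: a small Python model of the discretionary access check that root runs into once cap_dac_override is left out of the bounding set, applied to a constructed copy of the queue layout seen in the log. It shows why every find(1) line fails, why only public/ matters at runtime, and that the setfacl fix clears the runtime error while the check step still needs the full-capability ExecStartPre. The uids and the 0700 modes are assumptions, not taken from the post.

```python
# Added example, not from the post: model of the Linux DAC check behind the "Permission denied" lines.
from dataclasses import dataclass, field

R, W, X = 4, 2, 1                                # rwx bits of one permission triplet
ROOT, POSTFIX_UID, POSTFIX_GID = 0, 1001, 1001   # constructed ids (site-specific in reality)
QUEUE = "/var/spool/postfix"
RESTRICTED = {"cap_net_bind_service", "cap_setuid", "cap_setgid", "cap_sys_chroot"}
FULL = RESTRICTED | {"cap_dac_override"}

@dataclass
class Dir:
    path: str
    uid: int
    gid: int
    mode: int                                        # e.g. 0o700
    acl_users: dict = field(default_factory=dict)    # named-user ACL entries: uid -> bits
    acl_mask: int = R | W | X                        # ACL mask caps named-user entries

def dac_allows(d, want, uid, groups, caps):
    """True if a process (uid, groups, caps) may do `want` on directory d; kernel order:
    CAP_DAC_OVERRIDE wins, then owner bits, named-user ACL entry, owning-group bits, other."""
    if "cap_dac_override" in caps:
        return True
    if uid == d.uid:
        granted = (d.mode >> 6) & 7
    elif uid in d.acl_users:
        granted = d.acl_users[uid] & d.acl_mask
    elif d.gid in groups:
        granted = (d.mode >> 3) & 7
    else:
        granted = d.mode & 7
    return granted & want == want

def sample_queue(acl_on_public=False):
    """Constructed layout matching the log: queue dirs owned by postfix, mode 0700."""
    names = ["active", "bounce", "corrupt", "defer", "deferred", "flush", "hold",
             "incoming", "private", "public", "saved", "trace"]
    dirs = [Dir(f"{QUEUE}/{n}", POSTFIX_UID, POSTFIX_GID, 0o700) for n in names]
    if acl_on_public:  # setfacl -m user:root:rwx $queue_directory/public
        dirs[names.index("public")].acl_users[ROOT] = R | W | X
    return dirs

def setup_denied(dirs, caps):
    """Queue dirs that `postfix check` (find running as root) cannot enter and list."""
    return [d.path for d in dirs if not dac_allows(d, R | X, ROOT, {0}, caps)]

def runtime_denied(dirs, caps):
    """Dirs where master(8) cannot create its public/ sockets and fifos (needs w+x)."""
    return [d.path for d in dirs
            if d.path.endswith("/public") and not dac_allows(d, W | X, ROOT, {0}, caps)]
```

With the restricted set and no ACL, all twelve directories are refused to find and public/ is refused to master; after the ACL, only the twelve-minus-one setup failures remain, which is exactly what the "+" on ExecStartPre covers.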