On 2024-12-17 06:41, Michael Tokarev via Postfix-users wrote:

> and repeated mentions about systemd and "real security", I decided to

Well, to be honest, the mantra must be repeated: "it's not about security", as nothing is being guaranteed (for various reasons) and "real security" must be applied accordingly. But it is for "defense in depth" and sanitization.

> capabilities of the service which aren't needed. Obviously, postfix
> does not need an ability to reboot a system (does it not? How about
> sending a special email which will trigger a reboot?) or to do many

Permissions to gracefully reboot the system might be granted in polkit via polkit.addAdminRule, allowing reboot.target to be started (and, for example, not allowing shutdown.target). A forceful reboot is a last-resort admin emergency tool (hanging hardware, kernel bugs, a damaged filesystem to recover).

BTW: journalctl --no-hostname for less output to paste.

> I can add cap_dac_override obviously, and everything will Just Work (tm).
> However this is a rather big capability, and actually, it is *only* needed
> in the *single* place: where master(8) creates sockets in public/ dir

How about direct delivery to /var/mail/$user? Disregarding this (e.g. LMTP, virtual mailboxes only), one could try to directly start with:

User=postfix
AmbientCapabilities=...

which would in turn make this unnecessary:

> The actual single *runtime* error is fixed by a simple:
>
> setfacl -m user:root:rwx $queue_directory/public

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
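The polkit idea from the reply above (permit a graceful reboot via reboot.target, refuse shutdown.target and everything else), written out as an added example that is not code from the thread or from Postfix. It uses polkit.addRule with the decision kept in a plain function; the group name `mailadmin` is an assumption, and `unit`/`verb` are the details systemd attaches to its manage-units action.

```javascript
// Added example: a polkit rule that grants members of one group the right to
// start reboot.target (or call logind's reboot), and nothing more. Drop it into
// /etc/polkit-1/rules.d/ as e.g. 40-reboot-only.rules. Group "mailadmin" is a
// placeholder chosen for this example.

var ADMIN_GROUP = "mailadmin";

// Pure decision function so the policy can be exercised outside polkit.
// `details` mirrors action.lookup(): for org.freedesktop.systemd1.manage-units
// systemd supplies "unit" (e.g. "reboot.target") and "verb" (e.g. "start").
// Returns "YES" to allow, or null to fall through to later rules/defaults.
function decideReboot(actionId, details, isInAdminGroup) {
    if (!isInAdminGroup) {
        return null;
    }
    // `systemctl reboot` goes through logind's own action.
    if (actionId === "org.freedesktop.login1.reboot") {
        return "YES";
    }
    // `systemctl start reboot.target` goes through the generic unit action;
    // only the reboot unit is allowed, so shutdown.target stays denied.
    if (actionId === "org.freedesktop.systemd1.manage-units" &&
        details.unit === "reboot.target" &&
        details.verb === "start") {
        return "YES";
    }
    return null;
}

// Register with polkit when running inside its rule engine.
if (typeof polkit !== "undefined") {
    polkit.addRule(function (action, subject) {
        var verdict = decideReboot(
            action.id,
            { unit: action.lookup("unit"), verb: action.lookup("verb") },
            subject.isInGroup(ADMIN_GROUP)
        );
        if (verdict === "YES") {
            return polkit.Result.YES;
        }
        // Returning undefined leaves the decision to the remaining rules.
    });
}

if (typeof module !== "undefined") {
    module.exports = { decideReboot: decideReboot };
}
```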