17.12.2024 13:25, Tomasz Pala via Postfix-users wrote:
> On 2024-12-17 06:41, Michael Tokarev via Postfix-users wrote:
>> and repeated mentions about systemd and "real security", I decided to
> Well, to be honest, mantra must be repeated - "it's not about security",
> like nothing is being guaranteed (for various reasons) and "real
> security" must be applied accordingly.

That's why I used "true security" in quotes. Treat it like a joke.
>> I can add cap_dac_override obviously, and everything will Just Work (tm).
>> However this is a rather big capability, and actually, it is *only* needed
>> in the *single* place: where master(8) creates sockets in public/ dir
> How about direct delivery to /var/mail/$user?

I'm not sure I understand. What are you talking about here? Postfix's
local(8) can do direct delivery just fine. If the talk is about invoking
a setgid-mail program from ~/.forward, that one really depends on working
setgid, -- this is where I misunderstood you in previous mail, I thought
you're talking about maildrop the setgid command.
> Disregarding this (e.g. LMTP, virtual mailboxes only) one could try to
> directly start with:
> User=postfix
> AmbientCapabilities=...
> which would make in turn this unnecessary:
>> The actual single *runtime* error is fixed by a simple:
>> setfacl -m user:root:rwx $queue_directory/public

Actually this is not enough, since a few other daemons will try to
access other subdirs as root in a hope root can do anything. All
subdirs with sockets should have this acl entry.
Speaking of User=postfix, this won't work for setuid(), will it?
Anyway. This was just a small experiment. This is a complex topic,
and the correct setup might require big changes, I'm not sure it is
worth the effort. Since Postfix already has excellent process control
and privilege separation implemented internally - carefully crafted
by hand.
Thanks,
/mjt
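The point above, that every queue subdirectory holding sockets needs the root ACL entry, as an added example (this is not code from the thread or from Postfix): a small Python script that walks a queue-directory tree, lists the subdirectories containing UNIX-domain sockets or FIFOs, prints the matching setfacl commands, and checks getfacl(1) output for a root entry whose *effective* rights (after the ACL mask) are really rwx. The directory layout it builds and the getfacl text it parses are constructed samples; the real queue directory path is an assumption passed in by the caller.

```python
import os
import socket
import stat
import tempfile


def socket_dirs(queue_dir):
    """Return sorted paths (relative to queue_dir) of subdirectories that hold
    UNIX-domain sockets or FIFOs.  These are the directories a root-run
    master(8) without cap_dac_override needs an ACL entry for."""
    found = set()
    for dirpath, _dirnames, filenames in os.walk(queue_dir):
        for name in filenames:           # os.walk lists sockets/FIFOs here
            st = os.lstat(os.path.join(dirpath, name))
            if stat.S_ISSOCK(st.st_mode) or stat.S_ISFIFO(st.st_mode):
                found.add(os.path.relpath(dirpath, queue_dir))
    return sorted(found)


def setfacl_commands(queue_dir):
    """The setfacl invocations from the thread, one per socket-holding subdir."""
    return ["setfacl -m user:root:rwx " + os.path.join(queue_dir, d)
            for d in socket_dirs(queue_dir)]


def acl_grants_root_rwx(getfacl_output):
    """Parse getfacl text output; True only if a named-user entry for root
    exists and the mask does not clip any of r, w, x (the mask limits the
    effective rights of named-user entries)."""
    entry = None
    mask = "rwx"                         # no mask line means nothing is clipped
    for line in getfacl_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        if fields[0] == "user" and fields[1] == "root":
            entry = fields[2][:3]
        elif fields[0] == "mask" and fields[1] == "":
            mask = fields[2][:3]
    if entry is None:
        return False
    return all(entry[i] != "-" and mask[i] != "-" for i in range(3))


def build_demo_queue():
    """Constructed sample, not real Postfix data: a throwaway tree with the
    kind of FIFO/socket entries public/ and private/ contain."""
    root = tempfile.mkdtemp(prefix="queue-")
    for sub in ("public", "private", "incoming", "active"):
        os.mkdir(os.path.join(root, sub))
    os.mkfifo(os.path.join(root, "public", "pickup"))       # FIFO
    for sub, name in (("public", "cleanup"), ("private", "smtp")):
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(os.path.join(root, sub, name))               # creates the socket file
        s.close()                                           # file entry persists
    return root


# Constructed getfacl output: the first is fine, the second has a mask that
# silently reduces root's effective rights to r-x.
SAMPLE_GOOD = """# file: public
# owner: postfix
# group: postdrop
user::rwx
user:root:rwx
group::--x
mask::rwx
other::--x
"""

SAMPLE_MASKED = """# file: public
# owner: postfix
# group: postdrop
user::rwx
user:root:rwx
group::--x
mask::r-x
other::--x
"""


if __name__ == "__main__":
    demo = build_demo_queue()
    for cmd in setfacl_commands(demo):
        print(cmd)
    print("good ACL ok:", acl_grants_root_rwx(SAMPLE_GOOD))
    print("masked ACL ok:", acl_grants_root_rwx(SAMPLE_MASKED))
```

The mask check is the part worth keeping in mind: `setfacl -m user:root:rwx` normally recalculates the mask, but a later `chmod` on the directory rewrites the mask from the group bits and can quietly clip root's effective rights again, so verifying with `getfacl` after any permission change is the safer habit.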