Michael Tokarev via Postfix-users:
> On 17.12.2024 18:14, Wietse Venema via Postfix-users wrote:
> > Did you verify the non-daemon programs, specifically that all
> > features work as promised in sendmail, postdrop, postqueue, postsuper,
> > postmap, postalias, and postcat? Be sure to also test as a non-root
> > and non-postfix user.
> >
> > Did you test the privilege-changing features of local(8), pipe(8)
> > and spawn(8)?
>
> Yes, it all works fine. All dirs need extra ACL to allow root access
> (initially I found only public/ but actually all postfix-owned dirs
> need the same acl since all other daemons try to open things as
> root while cap_dac_override is missing).
>
> Well. It really depends on the context. We don't know which other
> software people run from their .forward etc files. Just dropping
> ability to run setuid programs will break a lot of things, I guess.
>
> I definitely don't plan to implement such more advanced controls
> at this time. We had enough with chroot already (and enough myths
> too).
>
> Though to me, I've no idea how postmap or postdrop or other mentioned
> software could NOT work. It's just the postfix master process and
> all the daemons started by it are running with restricted privs,
> not everything outside of this context.

Fine, so you haven't restricted the scope of local IPC (who can talk
to who).

Just for the record, Postfix requires that a system behaves as defined
in POSIX (and ANSI C). That remains the baseline for what calls are
expected to succeed, and for what calls are expected to fail.

	Wietse
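
Added example, not part of the thread and not Postfix code: a small model of the acl(5) access check, showing why uid 0 without cap_dac_override is refused on postfix-owned directories and why an ACL on public/ alone is not enough. The uid/gid numbers, the directory list and the modes are constructed sample data, and `Dir`, `granted`, `unreachable` and `add_root_acl` are hypothetical names.

```python
from dataclasses import dataclass, field, replace

R, W, X = 4, 2, 1
POSTFIX, POSTDROP = 101, 102        # constructed uid/gid numbers

@dataclass
class Dir:
    name: str
    uid: int
    gid: int
    mode: int                        # base owner/group/other entries
    acl_users: dict = field(default_factory=dict)   # named user entries: uid -> bits
    acl_mask: int = 7                # ACL mask entry

def granted(d, uid, gids):
    """Bits granted by the acl(5) access check when the process holds
    neither CAP_DAC_OVERRIDE nor CAP_DAC_READ_SEARCH."""
    if uid == d.uid:                 # owner class, never masked
        return (d.mode >> 6) & 7
    if uid in d.acl_users:           # named user entry, limited by the mask
        return d.acl_users[uid] & d.acl_mask
    if d.gid in gids:                # owning group, masked once the ACL is extended
        return (d.mode >> 3) & 7 & (d.acl_mask if d.acl_users else 7)
    return d.mode & 7                # other class

def unreachable(dirs, need=X, uid=0, gids=(0,)):
    """Names of directories the given uid cannot search (need=X) or otherwise use."""
    return [d.name for d in dirs if granted(d, uid, gids) & need != need]

def add_root_acl(dirs, names, bits=R | W | X):
    """Model of adding a user:root:rwx entry to the named directories."""
    return [replace(d, acl_users={0: bits}) if d.name in names else d for d in dirs]

# Constructed sample layout; owners and modes are illustrative, not read from a host.
QUEUE = [
    Dir("private", POSTFIX, POSTFIX, 0o700),
    Dir("public", POSTFIX, POSTDROP, 0o710),
    Dir("maildrop", POSTFIX, POSTDROP, 0o730),
    Dir("incoming", POSTFIX, POSTFIX, 0o700),
    Dir("pid", 0, 0, 0o755),
]

if __name__ == "__main__":
    print("no ACL:      ", unreachable(QUEUE))
    print("public only: ", unreachable(add_root_acl(QUEUE, {"public"})))
    owned = {d.name for d in QUEUE if d.uid == POSTFIX}
    print("all owned:   ", unreachable(add_root_acl(QUEUE, owned)))
```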