Michael Tokarev via Postfix-users:
> 21.12.2024 20:55, Viktor Dukhovni via Postfix-users wrote:
> > On Sat, Dec 21, 2024 at 08:35:29PM +0300, Michael Tokarev via Postfix-users 
> > wrote:
> > 
> >> 21.12.2024 20:15, Michael Tokarev via Postfix-users wrote:
> >>
> >>> plus a few other workarounds for lack of cap-dac-override.
> >>
> >> It looks like it's hardly possible to get away from cap_dac_override,
> >> because it is relied on in a number of other places.  Currently postfix
> >> happily opens non-root-owned maps before chroot_uid() - and these maps
> >> can reside in protected non-root-owned dirs.  That will break with no
> >> cap_dac_override obviously.
> > 
> > This is quite deliberate (a design feature), pipe aliases in non-root
> > owned aliases databases run with the privileges of the alias file owner.
> 
> Sigh.  What I pointed out above has nothing to do with pipe aliases
> expanded by local(8).

Sorry, you mentioned that Postfix happily opens non-root maps,
ignoring that Postfix actually keeps track of ownership where it
can.  Viktor's reference to user-owned local aliases is a response
to that point.

> > I suggest you take a break from high-volume extemporising, and come
> > back with narrow, carefully thought out issues or questions tackled
> > one at a time to a conclusion, with some breaks in between.
> 
> A break from what?
>
> I'm doing a large cleanup of stuff found in the postfix packaging in
> debian, and come here with somewhat minor questions.  This particular
> thread is here because I just wanted to ask if such particular approach
> (adding a new subcommand) is okay or not.

I already said that is OK.

Why are we still here? Because Debian's choice to chroot Postfix
is detrimental.

You raise many good questions that deserve thoughtful discussion
(do a proper analysis, consider the implications, things that
normally precede a decision to implement or not), without getting
distracted by maximalists or other noise.

But this is a bit like a dam has burst at a time that Postfix code is
made ready for the next stable Postfix release early in the year.

> Sure I can take a break, refraining from further questions, and do
> everything the way I can think of, based on my sole experience - if
> there's no interest from the Postfix authors and community in helping
> with the issues we've been dealing with for 25 years due to some old
> decisions made in Debian.

It would be incorrect to claim that there is no interest. If Debian
makes a bad choice (now or in the past) then that is detrimental
to Postfix adoption.

You seem to dislike the suggestion to "just stop doing chroot in
public distributions". I made non-chroot the default 10 years ago
precisely because of all the problems that people were having. It
was just making adoption more difficult without effective benefit
on systems that already have a worse exposure via other services
(such as password-based ssh logins from everywhere, or running an
entire LAMP stack).

Do consider making the Debian distribution non-chroot. I am trying
to improve security by raising the floor, that is, by getting people
to adopt Postfix instead of some other MTA. Trying to appease
maximalists is pointless, because normal people will just replace
Postfix and will use something more convenient instead.

There still is time to make that change in Debian before the next
stable Postfix release.

        Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org