Thanks for all the replies; I now understand the reason for the master daemon to run with superuser privileges. They were really helpful.
But then, is Postfix not running the same risk as "sendmail"? As a student, I was told that sendmail is a single monolithic binary, performing all its functions as superuser; therefore, if an attacker could control the sendmail process, he/she would have superuser access. Does it mean that, unless run in a chroot environment, Postfix is susceptible to the same risks as sendmail and gives an attacker the capability of causing similar damage (despite having a far better system of tasks divided amongst various unprivileged processes designed to perform specific tasks)?

Regards

On Sun, Jan 30, 2011 at 11:47 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:
> On Sun, Jan 30, 2011 at 05:22:39PM +0530, varad gupta wrote:
>
>> Is it not a risk running master as root (the same reason for running
>> other processes as unprivileged) ?
>
> No, quite the opposite. It takes privileges to "drop" privileges. A well
> designed system (such as Postfix) is *more* secure by in part using root
> privileges to enable it to operate in multiple security contexts.
>
> My short maxim for this is indebted to a marketing campaign:
>
> http://en.wikipedia.org/wiki/Frank_Perdue
>
> "it takes a tough man to make a tender chicken"
>
> By which I mean that you sometimes need higher privileges to optimally
> use lower privileges.
>
> --
> Viktor.
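The "it takes privileges to drop privileges" point in the quoted reply, as an added example that is not part of this thread and not Postfix's own code: a master-style process forks a worker, and the worker changes root (optional), sheds its groups, sets its gid and finally its uid before doing any work, then checks that uid 0 cannot be regained. The same function, called from a process that is not root, fails at the first step, which is exactly why the master has to be root. The target identity 65534 ("nobody" on most Linux systems) and the `work` callable are assumptions of the example.

```python
import os
from typing import Optional

# Assumed target identity: uid/gid 65534 is "nobody"/"nogroup" on most Linux
# systems. This is an assumption of the example; adjust for your platform.
UNPRIVILEGED_UID = 65534
UNPRIVILEGED_GID = 65534


def current_uid() -> int:
    return os.getuid()


def drop_privileges(uid: int, gid: int, chroot_dir: Optional[str] = None) -> None:
    """Irreversibly switch the calling process to uid/gid.

    Every step needs root (CAP_SYS_CHROOT, CAP_SETGID, CAP_SETUID): a process
    that is already unprivileged cannot change its identity at all. Order
    matters: chroot and group changes must happen while still root, and
    setuid() comes last because it is the step that closes the door.
    """
    if chroot_dir is not None:
        os.chroot(chroot_dir)
        os.chdir("/")           # do not keep a cwd outside the new root
    os.setgroups([])            # shed supplementary groups (wheel, adm, ...)
    os.setgid(gid)              # primary group; still possible because we are root
    os.setuid(uid)              # real, effective and saved uid all become `uid`
    # Verify the drop cannot be undone: regaining uid 0 must now be refused.
    try:
        os.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("privilege drop is reversible; refusing to continue")


def run_unprivileged(work, uid: int = UNPRIVILEGED_UID,
                     gid: int = UNPRIVILEGED_GID) -> dict:
    """Master-style dispatch: fork, drop privileges in the child, run work().

    The parent keeps its own identity (root, in a real master daemon) so it
    can repeat this for the next request. The child reports over a pipe, so a
    compromise of the worker yields only the unprivileged uid.
    """
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                # child: the "unprivileged worker"
        os.close(r)
        try:
            drop_privileges(uid, gid)
            result = work()
            os.write(w, f"ok uid={os.getuid()} result={result}".encode())
            os._exit(0)
        except PermissionError:     # not root: cannot drop what we do not have
            os.write(w, f"denied uid={os.getuid()}".encode())
            os._exit(1)
        except Exception as exc:    # e.g. uid not mapped in a user namespace
            os.write(w, f"error {exc!r}".encode())
            os._exit(2)
    os.close(w)                 # parent (the "master")
    chunks = []
    while True:
        chunk = os.read(r, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(r)
    _, status = os.waitpid(pid, 0)
    return {
        "master_uid": os.getuid(),
        "child_exit": os.WEXITSTATUS(status),
        "child_report": b"".join(chunks).decode(),
    }


if __name__ == "__main__":
    print(run_unprivileged(lambda: "handled one message"))
```

Run it once as root and once as an ordinary user: as root the worker reports `ok uid=65534` while the master stays uid 0; as a normal user the worker reports `denied`, because `setgroups()` is already refused. The caveat for the original question is what this pattern does not cover: code that runs in the master itself, before the fork and the drop, still executes as root, so the remaining exposure is the size of that root-side code path rather than the whole program.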