On 12/2/11 2:19 PM, Wietse Venema wrote:
> Philip Prindeville:
>> Would it make sense to add a parameter of additional gid's that
>> you want smtpd to retain?
>
> Perhaps you can use a class "inet" socket on 127.0.0.1. That
> will have less impact on the Postfix security architecture.
> With 64k ports, you won't run out of them quickly.
>
> Wietse

Yes, but I'd have to run a customized SELinux policy which I'm trying to avoid. I'm just wondering why the socket can't be opened before the set_ugid() drops the additional groups. That would make life a lot simpler.

-Philip