On 10/28/20 11:36 AM, PGNet Dev wrote:
On 10/28/20 11:30 AM, Viktor Dukhovni wrote:
You might start with:
# grep -r NoNewPrivileges /etc/systemd
I couldn't find any direct, relevant postdrop/maildrop or NoNewPrivileges
references, so I chased sendmail usage instances instead.
I have clamav-milter in my milter chain on this box.
My clamav-milter.conf includes
VirusAction /usr/local/etc/clamav/scripts/virus-alert.sh
where that script _does_ invoke sendmail.
I found this process:
ps ax | grep virus
15670 ? S 0:00 /bin/bash
/usr/local/etc/clamav/scripts/virus-alert.sh Sanesecurity.Jurlbl.Auto.85a586.UNOFFICIAL
4DLaEC42Q6z2Q ngocquyen...@gmail.com myu...@example.com Engineer Tee Shirt & Science
Tee Shirt <cabnrqxe7tkmzabnw1av14uj1o5_egdaczdrzu-umk9ezkyo...@mail.gmail.com> Tue,
27 Oct 2020 17:29:06 -0700
hanging around, obviously dealing with a spammy "Engineer Tee Shirt & Science Tee
Shirt" send.
I killed it and verified that the current stream of
warning: mail_queue_enter: create file maildrop/731085.15673:
Permission denied
in the postfix logs indeed stops.
So, seems like a likely bet!
clamav-milter does NOT have the
NoNewPermissions=true
set, and therefore defaults to
NoNewPermissions=false
That 'virus-alert.sh', exec'd via clamav-milter (obviously included in
my postfix config), needs to be given appropriate permissions for sending via
sendmail.postfix.
The question is:
what/where is the correct method, so as NOT to break my postfix security
model in some foolish manner?
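An added diagnostic, not from this thread and not part of Postfix, ClamAV or systemd: it confirms the mechanism the thread is circling, namely that a process whose unit sets NoNewPrivileges=yes carries the kernel no_new_privs flag, under which execve() ignores the setgid bit on Postfix's sendmail(1), so postdrop runs with the caller's group and gets "Permission denied" creating maildrop/ files. Run it against the PID of the stuck virus-alert.sh (15670 in the post) to check the flag for real. Assumptions not stated in the thread: Linux with /proc, sendmail at /usr/sbin/sendmail, and the maildrop group named "postdrop" (both are constants at the top; the sample /proc status text is constructed, not captured from the poster's host).

```python
"""Check whether a mail-submitting process runs with no_new_privs, and whether
sendmail(1) is actually setgid to the maildrop group.  Added example; not code
from the thread, Postfix, ClamAV or systemd."""
import grp
import os
import stat
import sys
from typing import List, Optional

MAILDROP_GROUP = "postdrop"           # assumption: Postfix default maildrop group
SENDMAIL_PATH = "/usr/sbin/sendmail"  # assumption: use sendmail.postfix on RH-style hosts


def no_new_privs_from_status(status_text: str) -> bool:
    """Parse the 'NoNewPrivs:' field of a /proc/<pid>/status dump.

    It reads 1 when PR_SET_NO_NEW_PRIVS is in effect (what systemd's
    NoNewPrivileges=yes does).  With it set, execve() ignores setuid/setgid
    bits, so a setgid-postdrop sendmail cannot gain the group it needs to
    create files in the maildrop/ queue directory.
    """
    for line in status_text.splitlines():
        if line.startswith("NoNewPrivs:"):
            return line.split(":", 1)[1].strip() == "1"
    raise ValueError("no NoNewPrivs field in status (kernel older than 3.5?)")


def process_no_new_privs(pid: int) -> bool:
    """Read the flag for a live process, e.g. the stuck virus-alert.sh."""
    with open(f"/proc/{pid}/status", encoding="ascii") as fh:
        return no_new_privs_from_status(fh.read())


def setgid_group_of(path: str) -> Optional[str]:
    """Return the group name a binary is setgid to, or None if it is not setgid."""
    st = os.stat(path)
    if not st.st_mode & stat.S_ISGID:
        return None
    return grp.getgrgid(st.st_gid).gr_name


def diagnose(no_new_privs: bool, sendmail_sgid_group: Optional[str],
             maildrop_group: str = MAILDROP_GROUP) -> str:
    """Map the two observations to the likely cause of 'maildrop/...: Permission denied'."""
    if sendmail_sgid_group != maildrop_group:
        return (f"sendmail is not setgid {maildrop_group} (got {sendmail_sgid_group!r}); "
                "fix the binary's group and mode first")
    if no_new_privs:
        return ("caller has NoNewPrivs=1: the setgid bit on sendmail is ignored at exec, "
                "so postdrop runs with the caller's group and cannot write maildrop/")
    return "privilege path looks sane; check the mode and group of maildrop/ instead"


# Constructed sample (not captured from the poster's host) of what
# /proc/<pid>/status looks like for a process spawned under NoNewPrivileges=yes.
SAMPLE_STATUS_NNP = """\
Name:\tbash
Umask:\t0022
State:\tS (sleeping)
Pid:\t15670
NoNewPrivs:\t1
Seccomp:\t0
"""


def main(argv: List[str]) -> int:
    pid = int(argv[1]) if len(argv) > 1 else os.getpid()
    try:
        nnp = process_no_new_privs(pid)
        sgid = setgid_group_of(SENDMAIL_PATH)
    except OSError as exc:
        print(f"cannot inspect: {exc}", file=sys.stderr)
        return 2
    print(f"pid {pid}: NoNewPrivs={int(nnp)}, sendmail setgid group={sgid!r}")
    print(diagnose(nnp, sgid))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `python3 nnp_check.py 15670`. If the flag is 1 for the milter's child, the setgid path is closed for every exec below that unit, which is why the failure shows up only in the helper script and not in Postfix itself.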