> You could of course populate:
>
> /var/spool/ccerts//chain.pem

Thanks, that's perfect. Each PHP pool runs as a separate user and that'd
provide equivalent accountability to SO_PEERCRED.
It's never worth it until you get victimized by StealRat or some other
piece of malicious code that b
On Thu, Jul 23, 2020 at 07:36:01PM -0500, Matt Saladna wrote:
> > Replace local submission with some IPC-based mechanism, e.g. SMTP.
>
> If my understanding is correct, submitting via SMTP would require
> credentials then to avoid anonymity of TCP unless there's a specific
> service that would
> Replace local submission with some IPC-based mechanism, e.g. SMTP.

If my understanding is correct, submitting via SMTP would require
credentials then to avoid anonymity of TCP unless there's a specific
service that would work over a UDS so it can pass SO_PEERCRED along to
Postfix.
Is there
On Thu, Jul 23, 2020 at 07:17:19PM -0500, Matt Saladna wrote:
> Bit of a pickle here with systemd in CentOS 8. Certain protective
> directives, such as DynamicUser= or PrivateDevices=yes, implicitly set
> NoNewPrivileges=true (systemd/systemd #12476). In turn that's blocking
> setgid with /usr/