[systemd-devel] NoNewPrivileges and Postfix

Lennart Poettering lennart at poettering.net
Fri Jun 20 04:46:52 PDT 2014


On Wed, 18.06.14 16:07, Marco d'Itri (md at Linux.IT) wrote:

> I tried using NoNewPrivileges=yes in my inn package, but then I noticed 
> that the daemon was unable to send emails:
> 
> Jun 18 07:59:38 bongo boot[4623]: postdrop: warning: mail_queue_enter: create file maildrop/111862.4636: Permission denied
> 
> This happens because postdrop is SGID to be able to securely write new 
> emails in the incoming queue:
> 
> -r-xr-sr-x 1    root postdrop 13636 Mar  2 11:53 /usr/sbin/postdrop
> 
> drwx-wx--T 2 postfix postdrop  4096 Jun 18 15:31 /var/spool/postfix/maildrop/
> 
> There is a different scheme with no sgid programs and a world writeable 
> directory, but it is less secure (it allows some DoS attacks) and I see 
> that we do not support it anymore anyway in Debian.
> 
> I do not think that Postfix should use the other scheme by default, so 
> it looks like we are stuck with not being able to enable NoNewPrivileges 
> for daemons that (may) need to send emails.
> 
> Is there any other common similar issue with NoNewPrivileges?

Well, SUID and SGID binaries are used all over the place. You can use
NNP only if you know you won't end up with any of those in the process
subtree. In some cases this is obvious (for example: doing NNP on cron
would certainly break a ton of user cronjobs), in others it is more
hidden, where packagers and upstream developers need to be careful.

This isn't any different from CapabilityBoundingSet= btw.

Lennart

-- 
Lennart Poettering, Red Hat
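The practical check implied by the thread, as an added example that is not from the list or from Postfix/systemd: before setting NoNewPrivileges=yes on a unit, scan the directories its process tree can exec from for set-uid/set-gid executables, since NNP leaves those running without the extra privilege (the quoted postdrop failure). The directory tree and file names below are constructed for the demo; it assumes a POSIX shell and a find that supports -perm.

```shell
#!/bin/sh
# Added example (not from the thread): report set-uid/set-gid executables under
# the paths a unit's process tree may exec, so a packager can see whether
# NoNewPrivileges=yes would neuter one of them (e.g. an SGID postdrop helper).
# Assumes POSIX sh plus find with -perm; the tree below is a constructed sample.

# find_setid DIR...: print files with the set-uid or set-gid bit, one per line
find_setid() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# count_setid DIR...: number of such files (0 means NNP is safe for this tree)
count_setid() {
    find_setid "$@" | wc -l | tr -d ' '
}

# Constructed demo tree: one plain helper and one SGID "postdrop"-style helper
# with the same mode as the quoted ls output (-r-xr-sr-x).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/sbin"
printf '#!/bin/sh\n' > "$demo_dir/sbin/plain"
printf '#!/bin/sh\n' > "$demo_dir/sbin/postdrop"
chmod 0755 "$demo_dir/sbin/plain"
chmod 2555 "$demo_dir/sbin/postdrop"

if [ "$(count_setid "$demo_dir")" -gt 0 ]; then
    echo "set-id binaries reachable; NoNewPrivileges=yes would break them:"
    find_setid "$demo_dir"
else
    echo "no set-id binaries found; NoNewPrivileges=yes is safe for this tree"
fi
```

Point find_setid at the real directories a unit execs from (and at any helpers those programs spawn, such as the MTA's submission binary) rather than the demo tree; the same scan applies to CapabilityBoundingSet=, which Lennart notes has the same failure mode.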
