Discussion:
Changing Postfix so it can run in an Unprivileged Container
Jon Trossbach
2020-09-14 19:04:20 UTC
tl;dr:
This idea has not been well received in the past but, with the more recent wide-scale adoption of containerization and the fact that containerization appears to fix the concerns with running Postfix in an unprivileged way, I would like to know if there is any significant desire within the Postfix community to be able to run Postfix in an unprivileged way.

Hi all,

In the past, as you can see from this forum post from a while back, changing Postfix to run in an unprivileged way has been generally looked upon as a bad idea:
https://groups.google.com/g/mailing.postfix.users/c/9endMsNCREo

The two main reasons this was considered a bad idea were that running a privileged master process allows Postfix to maintain the following security features:

1) Assume a dedicated user and group ID, to isolate postfix processes
from a large number of attacks by another process on the same system.

2) Revoke Postfix access to a large portion of the file system, to
isolate the system from some attacks by a compromised Postfix.

Please correct me if I am wrong, but both of these concerns seem to be generally addressed by containerization alone. So, if containerization solves the security concerns which led to the design decision to allow the Postfix master process to be run with root privileges: why not have a set of compiler directives which allow Postfix to be compiled without needing the master process to have root privileges, so that it can be run in an unprivileged container? (For security reasons, privileged containers are not recommended for orchestrated container platforms, e.g. Kubernetes.) Also, if this sounds like a good idea, could changes like the ones I am suggesting ever be upstreamed?

I made some ad hoc changes to Postfix myself in the git repo linked below, and local mail delivery appears to be the only functionality which I found to be broken, but my testing strategy was not extensive. Lastly, does anyone have any predictions about what else (if anything) might break from changing Postfix to run unprivileged?
https://github.com/jontrossbach/postfix


Sincerely,
Jon Trossbach
sk
2020-09-20 07:47:05 UTC
Hello Jon,

Root is required for binding port 25 (below 1024). Other spawned processes run as non-root. Anyway, Postfix is a LEGO and you can use other (non-Postfix) parts as you want. I've been using Postfix for more than 20 years and I'm sure that nobody talked about container platforms in the early 2000s.
Thanks,
Stan
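As an added illustration of Stan's point about port 25 (not part of the thread or the Postfix project): a Kubernetes Pod securityContext that keeps the container non-root with all capabilities dropped, yet still lets the process bind port 25 by lowering the per-network-namespace net.ipv4.ip_unprivileged_port_start sysctl, which recent Kubernetes releases accept as a safe sysctl. The pod name, UID, and image are placeholders; the image must contain the chosen UID.

```yaml
# Added example (not from the thread): run a mail container as non-root in
# Kubernetes while still allowing it to bind the privileged SMTP port 25.
apiVersion: v1
kind: Pod
metadata:
  name: postfix-unprivileged          # placeholder name
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001                  # placeholder UID; must exist in the image
    runAsGroup: 10001
    # Namespaced sysctl: inside this pod's network namespace only, every port
    # from 0 upward becomes bindable without CAP_NET_BIND_SERVICE.
    sysctls:
      - name: net.ipv4.ip_unprivileged_port_start
        value: "0"
  containers:
    - name: postfix
      image: example.invalid/postfix:unprivileged   # placeholder image
      ports:
        - containerPort: 25
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false   # setuid binaries cannot regain root
        capabilities:
          drop: ["ALL"]                   # no NET_BIND_SERVICE needed with the sysctl
        readOnlyRootFilesystem: false     # the spool is written; narrow via volumes
      volumeMounts:
        - name: spool
          mountPath: /var/spool/postfix
  volumes:
    - name: spool
      emptyDir: {}
```

What this does not give back is the master's ability to switch each service to its own dedicated UID (point 1 in Jon's post) or to confine services to a restricted part of the filesystem (point 2); in this model those protections have to come from the container boundary itself, which is exactly the trade-off the thread is debating.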