On Sun, Feb 07, 2021 at 03:26:29PM -0500, Alex wrote:

> > Quoting Zathros, "Cannot say. Saying, I would know. Do not know, so
> > cannot say." It all depends upon your use of sudo. One can't say it
> > won't be secure. The devil is in the details.
>
> I figured that if main.cf was owned by root and group writable, the
> regular user would be able to edit it, then use sudo to reload/restart
> when necessary. Apache is running as user "apache" while the php-fpm
> user is "developer". The developer account is not in the same group as
> the apache user.
Any user who can freely modify either main.cf or master.cf is trivially able to get root privileges. As a corollary, any user who should NOT have root privileges should NOT be able to freely modify main.cf or master.cf.

Therefore, the only way to allow non-root users to "tweak" these files is to build carefully controlled templates, that only admit a set of "safe" modifications, with the non-root user able to set some parameters for the template, which are validated by "root" and used as "root" to construct the "safely" modified main.cf and/or master.cf files.

If you really want a different security model, you can run Postfix in a container, with no pipe(8), local(8) or virtual(8) based transports, i.e. all mail delivery via LMTP or SMTP. Then unsafe changes inside the container might only be able to break email delivery, without compromising the external system (assuming the virtualisation stack does not have bugs that enable breaking out of the container).

-- 
Viktor.
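The template approach Viktor describes, as an added example that is not part of the thread and not Postfix's own tooling: a root-run script reads a small "request" file written by the non-root developer, accepts only an allowlisted set of parameters whose values pass strict validators, and renders a main.cf in which every privilege-relevant setting (command_directory, daemon_directory, mail_owner and so on) is fixed in the template. The parameter names are real Postfix parameters; the request-file format, the allowlist and its validators are assumptions chosen for illustration.

```python
import re

# Parameters the non-root developer may set, each with a strict validator.
# This allowlist is constructed for illustration; anything not listed is
# refused outright, so settings such as command_directory, mail_owner or any
# *_command parameter can never reach the generated file.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = rf"{_LABEL}(?:\.{_LABEL})*"
_CIDR = r"(?:\d{1,3}\.){3}\d{1,3}/\d{1,2}"

ALLOWED_PARAMETERS = {
    "myhostname": re.compile(_HOSTNAME),
    "relayhost": re.compile(rf"\[?{_HOSTNAME}\]?(?::\d{{1,5}})?"),
    "mynetworks": re.compile(rf"{_CIDR}(?:[ ,]+{_CIDR})*"),
    "message_size_limit": re.compile(r"\d{1,9}"),
}

# Values used when the request does not mention a parameter (constructed).
DEFAULTS = {
    "myhostname": "localhost.localdomain",
    "relayhost": "",
    "mynetworks": "127.0.0.0/8",
    "message_size_limit": "10240000",
}

# Everything outside the {placeholders} is owned by root and cannot be
# influenced by the developer.
MAIN_CF_TEMPLATE = """\
# main.cf generated by the root-owned template tool; edit the request file instead.
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
inet_interfaces = all
myhostname = {myhostname}
mynetworks = {mynetworks}
relayhost = {relayhost}
message_size_limit = {message_size_limit}
"""


class RejectedParameter(ValueError):
    """Raised when the request names a parameter or value that is not permitted."""


def parse_request(text: str) -> dict:
    """Parse 'name = value' lines; reject unknown names and malformed values."""
    params = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            raise RejectedParameter(f"line {lineno}: expected 'name = value'")
        validator = ALLOWED_PARAMETERS.get(key)
        if validator is None:
            raise RejectedParameter(f"line {lineno}: parameter '{key}' is not permitted")
        # fullmatch plus the printable check rules out continuation lines,
        # embedded newlines and shell-looking junk in the value.
        if not value.isprintable() or not validator.fullmatch(value):
            raise RejectedParameter(f"line {lineno}: invalid value for '{key}'")
        params[key] = value
    return params


def render_main_cf(params: dict) -> str:
    """Fill the root-controlled template with validated parameters."""
    return MAIN_CF_TEMPLATE.format(**{**DEFAULTS, **params})


def build_main_cf(request_text: str) -> str:
    """Validate a request file and return the resulting main.cf text."""
    return render_main_cf(parse_request(request_text))


if __name__ == "__main__":
    import sys
    # Constructed sample request: only allowlisted keys are present.
    sample = "myhostname = mail.example.com\nmessage_size_limit = 20480000\n"
    sys.stdout.write(build_main_cf(sample))
```

In practice root would run this through a narrowly scoped sudo rule, write the output to main.cf and then run `postfix reload`; the developer's only write access is to the request file, and a request that names any parameter outside the allowlist, or a value that fails its validator, is rejected before anything is written.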