Emond Papegaaij:
> Hi all,
>
> We are hardening our services and would like to run postfix as a
> non-root user.

Good luck with that. Postfix is a general-purpose MTA for POSIX
environments and requires privileges for certain operations.

- Opening a privileged network port
- Changing privileges to those of a local recipient
- Revoking file system access (chroot)
- Revoking configuration file write privileges
- Revoking configuration file open privileges (for private keys)

Those are just a few things, off the top of my head.

You could do an experiment with an LD_PRELOADed shared object that
intercepts the problematic getuid() call, and that returns a result
that makes Postfix happy. Then you can see what breaks.

preload.c:

    #include <sys/types.h>
    #include <unistd.h>

    /* Add other calls as needed. */
    uid_t getuid(void)
    {
        return (0);
    }

Commands:

    cc -c -fPIC preload.c
    ld -o preload.so -shared -fPIC preload.o

In the script that invokes the postfix command:

    export LD_PRELOAD=/path/to/preload.so

In /usr/libexec/postfix/postfix-script:

    export LD_PRELOAD=/path/to/preload.so

In /etc/postfix/main.cf:

    import_environment = LD_PRELOAD=/path/to/preload.so ...other vars...

There are currently no plans for a so-called 'fixed-unprivileged mode'
because someone would have to update every affected Postfix feature and
its documentation, and because this mode would need to be supported for
eternity (updated and tested before every release).

Also, fixed-unprivileged mode can make Postfix LESS secure: root
privileges are used by none of the Postfix programs in your forwarding
path as they handle email. In fixed-unprivileged mode, a compromised
Postfix daemon process can corrupt other fixed-unprivileged Postfix
daemon processes by using ptrace and so on, something that should not be
possible now because every non-root Postfix daemon process switches from
root to non-root during process initialization.

	Wietse
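As an added illustration, not part of Wietse's reply: the shim below (assumed file name preload_probe.c) extends the preload.c above to also intercept the privilege-changing calls a non-root process cannot perform, logging each attempt and reporting success so the run continues and the operator can see which root-only operations Postfix relies on.

```c
/* preload_probe.c (assumed name): constructed extension of the getuid()
 * shim from the post, not Wietse's code. Besides claiming to be root, it
 * stubs the privilege-changing calls that an unprivileged process cannot
 * perform, logs each attempt and pretends it succeeded, so the experiment
 * keeps running and the operator can see what Postfix tries next.
 * Build: cc -shared -fPIC -o preload_probe.so preload_probe.c */
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>

/* Number of root-only operations the process has attempted so far. */
static unsigned long probe_attempts;

static void probe_log(const char *op, const char *label, long arg)
{
    probe_attempts++;
    fprintf(stderr, "preload_probe: %s(%s%ld) would need root privileges\n",
            op, label, arg);
}

/* Make Postfix believe it is running as root. */
uid_t getuid(void)  { return 0; }
uid_t geteuid(void) { return 0; }

/* Privilege drops: a non-root process may not switch to another uid/gid,
 * so record the target identity and report success. */
int setuid(uid_t uid)  { probe_log("setuid",  "uid=", (long) uid); return 0; }
int seteuid(uid_t uid) { probe_log("seteuid", "uid=", (long) uid); return 0; }
int setgid(gid_t gid)  { probe_log("setgid",  "gid=", (long) gid); return 0; }
int setegid(gid_t gid) { probe_log("setegid", "gid=", (long) gid); return 0; }

/* chroot(2) is also root-only; record the directory instead of failing. */
int chroot(const char *path)
{
    probe_attempts++;
    fprintf(stderr, "preload_probe: chroot(\"%s\") would need root privileges\n",
            path);
    return 0;
}

/* Accessor for the counter, e.g. to report it from an atexit() handler. */
unsigned long probe_attempt_count(void) { return probe_attempts; }
```

Because the stubs return success, a run under this shim only reveals the next failure point; an operation that silently depends on the dropped privilege (such as a later open() of a root-only file) will still surface as its own error.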