> On Feb 25, 2021, at 1:53 PM, Wietse Venema <wie...@porcupine.org> wrote:
>
> Also, fixed-unprivileged mode can make Postfix LESS secure: root
> privileges are used by none of the Postfix programs in your forwarding
> path as they handle email. In fixed-unprivileged mode, a compromised
> Postfix daemon process can corrupt other fixed-unprivileged Postfix
> daemon processes by using ptrace and so on, something that should
> not be possible now because every non-root Postfix daemon process
> switches from root to non-root during process initialization.
Indeed, my one-line mnemonic for this is from a long-ago advertising campaign[1]:

- It takes a tough man to make a tender chicken

Which in this context is intended to remind one that on Posix systems it takes privilege to be able to drop privileges and thereby be able to compartmentalise tasks executed in separate processes. Non-root processes are also sometimes subject to modest default resource limits (file descriptor, child process, ...) that are not necessarily good for a busy, but mostly I/O bound MTA that scales through concurrency.

-- 
Viktor.

[1] https://en.wikipedia.org/wiki/Frank_Perdue#Advertising
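As an added illustration of the point made in this thread (example code, not from the thread and not Postfix's own): the root-to-unprivileged switch a daemon performs at startup, with a check that the switch is irreversible and, on Linux, a report of the dumpable flag that the uid change clears, which is what keeps a same-uid process from ptrace-attaching. The target uid/gid 65534 is an assumed value.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Assumed unprivileged identity for this example; Postfix uses its own account. */
#define DROP_UID 65534
#define DROP_GID 65534

int is_root(void) { return geteuid() == 0; }

/* Switch permanently from root to uid/gid.  Order matters: supplementary
 * groups and the gid go first, because after setuid() the process no longer
 * has the privilege to change them.  Returns 0 on success, -1 when the
 * caller is not root (nothing is changed), -2 when a syscall fails. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (!is_root()) { errno = EPERM; return -1; }
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -2;
    /* The drop must be irreversible: regaining root has to fail now. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -2;
    return 0;
}

/* True when real and effective ids all equal the target identity. */
int running_as(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid && getgid() == gid && getegid() == gid;
}

/* On Linux a uid change resets the dumpable flag, and a non-dumpable process
 * cannot be ptrace-attached by another process of the same uid without
 * CAP_SYS_PTRACE.  Returns 1 if blocked, 0 if attachable, -1 if unknown. */
int ptrace_attach_blocked(void)
{
#ifdef __linux__
    int d = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    return d < 0 ? -1 : (d == 0);
#else
    return -1;
#endif
}

int main(void)
{
    int rc = drop_privileges(DROP_UID, DROP_GID);
    printf("drop_privileges: %d (%s)\n", rc, rc ? strerror(errno) : "ok");
    printf("now uid %u gid %u, same-uid ptrace blocked: %d\n",
           (unsigned) geteuid(), (unsigned) getegid(), ptrace_attach_blocked());
    return rc == 0 ? 0 : 1;
}
```

Run it as root to see the switch succeed and the dumpable flag cleared; run as an ordinary user and it refuses, because there is no privilege to drop.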