Re: What are the consequences of disabling chroot in all master services?
This is not specific to postfix, but I cannot pass this opportunity to remind/inform people that chroot is itself a potential source of security vulnerabilities: Please enjoy studying this beautiful local privilege escalation bug in FreeBSD's ftpd, which was enabled by chroot jail: https://www.zerodayinitiative.com/blog/2020/12/21/cve-2020-7468-turning-imprisonment-to-advantage-in-the-freebsd-ftpd-chroot-jail > On 2022-12-13 00:17, Wietse Venema wrote: The chroot feature makes post-exploitation of bugs (in Postfix, libraries, etc) more more difficult, because there are fewer things that an attacker can play with. For example no set-uid root programs, no files in /proc, and no file system races against privileged programs. One could argue that containers provide a minimized environment, but that is not necessarily the case. The ones that do minimize sometimes come with crippled libc implementations that introduce problems of their own. By the way it is rude to post html-only email to a mailing list. Wietse
Re: What are the consequences of disabling chroot in all master services?
I apologize for the email being html-only, not my intention. I'm having trouble getting Thunderbird to do this right as I have to manually do this for every outgoing email. Tools > Settings > Composition > Sending Format > (Automatic || Only Plain Text) and Tools > Account Settings > Composition & Addressing > Compose messages in HTML format
Re: What are the consequences of disabling chroot in all master services?
I apologize for the email being html-only, not my intention. I'm having
trouble getting Thunderbird to do this right as I have to manually do
this for every outgoing email.
Can you please elaborate on what you mean with "problems of their own"?
Anything specific comes to mind?
This whole movement to docker is a big set of trade-offs that I'm still
researching.
Best regards,
Sam
On 13/12/2022 3:17 AM, Wietse Venema wrote:
Sam:
[ text/html is unsupported, treating like TEXT/PLAIN ]
?html style="direction: ltr;"?
?head?
?meta http-equiv="content-type" content="text/html; charset=UTF-8"?
?style id="bidiui-paragraph-margins" type="text/css"?body p {
margin-bottom: 0cm; margin-top: 0pt; } ?/style?
?/head?
?body bidimailui-charset-is-forced="true" style="direction: ltr;"?
?p?Dear postfix experts:?/p?
?p??br?
?/p?
?p?While setting up postfix in a docker container, I have been
getting the error "fatal: unknown service: smtp/tcp" when
attempting to send an email. I investigated the issue, and it
seems it has something to do with setting up chroot inside of
docker container?/p?
?p??br?
?/p?
?p??a class="moz-txt-link-freetext"
href="https://serverfault.com/questions/1052329/fatal-unknown-service-smtp-tcp-from-postfix-in-docker-using-start-fg"?https://serverfault.com/questions/1052329/fatal-unknown-service-smtp-tcp-from-postfix-in-docker-using-start-fg?/a??br?
?/p?
?p??br?
?/p?
?p?The easiest solution to this problem was to just disable chroot,
which worked fine. I'm considering disabling chroot for all the
postfix master services. Is this a bad move considering that
postfix is running in a docker container? I would appreciate your
insight into this.?/p?
The chroot feature makes post-exploitation of bugs (in Postfix,
libraries, etc) more more difficult, because there are fewer things
that an attacker can play with. For example no set-uid root programs,
no files in /proc, and no file system races against privileged programs.
One could argue that containers provide a minimized environment,
but that is not necessarily the case. The ones that do minimize
sometimes come with crippled libc implementations that introduce
problems of their own.
By the way it is rude to post html-only email to a mailing list.
Wietse
Re: What are the consequences of disabling chroot in all master services?
Sam:
[ text/html is unsupported, treating like TEXT/PLAIN ]
> ?html style="direction: ltr;"?
> ?head?
>
> ?meta http-equiv="content-type" content="text/html; charset=UTF-8"?
> ?style id="bidiui-paragraph-margins" type="text/css"?body p {
> margin-bottom: 0cm; margin-top: 0pt; } ?/style?
> ?/head?
> ?body bidimailui-charset-is-forced="true" style="direction: ltr;"?
> ?p?Dear postfix experts:?/p?
> ?p??br?
> ?/p?
> ?p?While setting up postfix in a docker container, I have been
> getting the error "fatal: unknown service: smtp/tcp" when
> attempting to send an email. I investigated the issue, and it
> seems it has something to do with setting up chroot inside of
> docker container?/p?
> ?p??br?
> ?/p?
> ?p??a class="moz-txt-link-freetext"
> href="https://serverfault.com/questions/1052329/fatal-unknown-service-smtp-tcp-from-postfix-in-docker-using-start-fg"?https://serverfault.com/questions/1052329/fatal-unknown-service-smtp-tcp-from-postfix-in-docker-using-start-fg?/a??br?
> ?/p?
> ?p??br?
> ?/p?
> ?p?The easiest solution to this problem was to just disable chroot,
> which worked fine. I'm considering disabling chroot for all the
> postfix master services. Is this a bad move considering that
> postfix is running in a docker container? I would appreciate your
> insight into this.?/p?
The chroot feature makes post-exploitation of bugs (in Postfix,
libraries, etc) more more difficult, because there are fewer things
that an attacker can play with. For example no set-uid root programs,
no files in /proc, and no file system races against privileged programs.
One could argue that containers provide a minimized environment,
but that is not necessarily the case. The ones that do minimize
sometimes come with crippled libc implementations that introduce
problems of their own.
By the way it is rude to post html-only email to a mailing list.
Wietse
What are the consequences of disabling chroot in all master services?
Dear postfix experts: While setting up postfix in a docker container, I have been getting the error "fatal: unknown service: smtp/tcp" when attempting to send an email. I investigated the issue, and it seems it has something to do with setting up chroot inside of docker container https://serverfault.com/questions/1052329/fatal-unknown-service-smtp-tcp-from-postfix-in-docker-using-start-fg The easiest solution to this problem was to just disable chroot, which worked fine. I'm considering disabling chroot for all the postfix master services. Is this a bad move considering that postfix is running in a docker container? I would appreciate your insight into this. Best regards, Sam
