I tried using NoNewPrivileges=yes in my inn package, but then I noticed that the daemon was unable to send emails:
Jun 18 07:59:38 bongo boot[4623]: postdrop: warning: mail_queue_enter: create file maildrop/111862.4636: Permission denied This happens because postdrop is SGID to be able to securely write new emails in the incoming queue: -r-xr-sr-x 1 root postdrop 13636 Mar 2 11:53 /usr/sbin/postdrop drwx-wx--T 2 postfix postdrop 4096 Jun 18 15:31 /var/spool/postfix/maildrop/ There is a different scheme with no sgid programs and a world writeable directory, but it is less secure (it allows some DoS attacks) and I see that we do not support it anymore anyway in Debian. I do not think that Postfix should use the other scheme by default, so it looks like we are stuck with not being able to enable NoNewPrivileges for daemons that (may) need to send emails. Is there any other common similar issue with NoNewPrivileges? -- ciao, Marco
signature.asc
Description: Digital signature
_______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
