Bug 586994 - mail-mta/postfix: systemd hardening
Summary: mail-mta/postfix: systemd hardening
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Net-Mail Packages
Keywords: PATCH
Reported: 2016-06-25 04:01 UTC by Craig Andrews
Modified: 2016-08-13 21:04 UTC

Description Craig Andrews gentoo-dev 2016-06-25 04:01:13 UTC
mail-mta/postfix's systemd service, postfix.service, should use systemd's hardening features:
* PrivateTmp=true should be used
* CapabilityBoundingSet= should be set (I haven't determined exactly to what value yet)
* ProtectSystem=full (or at least true)
* PrivateDevices=true
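A small audit script, added here as an example and not part of this bug or the linked Gentoo PR: it parses a unit file (plus any drop-ins, concatenated in systemd's merge order) and rates the four directives listed above, treating ProtectSystem=true as weaker than full just as the report does. The sample unit and the capability list are constructed for illustration; the bug itself leaves the right CapabilityBoundingSet value open.

```python
import re

TRUE_VALUES = {"1", "yes", "true", "on"}
# Constructed, unhardened sample (not Gentoo's actual postfix.service).
BASE_UNIT = """\
[Service]
ExecStart=/usr/sbin/postfix start
ExecStop=/usr/sbin/postfix stop
"""
# Constructed drop-in with the four settings the bug asks for; the capability
# list is illustrative only, the bug leaves the exact set undetermined.
HARDENING_DROPIN = """\
[Service]
PrivateTmp=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_SYS_CHROOT
ProtectSystem=full
PrivateDevices=true
"""


def parse_unit(text):
    """{section: {key: [values]}}; keeps repeated keys, and 'Key=' resets a key."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([\w-]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if value:
                current.setdefault(key, []).append(value)
            else:
                current[key] = []  # systemd semantics: empty assignment clears it
    return sections


def audit_hardening(text):
    """Rate each directive 'ok', 'weak' or 'missing'; pass unit + drop-ins concatenated."""
    svc = parse_unit(text).get("Service", {})
    last = lambda k: svc[k][-1].lower() if svc.get(k) else None
    protect = last("ProtectSystem")
    return {
        "PrivateTmp": "ok" if last("PrivateTmp") in TRUE_VALUES else "missing",
        "CapabilityBoundingSet": "ok" if svc.get("CapabilityBoundingSet") else "missing",
        "ProtectSystem": ("ok" if protect in {"full", "strict"}
                          else "weak" if protect in TRUE_VALUES else "missing"),
        "PrivateDevices": "ok" if last("PrivateDevices") in TRUE_VALUES else "missing",
    }
```

Run it as `audit_hardening(BASE_UNIT + HARDENING_DROPIN)` to see every directive report "ok", and on `BASE_UNIT` alone to see all four reported missing.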
Comment 1 Craig Andrews gentoo-dev 2016-06-27 15:16:59 UTC
https://github.com/gentoo/gentoo/pull/1770
Comment 2 Craig Andrews gentoo-dev 2016-06-27 15:21:39 UTC
BTW, on another note, I feel like upstream should be distributing the systemd service (with distributions free to customize it, of course!) so I've made a mailing list post requesting they do so: https://groups.google.com/d/msg/list.postfix.users/doN4fj9t41Q/9nrz-zYGAgAJ
Comment 3 Eray Aslan gentoo-dev 2016-06-30 05:42:11 UTC
Adding systemd to cc to get their input
Comment 4 Richard Freeman gentoo-dev 2016-06-30 11:14:43 UTC
Obviously the details need to be worked out, but I think it is completely reasonable to have services drop capabilities/etc.  These are all fairly low-risk settings to use from a compatibility standpoint.  I don't think postfix writes to /etc, but that would need to be confirmed.

I'd be happy to do testing of any proposed units.

And I agree with the desire to upstream this - I'd think that anything we do with these settings would work on any distro.
Comment 5 Craig Andrews gentoo-dev 2016-06-30 13:03:24 UTC
(In reply to Richard Freeman from comment #4)
> Obviously the details need to be worked out, but I think it is completely
> reasonable to have services drop capabilities/etc.  These are all fairly
> low-risk settings to use from a compatibility standpoint.  I don't think
> postfix writes to /etc, but that would need to be confirmed.
As far as I can tell in my testing, postfix doesn't write to /etc.
> 
> I'd be happy to do testing of any proposed units.
The unit I proposed is in the PR I linked to in my previous comment 1. Can you please test and merge if it works well for you?
> 
> And I agree with the desire to upstream this - I'd think that anything we do
> with these settings would work on any distro.
I haven't received a response from the mailing list post I made. Is there anyone at Gentoo who is a postfix developer/committee who can add this systemd unit for the long term solution?
Comment 6 Richard Freeman gentoo-dev 2016-07-09 12:53:52 UTC
Ok, I've been testing this for a week on the stable version with no issues.  I can't vouch for ~arch, though I see no reason it wouldn't work there.  Do you want me to go ahead and revbump both for this?
Comment 7 Eray Aslan gentoo-dev 2016-07-13 05:55:02 UTC
(In reply to Richard Freeman from comment #6)
> Do you want me to go ahead and revbump both for this?

Yes, please.
Comment 8 Richard Freeman gentoo-dev 2016-08-13 21:04:40 UTC
merged into gentoo