Postfix Chroot

DJ Lucas dj at linuxfromscratch.org
Tue Apr 1 21:19:51 PDT 2008


Anyone have objections to forcing all chroot capable postfix daemons to 
run chrooted by default?  I believe there is already precedent to do 
this based on other package instructions.  This should probably wait 
till after 6.3 because we are close to release.  The commands to set up 
the environment would be:


{{{
mkdir -p /var/spool/postfix/{etc,lib,usr/lib/zoneinfo} &&
cp -af /etc/{hosts,localtime,nsswitch.conf,passwd,resolv.conf,services} \
     /var/spool/postfix/etc &&
cp -af /lib/lib{nss*,resolv*} \
     /var/spool/postfix/lib &&
cp -af /etc/localtime /var/spool/postfix/usr/lib/zoneinfo
}}}



And to enable chroot for each service - and fix the two that shouldn't 
be modified.  These commands are ugly, so I'm open to better 
suggestions (maybe a forindo or such):


{{{
sed -e "s@       -       n@       -       -@" \
    -e "s@proxymap  unix  -       -       -@proxymap  unix  -       -       n@" \
    -e "s@proxywrite unix -       -       -@proxywrite unix -       -       n@" \
    -i /etc/postfix/master.cf
}}}


Although I'm very confident in the instructions (especially since I just 
tested them on a new box that will replace my existing server), I still 
think it's too close to release for 6.3.  Assuming no objections, I'll 
put these commands (or similar) into the wiki for possible inclusion 
after the release.

-- DJ Lucas
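
An added example, not part of the original post: a shell audit that reads the chroot column (fifth field) of master.cf and confirms that proxymap and proxywrite stay outside the jail after an edit like the one above. The function names are hypothetical, and the meaning of "-" is passed in as an assumption: it meant chrooted in the Postfix releases of 2008, while Postfix 3.0 and later treat it as not chrooted.

```shell
# Added example (not from the original post). Function names are hypothetical.
# $2 in each function is what "-" means in the chroot column:
#   y = Postfix < 3.0 (assumed for this 2008 post), n = Postfix >= 3.0.

# Print "service type chroot|nochroot" for every service entry in master.cf ($1).
chroot_report() {
    awk -v def="${2:-y}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[ \t]/ { next }                    # continuation of the previous entry
        NF >= 8 {
            c = ($5 == "-") ? def : $5
            print $1, $2, (c == "y" ? "chroot" : "nochroot")
        }' "$1"
}

# Count the entries that run chrooted.
chroot_count() {
    chroot_report "$1" "${2:-y}" | awk '$3 == "chroot" { n++ } END { print n + 0 }'
}

# Return 1 if either service the post says must not be modified is chrooted.
check_exempt() {
    bad=$(chroot_report "$1" "${2:-y}" |
          awk '($1 == "proxymap" || $1 == "proxywrite") && $3 == "chroot" { print $1 }')
    if [ -n "$bad" ]; then
        echo "chrooted but must not be: $bad" >&2
        return 1
    fi
    return 0
}

# List the etc files from the post's setup step that are missing under jail root $1.
jail_missing() {
    for f in hosts localtime nsswitch.conf passwd resolv.conf services; do
        [ -e "$1/etc/$f" ] || echo "etc/$f"
    done
}
```

Source the file, then run `chroot_report /etc/postfix/master.cf y` before and after the edit and compare the two listings.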
