On 30 Jan 2011, at 18:46 , Victor Duchovni wrote:

> On Mon, Jan 31, 2011 at 08:02:28AM +0530, varad gupta wrote:
>
>> Thanks for all the replies - I now understand the reason for master
>> daemon to run with superuser privileges. They were really helpful.
>>
>> But then, is postfix not running the same risk as "sendmail" ?
>
> No.
>
>> Does it mean, that unless run in a chroot environment, postfix is
>> susceptible to the same risks as sendmail and gives an attacker
>> capability of causing similar damage (despite having a far better
>> system of tasks divided amongst various unprivileged processes
>> designed to perform specific tasks) ?
>
> No.
>
> --
> Viktor.
I don't know how accurate my interpretation is, but the way I see it, Postfix's master process, if hacked, would obviously present a lot of problems. But since it does less, it's also less open to hacks. For example, an empty program that does nothing cannot be hacked or exploited in any way because there is nothing to exploit. By moving most of the functions out of the master process, even if the other processes have flaws, they aren't privileged.

Someone else can feel free to correct me.

Chris
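The pattern Chris describes, a small privileged supervisor that never touches untrusted input itself and unprivileged workers that do the parsing, can be shown in a few lines. The following is an added illustration, not code from this thread or from Postfix: the supervisor forks a worker, the worker drops to the `nobody` account when it happens to be root (account name and the 65534 fallback are assumptions), parses a constructed `MAIL FROM:<...>` line with a deliberately strict toy parser, and reports back over a pipe. A parser failure in the worker reaches the supervisor only as a failure record, never as a crash or as root-level code execution.

```python
import json
import os
import pwd

# Assumed unprivileged account; falls back to the conventional 65534 if absent.
UNPRIVILEGED_USER = "nobody"
FALLBACK_UID_GID = (65534, 65534)


def drop_privileges(target_user=UNPRIVILEGED_USER):
    """Worker side: if running as root, switch to an unprivileged uid/gid.
    Returns the effective uid after the attempt so callers can verify it."""
    if os.geteuid() == 0:
        try:
            pw = pwd.getpwnam(target_user)
            uid, gid = pw.pw_uid, pw.pw_gid
        except KeyError:
            uid, gid = FALLBACK_UID_GID
        os.setgroups([])          # shed supplementary groups first
        os.setgid(gid)            # then the primary group
        os.setuid(uid)            # uid last, or the gid change would fail
    return os.geteuid()


def parse_envelope(raw: bytes) -> dict:
    """Toy parser for a constructed 'MAIL FROM:<local@domain>' line.
    Strict on purpose: malformed input raises instead of being guessed at."""
    line = raw.decode("ascii")
    if not line.startswith("MAIL FROM:<") or not line.endswith(">"):
        raise ValueError("malformed envelope")
    addr = line[len("MAIL FROM:<"):-1]
    local, _, domain = addr.partition("@")
    if not local or not domain:
        raise ValueError("address missing local part or domain")
    return {"local": local, "domain": domain}


def supervise(raw: bytes, target_user=UNPRIVILEGED_USER) -> dict:
    """Supervisor ('master') side: fork a worker to handle the untrusted bytes
    and read back only a small JSON result. The supervisor never parses raw."""
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:
        # Worker: drop privileges, parse, report, and always _exit so no
        # exception can ever unwind into the supervisor's code path.
        os.close(read_end)
        try:
            uid = drop_privileges(target_user)
            result = {"ok": True, "uid": uid, "parsed": parse_envelope(raw)}
        except Exception as exc:  # any worker flaw becomes a failure record
            result = {"ok": False, "uid": os.geteuid(),
                      "error": f"{type(exc).__name__}: {exc}"}
        with os.fdopen(write_end, "w") as out:
            out.write(json.dumps(result))
        os._exit(0)

    # Supervisor: wait for the worker and treat an empty reply as a dead worker.
    os.close(write_end)
    with os.fdopen(read_end) as inp:
        payload = inp.read()
    _, status = os.waitpid(pid, 0)
    if not payload:
        return {"ok": False, "uid": None, "error": f"worker died, status {status}"}
    return json.loads(payload)


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed, two malformed.
    for sample in (b"MAIL FROM:<alice@example.com>",
                   b"MAIL FROM:<no-domain>",
                   b"garbage"):
        print(sample, "->", supervise(sample))
```

The point to take from the result records is the `uid` field: whatever the worker did with the bytes, it did so without root, and the supervisor only ever handled a short JSON string the worker produced.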
