Subject: postfix, chroot, and rc.d
To: None <netbsd-users@netbsd.org>
From: Cheese Lottery <cheeselottery@gmail.com>
List: netbsd-users
Date: 04/24/2005 10:16:31
I'm using the postfix included with NetBSD-2.0.2 (2.0.19, isn't it?).
I'm looking at running some of the postfix daemons under chroot. I
notice that in /etc/rc.d/postfix , postfix_precmd() copies localtime,
resolv.conf, and services from /etc to /var/spool/postfix/etc, which
is nice. However, as seen here:
http://www.postfix.org/INSTALL.html#hamlet
copying those files is not quite enough. Syslogd has to be configured
to create a log socket inside the chroot directory or some of the
postfix daemons may stop logging if syslogd is restarted (this is what
I understand from reading some mailing list archives; please correct
me if I am wrong).
I see that in /etc/rc.d/syslogd, syslogd_precmd looks for rc.d scripts
that have the 'chrootdir' keyword set to figure out which sockets it
will create. This is how ntpd_chrootdir and named_chrootdir work,
right?
/etc/rc.d/postfix doesn't have the chrootdir keyword, so setting
postfix_chrootdir doesn't work. I added
KEYWORD: chrootdir
to /etc/rc.d/postfix and added
postfix_chrootdir="/var/spool/postfix"
to rc.conf. Restarting syslogd, it seems to create
/var/spool/postfix/var/run/log just fine. Are there any problems with
what I have done? Off the top of my head, postfix_chrootdir doesn't
work like ntpd_chrootdir or named_chrootdir because postfix's
master.cf still needs to be edited in order to run the daemons under
chroot. Since it doesn't "just work," I guess it is not appropriate?
I'm also thinking about just adding to syslogd_flags in rc.conf, since
that works just as well, even if it does not take advantage of
/etc/rc.d/syslogd's magic. I also figure I am less likely to
accidentally wipe out changes to rc.conf than a script under
/etc/rc.d/*
What do you guys think?
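An added example, not part of the message above and not NetBSD's own rc.d code: a small Python script that checks the three things the message touches on, given a master.cf, an rc.conf and a set of rc.d scripts. It lists which master.cf services will actually run chrooted (the chroot column; a '-' there means the master(5) default, which is 'y' before Postfix 3.0 and 'n' from 3.0 on), works out which extra syslogd -p sockets the chrootdir keyword mechanism would yield (a simplified emulation of what the message describes rc.d/syslogd doing, not the real script, and it ignores rcorder ordering), and verifies that a chroot tree has the copied etc files plus a real socket at var/run/log. The master.cf, rc.conf and rc.d snippets are constructed sample data, and all function names are the example's own.

```python
import os
import re
import socket
import stat
import tempfile

YES_VALUES = {"yes", "true", "on", "1"}   # what rc.subr's checkyesno accepts
REQUIRED_COPIES = ("etc/localtime", "etc/resolv.conf", "etc/services")

def chrooted_services(master_cf, default_chroot="y"):
    """Names of master.cf services whose chroot column is 'y'.
    Indented lines are '-o' continuations.  '-' means the default, which
    master(5) documents as 'y' before Postfix 3.0 and 'n' from 3.0 on."""
    names = []
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or line[0].isspace():
            continue
        fields = line.split()   # service type private unpriv chroot wakeup maxproc cmd
        if len(fields) < 8:
            raise ValueError("malformed master.cf line: %r" % line)
        chroot = default_chroot if fields[4] == "-" else fields[4]
        if chroot == "y":
            names.append(fields[0])
    return names

def parse_rc_conf(text):
    """Minimal rc.conf reader: KEY=value, quotes stripped, '#' comments dropped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)=(.*)$", line.split("#", 1)[0].strip())
        if m:
            conf[m.group(1)] = m.group(2).strip().strip("\"'")
    return conf

def syslogd_chroot_flags(rc_conf_text, rcd_scripts):
    """Simplified emulation (not a copy of /etc/rc.d/syslogd) of the mechanism in
    the message: each enabled rc.d script carrying '# KEYWORD: chrootdir' with a
    <name>_chrootdir set in rc.conf needs an extra syslogd socket at <dir>/var/run/log.
    rcd_scripts maps script file name -> script text."""
    conf = parse_rc_conf(rc_conf_text)
    flags = []
    for fname, body in sorted(rcd_scripts.items()):
        kw = re.search(r"^#\s*KEYWORD:\s*(.*)$", body, re.M)
        if not kw or "chrootdir" not in kw.group(1).split():
            continue
        nm = re.search(r"^name=[\"']?(\w+)[\"']?\s*$", body, re.M)
        name = nm.group(1) if nm else fname
        chrootdir = conf.get(name + "_chrootdir", "")
        if conf.get(name, "").lower() in YES_VALUES and chrootdir:
            flags.append("-p " + os.path.join(chrootdir, "var/run/log"))
    return flags

def check_chroot(chrootdir, log_socket="var/run/log"):
    """List problems with a chroot tree; an empty list means it looks ready."""
    problems = ["missing " + rel for rel in REQUIRED_COPIES
                if not os.path.isfile(os.path.join(chrootdir, rel))]
    try:
        if not stat.S_ISSOCK(os.stat(os.path.join(chrootdir, log_socket)).st_mode):
            problems.append(log_socket + " is not a socket")
    except FileNotFoundError:
        problems.append("missing " + log_socket + " (no syslogd -p for this chroot?)")
    return problems

def build_demo_chroot(with_socket=True):
    """Build a throwaway chroot tree under a temp dir (constructed, not real data)."""
    base = tempfile.mkdtemp(prefix="pfx-chroot-")
    os.makedirs(os.path.join(base, "etc"))
    os.makedirs(os.path.join(base, "var", "run"))
    for rel in REQUIRED_COPIES:
        with open(os.path.join(base, rel), "w") as f:
            f.write("# constructed copy of /%s\n" % rel)
    if with_socket:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        s.bind(os.path.join(base, "var", "run", "log"))  # the path survives close()
        s.close()
    return base

# Constructed sample inputs (not taken from any real system).
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
  -o syslog_name=postfix/qmgr
"""
RC_CONF = """\
ntpd=YES
ntpd_chrootdir="/var/chroot/ntpd"
named=NO
named_chrootdir="/var/chroot/named"
postfix=YES
postfix_chrootdir="/var/spool/postfix"   # hand-added, as in the message
"""
RCD_SCRIPTS = {
    "ntpd": '# PROVIDE: ntpd\n# KEYWORD: chrootdir\nname="ntpd"\n',
    "named": '# PROVIDE: named\n# KEYWORD: chrootdir\nname="named"\n',
    "postfix": '# PROVIDE: postfix mail\n# KEYWORD: chrootdir\nname="postfix"\n',
}

if __name__ == "__main__":
    print("chrooted:", chrooted_services(MASTER_CF))
    print("syslogd_flags:", " ".join(syslogd_chroot_flags(RC_CONF, RCD_SCRIPTS)))
    print("problems:", check_chroot(build_demo_chroot()) or "none")
```

With the sample data the flags come out as "-p /var/chroot/ntpd/var/run/log -p /var/spool/postfix/var/run/log" (named is skipped because named=NO), which is exactly what you would append to syslogd_flags in rc.conf if you went the manual route instead of adding the keyword to /etc/rc.d/postfix. The master.cf check is the reminder that the socket alone changes nothing: smtpd and cleanup only run chrooted here because their chroot column is '-' and the pre-3.0 default is 'y'.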