oss-security - Re: Short notes on qmail security guarantee

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Fri, 22 May 2020 19:01:10 +0200
From: Arrigo Triulzi <arrigo@...hemistowl.org>
To: oss-security@...ts.openwall.com
Subject: Re: Short notes on qmail security guarantee

On 22 May 2020, at 17:45, Georgi Guninski <gguninski@...il.com> wrote:
> I am not professional admin, but does postfix require limits?
> Do many widely used daemons need limits?

Well, normally these limits are enforced at the OS level. Depending on your OS of choice there are different ways in which this is done. On BSD-derived systems it is most often in /etc/login.conf via login classes, e.g.:

daemon:\
        :ignorenologin:\
        :datasize=infinity:\
        :maxproc=infinity:\
        :openfiles-max=2048:\
        :openfiles-cur=1024:\
        :stacksize-cur=8M:\
        :localcipher=blowfish,a:\
        :tc=default:

whereby the user under which Postfix runs would be assigned to the daemon class (or, of course, a class which you define with suitable restrictions) and have the limits above (“tc=default” means “inherit what is not explicitly defined above from the “default” class, rest is self-evident, I hope).

Arrigo

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.