[Techtalk] Using Debian Testing (Sarge) on production servers

Devdas Bhagat devdas at dvb.homelinux.org
Sun Mar 7 18:11:14 EST 2004


On 06/03/04 16:58 +1100, Rasjid Wilcox wrote:
<snip>
> There will be no local users, all users are 'virtual' and only exist in a 
> MySQL database.
I personally prefer the firewall type config with Postfix and Cyrus.
Instead of setting virtual_*_maps, set relay_recipient_maps and a
transport_maps entry for the domain talking lmtp directly.

> Postfix can be run chrooted.  In fact, given all the users are 'virtual', I'm 
> not sure that any of the Postfix components that run as root are used.
master will run as root.
From man 8 virtual:
SECURITY
       The virtual delivery agent is not security sensitive, pro-
       vided that the lookup tables with recipient user/group  ID
       information  are adequately protected. This program is not
       designed to run chrooted.

> I think that the saslauthd daemon is the only process involved in the mail 
> process that needs to run as root.
> 
> My biggest concern is actually Apache and PHP.  Can anyone explain why there 
> is always one apache process running as root, while the rest run as 
> 'www-data'?
The Apache parent process, which needs to be root to bind to port 80,
and then chroot and drop privileges.

> My other option is to go with Mandrake or Slackware, or build my own SuSE 
> user-mode-linux image.  My main criteria is that I have reasonably up-to-date 
> packages and easy to get and install security updates that don't cost the 
Gentoo?

Devdas Bhagat
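
The relay-style setup suggested in the reply above, sketched as an added configuration example that is not part of the original post. The domain example.com, the file names, the Cyrus LMTP socket path, and the database, table and column names are all assumptions; the `query` form of the MySQL lookup is the Postfix 2.2 and later syntax (older releases use `table`, `select_field` and `where_field` instead).

```ini
# --- /etc/postfix/main.cf (fragment) ---
# Handle the hosted domain as a relay domain: Postfix filters and forwards,
# Cyrus owns the mailboxes. virtual_mailbox_* / virtual_alias_* stay unset,
# so the virtual(8) delivery agent is never invoked.
relay_domains = example.com

# Valid recipients come from the same MySQL user table. Unknown addresses
# are rejected during the SMTP dialogue instead of being queued and bounced.
relay_recipient_maps = mysql:/etc/postfix/mysql-relay-recipients.cf

# Per-domain next hop.
transport_maps = hash:/etc/postfix/transport

# --- /etc/postfix/transport (run "postmap /etc/postfix/transport") ---
# Hand mail for the domain straight to Cyrus over a local LMTP socket.
# If the lmtp client is chrooted in master.cf, this socket has to be
# reachable inside the chroot; otherwise run that one service unchrooted.
example.com    lmtp:unix:/var/run/cyrus/socket/lmtp

# --- /etc/postfix/mysql-relay-recipients.cf ---
# Contains a credential: owner root, group postfix, mode 0640.
# The database account should hold SELECT on this one table and nothing else.
hosts = 127.0.0.1
user = postfix_ro
password = REPLACE_WITH_REAL_PASSWORD
dbname = mail
query = SELECT 1 FROM mailbox WHERE address = '%s'
```

Running `postmap -q user@example.com mysql:/etc/postfix/mysql-relay-recipients.cf` checks the lookup before mail flows through it.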

