Drop privileges
Consider the following security measures:
- Drop to a lower account/group
- Enter a chroot environment
Account could be axe-in, axe-group or axe-out, which may be shared with protocols other than SMTP, at least when they also run as isolated, self-supporting filter programs. They need similar resources and are a mere pass-through channel.
Group could use these or the following names, and offer no more permissions than minimally required:
- arpa2in: reads the MTA key for ARPA2 Signed Identities and reads ARPA2 Communication Access
- arpa2out: reads the MTA key for ARPA2 Signed Identities and ??? updates ARPA2 Communication Access
- arpa2group: reads ARPA2 Groups
These groups may also be used in, say, a module for a SIP server like Kamailio. This server needs rights for other purposes and so cannot be used with protocol-agnostic accounts like axe-in.
Chroot would not need the key for ARPA2 Signed Identities; it can be injected from the outside over a file descriptor. It may do the same trick with LMDB access, but that needs more research.
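The two measures above, chroot plus an irrevocable drop to a lower uid/gid, and the key injected over an inherited file descriptor, as an added example in C that is not code from the ARPA2 project; the function names, the fixed-size key buffer and the 0xA5 test key are assumptions made for this illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Read a whole key from a descriptor the parent passed in, so the chroot
 * never needs the key file. Returns bytes read, or -1 on I/O error or when
 * the key does not fit (refuse to truncate a key silently). */
ssize_t read_injected_key(int fd, unsigned char *buf, size_t buflen) {
    size_t got = 0;
    for (;;) {
        if (got == buflen) {                /* buffer full: only fine if at EOF */
            unsigned char extra;
            if (read(fd, &extra, 1) == 0) return (ssize_t) got;
            errno = EMSGSIZE; return -1;
        }
        ssize_t n = read(fd, buf + got, buflen - got);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) return (ssize_t) got;   /* EOF: key complete */
        got += (size_t) n;
    }
}

/* Enter the chroot first (still root), then shed supplementary groups, gid
 * and uid in that order, and verify the drop cannot be undone. */
int drop_privileges(const char *root, uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }  /* never "drop" to root */
    if (root != NULL && (chroot(root) < 0 || chdir("/") < 0)) return -1;
    if (setgroups(1, &gid) < 0) return -1;  /* otherwise old groups linger */
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    if (setuid(0) == 0 || getuid() != uid || getgid() != gid) { errno = EPERM; return -1; }
    return 0;
}

/* Constructed self-check: a 32-byte key pushed through a pipe must come back
 * intact, and an undersized buffer must be refused. Returns 0 on success. */
int key_injection_selftest(void) {
    unsigned char key[32], buf[32], small[16];
    int p[2];
    memset(key, 0xA5, sizeof key);
    if (pipe(p) < 0 || write(p[1], key, sizeof key) != (ssize_t) sizeof key) return -1;
    close(p[1]);
    ssize_t n = read_injected_key(p[0], buf, sizeof buf);
    close(p[0]);
    if (n != 32 || memcmp(key, buf, 32) != 0) return -1;
    if (pipe(p) < 0 || write(p[1], key, sizeof key) != (ssize_t) sizeof key) return -1;
    close(p[1]);
    ssize_t m = read_injected_key(p[0], small, sizeof small);
    close(p[0]);
    return (m == -1) ? 0 : -1;
}
```

The parent opens the key file, forks the filter with the descriptor inherited, and the filter reads it with read_injected_key before or after drop_privileges; either way the jail never contains the key.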