[RndTbl] "washing" a fork/exec to force all groups
Gilbert Detillieux
Gilbert.Detillieux at umanitoba.ca
Wed Apr 19 10:37:54 CDT 2023
On 2023-04-18 10:47 p.m., Adam Thompson wrote:
>> In a similar vein, is vim unsafe?
>
> Arguably: yes, OMG yes it's unsafe! Yet it's still included in base for the same reason: it's a critical tool for too many people.
And, as if on cue, Canonical just posted Ubuntu Security Notice
USN-6026-1 for vim early this morning, listing no fewer than 20 CVEs!
>> Postfix ticked me
>> off; and I love a good unix-y problem to boot. If you ever find the
>> rationale for the "feature", post it to the list!
>
> No rationale as yet, but it happens in set_ugid.c: https://github.com/vdukhovni/postfix/blob/master/postfix/src/util/set_ugid.c
>
> The dropping-secondary-groups thing was present in postfix-beta-19990122, which I think would have been somewhere just before v0.8. I haven't been able to find any earlier source code, so it's essentially been there forever. And nary a mention in the HISTORY file about why.
>
> The only clue I have is the original name of Postfix, which is IBM's "The Secure Mailer" as documented in that source code file, and irrevocable operations like this are a common "smell" for "secure" programs. I'm in agreement with you here, it seems unhelpful, so hopefully someone else here can explain why secondary groups are *so* bad for security they need to be nuked from orbit?
They may have had users like me in mind, who (over time) need to be
added to over 16 separate secondary groups (yeah, I was running into
that RPC AUTH_SYS 16-group limit in NFS, long before there was a simple
fix). I only need most of these groups for use within interactive
shells, and also sometimes via crontab entries (which might also require
password-less sudo - yikes!), but probably never for e-mail local
delivery agents (where they'd most likely be a bad idea).
Still, Unix/Linux systems are full of "I know the risks"-type exceptions
that can be configured into various services, so I'm not sure why this
is considered so egregiously bad that postfix couldn't include a
configurable option to override the safer default.
--
Gilbert Detillieux E-mail: Gilbert.Detillieux at umanitoba.ca
Computer Science Web: http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba Phone: 204-474-8161
Winnipeg MB CANADA R3T 2N2
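The privilege-drop sequence the thread is discussing (clear supplementary groups, set the primary group, then setuid, all while still root), as an added example written for this post; it is not code from Postfix's set_ugid.c and not from either poster. The `keep_supplementary` flag is a hypothetical stand-in for the configurable override Gilbert wishes Postfix offered; the uid/gid 65534 in `main` is just a constructed sample target.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop from root to (uid, gid). Order matters: setgroups() and setgid() are
 * privileged calls, so they must run before setuid() gives up root.
 * keep_supplementary = 0 reproduces the Postfix behaviour (the supplementary
 * list collapses to the primary gid); keep_supplementary = 1 is the
 * hypothetical "retain secondary groups" option and re-reads /etc/group.
 * Returns 0 on success, -1 with errno set on failure (EPERM when not root). */
int drop_privileges(uid_t uid, gid_t gid, int keep_supplementary)
{
    if (keep_supplementary) {
        struct passwd *pw = getpwuid(uid);
        if (pw == NULL) { errno = ENOENT; return -1; }
        if (initgroups(pw->pw_name, gid) != 0) return -1;
    } else {
        if (setgroups(1, &gid) != 0) return -1;
    }
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the drop is irrevocable: regaining root must now fail. */
    if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

/* How many supplementary groups the calling process currently holds. */
int supplementary_group_count(void)
{
    return getgroups(0, NULL);
}

int main(void)
{
    printf("before: euid=%u, %d supplementary groups\n",
           (unsigned)geteuid(), supplementary_group_count());
    if (drop_privileges(65534, 65534, 0) != 0) {
        perror("drop_privileges");   /* EPERM when not started as root */
        return 1;
    }
    printf("after:  euid=%u, %d supplementary groups\n",
           (unsigned)geteuid(), supplementary_group_count());
    return 0;
}
```

Run it as root to see the supplementary list shrink to one entry; as an unprivileged user the first privileged call fails with EPERM, which is the check a local delivery agent should treat as fatal rather than continue.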