[RndTbl] "washing" a fork/exec to force all groups

Gilbert Detillieux Gilbert.Detillieux at umanitoba.ca
Wed Apr 19 10:37:54 CDT 2023


On 2023-04-18 10:47 p.m., Adam Thompson wrote:
>> In a similar vein, is vim unsafe?
> 
> Arguably: yes, OMG yes it's unsafe!  Yet it's still included in base for the same reason: it's a critical tool for too many people.

And, as if on cue, Canonical just posted Ubuntu Security Notice 
USN-6026-1 for vim early this morning, listing no fewer than 20 CVEs!

>> Postfix ticked me
>> off; and I love a good unix-y problem to boot.  If you ever find the
>> rationale for the "feature", post it to the list!
> 
> No rationale as yet, but it happens in set_ugid.c: https://github.com/vdukhovni/postfix/blob/master/postfix/src/util/set_ugid.c
> 
> The dropping-secondary-groups thing was present in postfix-beta-19990122, which I think would have been somewhere just before v0.8.  I haven't been able to find any earlier source code, so it's essentially been there forever.  And nary a mention in the HISTORY file about why.
> 
> The only clue I have is the original name of Postfix, which is IBM's "The Secure Mailer" as documented in that source code file, and irrevocable operations like this are a common "smell" for "secure" programs.  I'm in agreement with you here, it seems unhelpful, so hopefully someone else here can explain why secondary groups are *so* bad for security they need to be nuked from orbit?

They may have had users like me in mind, who (over time) need to be 
added to over 16 separate secondary groups (yeah, I was running into 
that RPC AUTH_SYS 16-group limit in NFS, long before there was a simple 
fix).  I only need most of these groups for use within interactive 
shells, and also sometimes via crontab entries (which might also require 
password-less sudo - yikes!), but probably never for e-mail local 
delivery agents (where they'd most likely be a bad idea).

Still, Unix/Linux systems are full of "I know the risks"-type exceptions 
that can be configured into various services, so I'm not sure why this 
is considered so egregiously bad that postfix couldn't include a 
configurable option to override the safer default.

-- 
Gilbert Detillieux          E-mail: Gilbert.Detillieux at umanitoba.ca
Computer Science            Web:    http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba      Phone:  204-474-8161
Winnipeg MB CANADA  R3T 2N2
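As an added illustration of the two behaviours the thread contrasts (this is example code written for this page, not code from the thread, from Postfix, or from any poster), the block below puts a set_ugid-style drop next to a "washed" drop that rebuilds the supplementary group list with initgroups(3) before exec, and includes a small pure helper that computes the gid list initgroups would install from /etc/passwd- and /etc/group-format text and flags the RPC AUTH_SYS 16-group limit mentioned above. Assumptions: the passwd/group text is constructed sample data; `drop_like_postfix` uses the conventional setgid/setgroups/setuid order and is only a stand-in for the real set_ugid.c linked earlier in the thread; `wash_and_exec` is a hypothetical wrapper name; the OS-level functions need root (e.g. via sudo, as the crontab remark hints) and are not exercised by the pure helper.

```python
"""Added example: privilege drop with and without supplementary groups,
plus a helper that mirrors what initgroups(3) computes from the group
database. Not part of the original thread or of Postfix."""
import os
import pwd
from typing import List

# NFS with the AUTH_SYS (AUTH_UNIX) flavour carries at most 16 gids per request.
AUTH_SYS_MAX_GROUPS = 16

# Constructed sample data (not from any real system), in /etc/passwd and
# /etc/group format.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "alice:x:1000:100:Alice:/home/alice:/bin/sh\n"
)
SAMPLE_GROUP = (
    "root:x:0:\n"
    "wheel:x:10:alice\n"
    "users:x:100:\n"
    "disk:x:6:root,alice\n"
    "nfs01:x:2001:alice,bob\n"
)


def supplementary_groups(passwd_text: str, group_text: str, user: str) -> List[int]:
    """Build the gid list initgroups(3) would install for `user`: the primary
    gid from the passwd entry first, then every group whose member list names
    the user, in file order, without duplicates."""
    primary = None
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] == user:
            primary = int(fields[3])
            break
    if primary is None:
        raise KeyError(f"no passwd entry for {user!r}")
    gids = [primary]
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _name, _pw, gid, members = line.split(":", 3)
        if user in members.split(",") and int(gid) not in gids:
            gids.append(int(gid))
    return gids


def exceeds_auth_sys_limit(gids: List[int]) -> bool:
    """True when an NFS server using AUTH_SYS would not see all of these gids."""
    return len(gids) > AUTH_SYS_MAX_GROUPS


def drop_like_postfix(uid: int, gid: int) -> None:
    """Irrevocable drop in the spirit of set_ugid.c (stand-in, not the real
    code): the supplementary list is replaced by the single target gid, so
    whatever is exec'd afterwards never sees the user's other groups.
    Needs root."""
    os.setgid(gid)
    os.setgroups([gid])
    os.setuid(uid)


def drop_keeping_groups(user: str, uid: int, gid: int) -> None:
    """The "washing" alternative: rebuild the full supplementary list from the
    group database before giving up root. Needs root."""
    os.initgroups(user, gid)  # setgroups() with every group that lists `user`
    os.setgid(gid)
    os.setuid(uid)


def wash_and_exec(user: str, argv: List[str]) -> None:
    """Hypothetical wrapper: run `argv` as `user` with all of the user's
    groups. Must be started with root privilege (for example via sudo),
    because only root may call initgroups/setgroups. Never returns on
    success."""
    pw = pwd.getpwnam(user)
    drop_keeping_groups(user, pw.pw_uid, pw.pw_gid)
    os.execvp(argv[0], argv)


if __name__ == "__main__":
    gids = supplementary_groups(SAMPLE_PASSWD, SAMPLE_GROUP, "alice")
    print("alice would get gids", gids,
          "(over the AUTH_SYS limit)" if exceeds_auth_sys_limit(gids) else "")
    print("this process currently has", os.getgroups())
```

The pure helper is what makes the difference visible without root: after `drop_like_postfix` a child process has exactly one gid, whereas `drop_keeping_groups` hands it the same list `supplementary_groups` computes, which is also the list that can overflow the 16-entry AUTH_SYS limit on an NFS mount.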
