Dear Monit Team,
We have encountered a security-related issue while using Monit. It affects many previous versions, including the latest one.
When monit sets the group id of the child, it should also drop any additional supplementary groups, especially when a group id is specified by the user ("as gid <some_group>"). This is for security reasons: children of monit may inherit the "root" (or other privileged) group that can potentially supply them much wider permissions to resources than the user might have intended.
Please refer to the second chapter of this document: https://www.securecoding.cert.org/confluence/display/c/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges
Another significant use case is, for example, files with ACLs, where supplementary groups are taken into account when the kernel decides whether to grant or deny access.
Could you please consider making sure that monit drops supplementary groups when creating children? I think a good solution would be to do the following on UID change when the child is forked:
- Query supplementary groups corresponding to the new UID
- Replace the supplementary group set with the one obtained in the previous step
- Set GID
- Set UID
Thank you very much in advance!
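
The four steps listed in the report, sketched for a forked child on Linux with glibc. This is an added example, not Monit's code and not part of the original report; `query_groups`, `drop_privileges`, `MAX_GROUPS` and the 65534 "nobody" IDs are illustrative assumptions.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* getgrouplist(), setgroups() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 256             /* assumed upper bound for this example */

/* Step 1: supplementary groups of the target UID. The list always contains
 * gid; a UID without a passwd entry gets only gid. Returns count, or -1. */
int query_groups(uid_t uid, gid_t gid, gid_t *out, int cap)
{
    struct passwd *pw = getpwuid(uid);
    int n = cap;
    if (cap < 1) return -1;
    if (pw == NULL) { out[0] = gid; return 1; }
    if (getgrouplist(pw->pw_name, gid, out, &n) == -1) return -1;
    return n;
}

/* Steps 2-4 in the order from the report: groups, then GID, then UID.
 * Must run in the forked child while it still has root privileges. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t groups[MAX_GROUPS];
    int n = query_groups(uid, gid, groups, MAX_GROUPS);
    if (n < 0) return -1;
    if (setgroups((size_t)n, groups) != 0) return -1;  /* replaces inherited set */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify: regaining root must now fail for a non-root target. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

int main(void)
{
    gid_t g[MAX_GROUPS];
    int i, n = query_groups(getuid(), getgid(), g, MAX_GROUPS);
    for (i = 0; i < n; i++) printf("group %ld\n", (long)g[i]);
    if (geteuid() != 0) { puts("not root: skipping drop_privileges()"); return 0; }
    return drop_privileges(65534, 65534) == 0 ? 0 : 1;  /* 65534: assumed 'nobody' */
}
```

Calling `setgroups()` after `setuid()` would fail, because the process no longer has the privilege to change its group set; that is why the UID change comes last.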