Monit should drop supplementary groups

Issue #278 resolved
Gyorgy Demarcsek
created an issue

Dear Monit Team,

We have encountered a security related issue while using Monit. It affects many previous versions, including the latest one.

When monit sets the group id of the child, it should also drop any additional supplementary groups, especially when a group id is specified by the user ("as gid <some_group">). This is for security reasons: children of monit may inherit the "root" (or other privileged) group that can potentially supply them much wider permissions to resources than the user might have intended.

Please refer to the second chapter of this document: https://www.securecoding.cert.org/confluence/display/c/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges

Another significant use case is for example, files with ACLs, where supplementary groups are taken into account when the kernel decides whether to grant or deny access.

Could you please consider making sure that monit drops supplementary groups when creating children? I think a good solution would be to do the following on UID change when the child is forked:

  1. Query supplementary groups corresponding to the new UID
  2. Replace the supplementary group set with the one got from the previous step
  3. Set GID
  4. Set UID

Thank you very much in advance!

Cheers, Gyuri

Comments (4)

  1. Tildeslash repo owner

    fix Issue #278 : Reinitialize supplementary groups in "exec" action when executing as different user. Note: monit 5.15 partialy fixed the the problem (for "check program"), but the exec action was left intact.

    → <<cset 4005cb121369>>

  2. Log in to comment