Monit should drop supplementary groups

Issue #278 resolved
Gyorgy Demarcsek created an issue

Dear Monit Team,

We have encountered a security-related issue while using Monit. It affects many previous versions, including the latest one.

When monit sets the group id of the child, it should also drop any additional supplementary groups, especially when a group id is specified by the user ("as gid <some_group>"). This is for security reasons: children of monit may inherit the "root" (or other privileged) group that can potentially supply them much wider permissions to resources than the user might have intended.

Please refer to the second chapter of this document: https://www.securecoding.cert.org/confluence/display/c/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges

Another significant use case is, for example, files with ACLs, where supplementary groups are taken into account when the kernel decides whether to grant or deny access.

Could you please consider making sure that monit drops supplementary groups when creating children? I think a good solution would be to do the following on UID change when the child is forked:

  1. Query supplementary groups corresponding to the new UID
  2. Replace the supplementary group set with the one got from the previous step
  3. Set GID
  4. Set UID

Thank you very much in advance!

Cheers, Gyuri
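The four steps proposed in the issue, written out as an added C example; it is not Monit's code and not the reporter's. The function names `query_groups` and `drop_to` are hypothetical, and the code assumes a Linux/glibc-style `getgrouplist()` and `setgroups()`.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* glibc: declare getgrouplist() and setgroups() */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Step 1: group set the account database assigns to uid, gid included.
 * Stores a malloc'd list in *out (caller frees); returns its length or -1. */
int query_groups(uid_t uid, gid_t gid, gid_t **out) {
    struct passwd *pw = getpwuid(uid);
    if (!pw) return -1;                      /* unknown account: fail closed */
    int n = 16;
    gid_t *g = malloc(n * sizeof *g);
    if (!g) return -1;
    if (getgrouplist(pw->pw_name, gid, g, &n) == -1) {
        gid_t *bigger = realloc(g, n * sizeof *g);  /* n now holds the needed size */
        if (!bigger || getgrouplist(pw->pw_name, gid, bigger, &n) == -1) {
            free(bigger ? bigger : g);
            return -1;
        }
        g = bigger;
    }
    *out = g;
    return n;
}

/* Steps 2-4, for the forked child before exec. Groups and GID go first:
 * setgroups() and setgid() need the privilege that setuid() gives up. */
int drop_to(uid_t uid, gid_t gid) {
    gid_t *g = NULL;
    int n = query_groups(uid, gid, &g);
    if (n < 0) return -1;
    int rc = setgroups((size_t)n, g);        /* step 2: replace inherited set */
    free(g);
    if (rc != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1; /* steps 3, 4 */
    if (uid != 0 && setuid(0) == 0) return -1;  /* root must not be regainable */
    return 0;
}

int main(int argc, char **argv) {            /* run as root: ./drop <uid> <gid> */
    if (argc != 3 || drop_to((uid_t)atol(argv[1]), (gid_t)atol(argv[2])) != 0)
        return 1;                            /* drop failed: do not continue */
    printf("uid=%d gid=%d ngroups=%d\n", (int)getuid(), (int)getgid(), getgroups(0, NULL));
    return 0;
}
```

Every call in the sequence is checked, so a failed `setgroups()` or `setgid()` stops the child instead of letting it exec with the parent's groups still attached.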

Comments (4)

  1. Tildeslash repo owner

    fix Issue #278 : Reinitialize supplementary groups in "exec" action when executing as different user. Note: monit 5.15 partially fixed the problem (for "check program"), but the exec action was left intact.

    → <<cset 4005cb121369>>
