On Sat, 2005-04-23 at 06:53 +0900, Tokio Kikuchi wrote:
> Hi Developers,
>
> There is a rumor that mailman security check is not proper and
> recommending patch to void our security check. Can someone write
> a refutation to this article? (In a fluent English of course ;-)
>
> Bugs item #1188133, was opened at 2005-04-22 15:58
> Message generated for change (Tracker Item Submitted) made by Item Submitter
> You can respond by visiting:
> https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1188133&group_id=103

I believe Geoff Mottram may be confused with how mailman's security works.

Normally when a process is invoked it is run with the owner and group of the process that invoked it. It does not execute with the owner and group belonging to the executable (unless it is setuid or setgid respectively). The mailman executable is setgid mailman. This means no matter who runs it, it will execute with its group set to mailman.

Mailman's security is group based, anything mailman attempts to do will only succeed if the process attempting to perform the operation is a member of the mailman group. This is why the mailman "wrapper" is setgid mailman. No matter who invokes it, it runs as if it were a member of the mailman group (not the group of the process that invoked it). Thus it has permission to perform mailman operations because it is executing as a member of the mailman group.

But wait! That means anybody can invoke the mailman wrapper program and perform mailman operations because the wrapper when it starts to execute will immediately assume the mailman group identity granting it full mailman permissions. Thus we need a way to say "only a select set of trusted processes can invoke me". In other words, if somebody asks me to run and do mailman operations, do I trust the entity that asked me to do this? The trust question is answered by identifying the group of the process that asked me to run, in short, "if you're not a member of a group I trust I refuse to perform mailman operations".

The group of the process that invoked mailman is the real group, this is the group that is being validated. If that validity check passes then all further operations occur under the effective group id of mailman, which is exactly what we want.

Thus Mr. Mottram has confused the role of the real and effective group id in the validation check because it is the real group id that identifies the process that invoked mailman, and it is this id that we need to validate is a trusted process. If the change he proposes were implemented, to test the effective id, then the trust question becomes "if I am me", which is trivially true because of the setgid property, then the validity check always succeeds no matter who invoked mailman and all security is defeated.

Note: I have only responded to this list, I have not updated the original bug posting.

--
John Dennis <[EMAIL PROTECTED]>

_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
http://mail.python.org/mailman/listinfo/mailman-developers
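The real versus effective group check described in the message above, as an added example that is not part of the original post and is not Mailman's own wrapper code. The numeric group IDs, the function names and the exact form of the effective-gid test are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed sample IDs (assumptions, not values from the page). */
#define GID_MAILMAN 41   /* group the wrapper binary is setgid to */
#define GID_MAIL    8    /* group of a trusted caller, e.g. the MTA */
#define GID_USERS   100  /* group of an ordinary local user */

static const gid_t trusted_callers[] = { GID_MAIL };

static bool gid_in(gid_t gid, const gid_t *set, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (set[i] == gid)
            return true;
    return false;
}

/* Check described in the message: validate the REAL gid, which is
 * inherited from the invoking process and so identifies the caller. */
bool check_real(gid_t rgid, gid_t egid)
{
    (void)egid; /* set by the setgid bit, says nothing about the caller */
    return gid_in(rgid, trusted_callers,
                  sizeof trusted_callers / sizeof trusted_callers[0]);
}

/* Effective-gid variant (assumed form of the proposed change): in a
 * setgid binary egid is always GID_MAILMAN, so this is "if I am me". */
bool check_effective(gid_t rgid, gid_t egid)
{
    (void)rgid;
    return egid == GID_MAILMAN;
}

int main(void)
{
    /* In a real setgid wrapper these two calls return different values. */
    gid_t rgid = getgid(), egid = getegid();
    printf("real gid %ld, effective gid %ld\n", (long)rgid, (long)egid);
    printf("real-gid check:      %s\n",
           check_real(rgid, egid) ? "allow" : "refuse");
    printf("effective-gid check: %s\n",
           check_effective(rgid, egid) ? "allow" : "refuse");
    return 0;
}
```

With the effective gid fixed at the setgid group, only the real-gid check distinguishes a trusted caller from an arbitrary one.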