[Mailman-Developers] [Fwd: [ mailman-Bugs-1188133 ] CGI group id not properly tested]

John Dennis jdennis at redhat.com
Sat Apr 23 21:27:43 CEST 2005


On Sat, 2005-04-23 at 06:53 +0900, Tokio Kikuchi wrote:
> Hi Developers,
> 
> There is a rumor that mailman security check is not proper and 
> recommending patch to void our security check.  Can someone write
> a refutation to this article? (In a fluent English of course ;-)

> Bugs item #1188133, was opened at 2005-04-22 15:58
> Message generated for change (Tracker Item Submitted) made by Item Submitter
> You can respond by visiting:
> https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1188133&group_id=103

I believe Geoff Mottram may be confused with how mailman's security
works.

Normally when a process is invoked it is run with the owner and group of
the process that invoked it. It does not execute with the owner and
group belonging to the executable (unless it is setuid or setgid
respectively).

The mailman executable is setgid mailman. This means no matter who runs
it, it will execute with its group set to mailman. Mailman's security is
group based, anything mailman attempts to do will only succeed if the
process attempting to perform the operation is a member of the mailman
group. This is why the mailman "wrapper" is setgid mailman. No matter
who invokes it, it runs as if it were a member of the mailman group (not
the group of process that invoked it). Thus it has permission to perform
mailman operations because it is executing as a member of the mailman
group.

But wait! That means anybody can invoke the mailman wrapper program and
perform mailman operations because the wrapper when it starts to execute
will immediately assume the mailman group identity granting it full
mailman permissions. Thus we need a way to say "only a select set of
trusted processes can invoke me". In other words, if somebody asks me
to run and do mailman operations, do I trust the entity that asked me to
do this? The trust question is answered by identifying the group of the
process that asked me to run, in short, "if you're not a member of a
group I trust I refuse to perform mailman operations".

The group of the process that invoked mailman is the real group, this is
the group that is being validated. If that validity check passes then
all further operations occur under the effective group id of mailman,
which is exactly what we want.

Thus Mr. Mottram has confused the role of the real and effective group
id in the validation check because it is the real group id that
identifies the process that invoked mailman, and it is this id that we
need to validate is a trusted process. If the change he proposes were
implemented, to test the effective id, then the trust question becomes
"if I am me", which is trivially true because of the setgid property,
then the validity check always succeeds no matter who invoked mailman and
all security is defeated.

Note: I have only responded to this list, I have not updated the
original bug posting.

-- 
John Dennis <jdennis at redhat.com>
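As an added illustration of the point in John's reply (this is not code from the thread or from Mailman's own wrapper; the group ids are constructed values), the snippet below models what a setgid wrapper sees at exec time and compares the real-gid check with the proposed effective-gid check:

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed group ids for the demo (not real system values). */
#define MAILMAN_GID 201   /* group the wrapper is setgid to */
#define WEB_GID      33   /* group the CGI/web server runs as: the trusted caller */
#define USER_GID   1000   /* an ordinary, untrusted user */

/* The identities a setgid-mailman wrapper sees when someone runs it. */
struct ids { gid_t real_gid; gid_t effective_gid; };

/* Simulate exec of a setgid binary: the real gid is inherited from the
 * invoker, the effective gid is forced to the file's group. */
struct ids invoke_setgid_wrapper(gid_t invoker_gid) {
    struct ids id = { invoker_gid, MAILMAN_GID };
    return id;
}

/* The check as described in the post: validate the REAL gid, because
 * that is what identifies the process that asked the wrapper to run. */
int trusted_by_real_gid(struct ids id, gid_t trusted_gid) {
    return id.real_gid == trusted_gid;
}

/* The proposed change: validate the EFFECTIVE gid instead. */
int trusted_by_effective_gid(struct ids id, gid_t trusted_gid) {
    return id.effective_gid == trusted_gid;
}

/* Real values for the process running this program, so the reader can
 * compare with `id -g`; the two are identical unless the binary is setgid. */
void print_own_gids(void) {
    printf("real gid=%lu effective gid=%lu\n",
           (unsigned long)getgid(), (unsigned long)getegid());
}

int main(void) {
    struct ids from_web  = invoke_setgid_wrapper(WEB_GID);
    struct ids from_user = invoke_setgid_wrapper(USER_GID);
    printf("real-gid check : web=%d user=%d\n",
           trusted_by_real_gid(from_web, WEB_GID),
           trusted_by_real_gid(from_user, WEB_GID));
    /* With the wrapper's own group as the trusted group, the effective-gid
     * check is "if I am me": it passes for every invoker. */
    printf("egid check     : web=%d user=%d\n",
           trusted_by_effective_gid(from_web, MAILMAN_GID),
           trusted_by_effective_gid(from_user, MAILMAN_GID));
    print_own_gids();
    return 0;
}
```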