On 2023-04-18 10:47 p.m., Adam Thompson wrote:
In a similar vein, is vim unsafe?
Arguably: yes, OMG yes it's unsafe! Yet it's still included in base for the same reason: it's a critical tool for too many people.
And, as if on cue, Canonical just posted Ubuntu Security Notice USN-6026-1 for vim early this morning, listing no fewer than 20 CVEs!
Postfix ticked me off; and I love a good unix-y problem to boot. If you ever find the rationale for the "feature", post it to the list!
No rationale as yet, but it happens in set_ugid.c: https://github.com/vdukhovni/postfix/blob/master/postfix/src/util/set_ugid.c
The dropping-secondary-groups thing was present in postfix-beta-19990122, which I think would have been somewhere just before v0.8. I haven't been able to find any earlier source code, so it's essentially been there forever. And nary a mention in the HISTORY file about why.
The only clue I have is the original name of Postfix, which is IBM's "The Secure Mailer" as documented in that source code file, and irrevocable operations like this are a common "smell" for "secure" programs. I'm in agreement with you here, it seems unhelpful, so hopefully someone else here can explain why secondary groups are *so* bad for security they need to be nuked from orbit?
They may have had users like me in mind, who (over time) need to be added to over 16 separate secondary groups (yeah, I was running into that RPC AUTH_SYS 16-group limit in NFS, long before there was a simple fix). I only need most of these groups for use within interactive shells, and also sometimes via crontab entries (which might also require password-less sudo - yikes!), but probably never for e-mail local delivery agents (where they'd most likely be a bad idea).
Still, Unix/Linux systems are full of "I know the risks"-type exceptions that can be configured into various services, so I'm not sure why this is considered so egregiously bad that postfix couldn't include a configurable option to override the safer default.
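To make the set_ugid.c discussion concrete, here is an added example (my own code, not Postfix's set_ugid.c and not from anyone on this thread) of the same root-to-unprivileged drop sequence, plus the post-condition check a daemon should run afterwards. The `keep_secondary` flag is hypothetical: it models the configurable override the previous message wishes Postfix offered, and exists only to show what such an option would skip. The uid/gid 65534 in `main` is a constructed placeholder for a service account.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Number of supplementary groups other than the effective gid.
 * Returns -1 on error. */
int secondary_group_count(void)
{
    int n = getgroups(0, NULL);
    if (n < 0)
        return -1;
    gid_t *list = calloc((size_t)n + 1, sizeof *list);
    if (list == NULL)
        return -1;
    n = getgroups(n + 1, list);
    if (n < 0) {
        free(list);
        return -1;
    }
    gid_t egid = getegid();
    int count = 0;
    for (int i = 0; i < n; i++)
        if (list[i] != egid)
            count++;
    free(list);
    return count;
}

/* Drop from root to uid/gid. The order matters: the supplementary
 * group list can only be replaced while still root, the gid must be
 * set before the uid, and setuid() goes last so nothing can be undone.
 * keep_secondary is a hypothetical switch for this example only:
 * it leaves the inherited secondary groups in place, which is exactly
 * the behaviour Postfix refuses to offer.
 * Returns 0 on success or -errno on failure. */
int drop_privileges(uid_t uid, gid_t gid, int keep_secondary)
{
    if (!keep_secondary && setgroups(1, &gid) < 0)
        return -errno;
    if (setgid(gid) < 0)
        return -errno;
    if (setuid(uid) < 0)
        return -errno;
    return 0;
}

/* Post-condition check: returns 1 if the process really is uid/gid
 * (real and effective), optionally carries no secondary groups, and
 * cannot climb back to root; 0 otherwise. */
int check_dropped(uid_t uid, gid_t gid, int expect_no_secondary)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (expect_no_secondary && secondary_group_count() != 0)
        return 0;
    /* An unprivileged process must not be able to regain uid 0;
     * if this setuid(0) succeeds, a saved root uid was left behind. */
    if (uid != 0 && setuid(0) == 0)
        return 0;
    return 1;
}

int main(void)
{
    printf("uid=%ld gid=%ld secondary groups=%d\n",
           (long)getuid(), (long)getgid(), secondary_group_count());
    if (getuid() == 0) {
        /* Constructed placeholder ids; substitute the real service account. */
        uid_t uid = 65534;
        gid_t gid = 65534;
        int rc = drop_privileges(uid, gid, 0);
        if (rc != 0) {
            fprintf(stderr, "drop failed: %s\n", strerror(-rc));
            return 1;
        }
        printf("dropped to %ld/%ld: %s\n", (long)uid, (long)gid,
               check_dropped(uid, gid, 1) ? "ok" : "FAILED");
    }
    return 0;
}
```

Run as root to see the full drop and the verification; as an ordinary user `drop_privileges()` returns -EPERM at the setgroups() step, which is itself the point: only root can change the supplementary list, so a daemon that forgets that call while it still has root has no second chance later.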