Eduardo is taking a look at this package for the security team and
pointed out that it is doing a setuid to user 'nobody'.
This isn't a safe design. User nobody is strictly for NFS's use and must
not be used by any running processes on the system.
This service probably needs its own user account.
I'm not sure what its goals are by changing to nobody, but we probably also
need to fix the setuid code. (Far better would be to strip the code out and use
systemd's facilities for setting user, group, groups, etc.)
The code currently looks like:
@public
def main(args=None):
parser, args = parseargs(args=args)
if args.setuid: # pragma: nomswin
if pwd is None:
print('Cannot import module "pwd"; try running with -n option.',
file=sys.stderr)
sys.exit(1)
nobody = pwd.getpwnam('nobody').pw_uid
try:
os.setuid(nobody)
except PermissionError:
print('Cannot setuid "nobody"; try running with -n option.',
file=sys.stderr)
sys.exit(1)
The usual practice with changing privs is to set groups, set group, and
then set the user.
I'm a bit curious what the usecase of this tool is -- it also appears to
start a mainloop that will break on keyboard interrupt -- is it meant to
be run in a shell session or something? Why wouldn't it be a daemon? (If
it *is* meant to be run from a terminal, then it also needs to prevent
TIOCSTI use by the processes running with lowered privileges, if that is
indeed why it changed to nobody.)
At a first glance this doesn't feel ready for prime-time.
Thanks
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820212
Title:
[MIR] python-aiosmtpd as dependency of mailman3
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-aiosmtpd/+bug/1820212/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
