From owner-freebsd-security Mon Apr 20 16:07:21 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA20135 for freebsd-security-outgoing; Mon, 20 Apr 1998 16:07:21 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA20057 for ; Mon, 20 Apr 1998 23:06:55 GMT (envelope-from marcs@znep.com)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.8.7/8.8.7) with UUCP id RAA17994; Mon, 20 Apr 1998 17:06:37 -0600 (MDT)
Received: from localhost (marcs@localhost) by alive.znep.com (8.7.5/8.7.3) with SMTP id RAA29148; Mon, 20 Apr 1998 17:06:44 -0600 (MDT)
Date: Mon, 20 Apr 1998 17:06:44 -0600 (MDT)
From: Marc Slemko
To: Niall Smart
cc: freebsd-security@FreeBSD.ORG
Subject: Re: suid/sgid programs
In-Reply-To: <199804202201.XAA00941@indigo.ie>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Mon, 20 Apr 1998, Niall Smart wrote:

> On Apr 19, 6:25pm, Marc Slemko wrote:
> } Subject: Re: suid/sgid programs
> > On Mon, 20 Apr 1998, Niall Smart wrote:
> >
> > > > > > But if someone can break the uid that lpr runs as then they can probably
> > > > > > break root anyway.
> > > > >
> > > > > How?
> > > >
> > > > Because they then have full access to the queue directory that lpd reads
> > > > from and lpd does run as root so it can access the files people want to
> > > > print.
> > >
> > > lpr can be setuid "lp" so that it can write to the print spool
> > > directory, it has access to the file the user wants to print because
> > > that is its real uid. lpd can be root.wheel 770 and immediately
> > > setuid to "lp" after opening the socket. (Or you could just disable
> > > this silly privileged socket scheme)
> >
> > Not unless you are willing to lose "lpr -s" and the ability to print to
> > remote printers.
>
> lpr hands print jobs for remote printers off to lpd, so it doesn't
> need to be setuid. lpd accepts connections from any port number,
> so the sending lpd doesn't have to stay root so it can open
> connections to remote printers from a privileged port.

FreeBSD lpd may accept such connections, others don't.

> Yes, you lose the ability to lpr -s but security comes at a price,
> and this is a small price IMO. Many people don't even know about
> lpr -s, especially the twits with 16Mb of 32-bit color images
> embedded in their print jobs.
>
> > "this silly privileged socket scheme" may be silly but throwing it out
> > without replacing it isn't the answer.
>
> The replacements, cryptography and credential passing over UNIX
> domain sockets, are ready and willing!

First, that isn't being advocated here. What is being advocated is saying that "oh, it can do everything just as well as some other user so just make it do the same thing as some other user."

Second, life isn't as easy as that. Trying to put cryptography in the base code of any freely available program is difficult, especially in the US, and can seriously limit exportability, usability and compatibility.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
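The startup order Niall proposes for lpd (open the privileged socket while still root, then setuid to "lp" before touching any client data), written out as an added C example; this is not code from lpd or from anyone in the thread. The loopback bind, the getpwnam() lookup of the spool user and the checks that the drop really is irreversible are my own assumptions about how to do the switch safely.

```c
#define _DEFAULT_SOURCE 1   /* exposes setgroups() on glibc */
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a listening TCP socket on the loopback address. Ports below 1024
 * need root, so this must run before privileges are dropped. fd or -1. */
int open_listen_socket(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Drop to uid/gid for good. Groups and gid go first: once the uid is
 * unprivileged, setgroups() and setgid() would fail. 0 on success, -1 on
 * failure, including a drop that could still be reversed. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(1, &gid) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    /* A non-root target must not be able to climb back to root. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;
    return 0;
}

/* lpd-style startup: bind while still root, then become the spool user
 * ("lp" in the thread; assumed account name) before any client is served. */
int start_unprivileged(const char *user, unsigned short port) {
    int fd = open_listen_socket(port);
    if (fd < 0) return -1;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || drop_privileges(pw->pw_uid, pw->pw_gid) < 0) {
        close(fd);
        return -1;
    }
    return fd; /* still bound to the privileged port, no longer root */
}
```

The listening descriptor survives the uid change, so the daemon keeps its low port but any later bug in the request handler only runs with the spool user's rights.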