Date:      Fri, 14 Apr 1995 08:30:01 -0700
From:      pritc003@maroon.tc.umn.edu
To:        freebsd-bugs
Subject:   bin/342: lpd can allow users access to all of root's groups
Message-ID:  <199504141530.IAA20683@freefall.cdrom.com>
In-Reply-To: Your message of Fri, 14 Apr 1995 10:27:58 -0500 <199504141527.KAA02469@mpp.com>


>Number:         342
>Category:       bin
>Synopsis:       lpd can allow users access to all of root's groups
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs (FreeBSD bugs mailing list)
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 14 08:30:00 1995
>Originator:     Mike Pritchard
>Organization:
>Release:        FreeBSD 2.1.0-Development i386
>Environment:


>Description:

If an /etc/printcap entry is set up to use a filtering program that
allows the user some control over it (e.g. apsfilter), then the user
can run commands as user daemon with all of root's groups.

>How-To-Repeat:

The latest version of apsfilter allows users to create a file
called ~/.apsfilterrc which is then executed by apsfilter anytime
it runs.  During execution, the process is running as daemon with
all of root's groups.  Verify this by adding "id > /tmp/id.aps" as the
first line of the ~/.apsfilterrc file.

>Fix:
	
The following patch fixes lpd to call initgroups() and setgid() to
restrict its group list to daemon's anytime it forks off a command.

This still allows users to run as daemon.daemon, which really isn't
desirable either, but changing it to run the filtering programs as the
user would probably break any filters that depend on being daemon to write
accounting files.  At least this is a start.
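The privilege-drop sequence the patch introduces, written out as an added stand-alone C example (not code from this PR or from lpd) with every step checked and a post-condition check that the patch does not have; MAXG, drop_and_verify() and groups_are_clean() are this example's own names, and the group bound of 256 is an assumption.

```c
#define _GNU_SOURCE             /* glibc hides initgroups()/getgrouplist() without it */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>

#define MAXG 256                /* assumed bound on supplementary groups */

/* Post-condition check: every supplementary gid the process holds must be one
 * `name` is a member of.  1 = clean, 0 = a gid inherited from root remains
 * (e.g. wheel), -1 = lookup failure. */
int groups_are_clean(const char *name, gid_t primary)
{
    gid_t have[MAXG], want[MAXG];
    int nhave, nwant = MAXG, i, j;

    if ((nhave = getgroups(MAXG, have)) < 0 ||
        getgrouplist(name, primary, want, &nwant) < 0)
        return -1;
    for (i = 0; i < nhave; i++) {
        for (j = 0; j < nwant && have[i] != want[j]; j++)
            ;
        if (j == nwant && have[i] != primary)
            return 0;
    }
    return 1;
}

/* What lpd's child should do before exec'ing a filter: drop from root to
 * `uid`, replacing root's groups with the account's, in the only order that
 * works (groups and gid while still privileged, setuid() last), checking
 * every step, then verify.  0 = safe to exec; -1 = a step failed (errno set);
 * 1 = the calls succeeded but a foreign group survived.  Non-zero means _exit(). */
int drop_and_verify(uid_t uid)
{
    struct passwd *pwd;

    errno = 0;
    if ((pwd = getpwuid(uid)) == NULL) {
        if (errno == 0)
            errno = ENOENT;     /* no passwd entry: never proceed as root */
        return -1;
    }
    if (initgroups(pwd->pw_name, pwd->pw_gid) != 0 ||
        setgid(pwd->pw_gid) != 0 || setuid(uid) != 0)
        return -1;
    return groups_are_clean(pwd->pw_name, pwd->pw_gid) == 1 ? 0 : 1;
}
```

Run as root the drop succeeds and the verification must come back clean; run unprivileged, initgroups() fails with EPERM and the caller is told so instead of silently continuing with the parent's groups.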

Apply this patch to /usr/src/usr.sbin/lpr/lpd/printjob.c

*** orig/printjob.c	Fri Apr 14 08:27:42 1995
--- printjob.c	Fri Apr 14 09:22:21 1995
***************
*** 1065,1070 ****
--- 1065,1071 ----
  	int action;
  {
  	register int i, pid;
+ 	struct passwd *pwd;
  
  	for (i = 0; i < 20; i++) {
  		if ((pid = fork()) < 0) {
***************
*** 1074,1081 ****
  		/*
  		 * Child should run as daemon instead of root
  		 */
! 		if (pid == 0)
  			setuid(DU);
  		return(pid);
  	}
  	syslog(LOG_ERR, "can't fork");
--- 1075,1089 ----
  		/*
  		 * Child should run as daemon instead of root
  		 */
! 		if (pid == 0) {
! 			if ((pwd = getpwuid(DU)) == NULL) {
! 				syslog(LOG_ERR, "Can't lookup default uid in password file");
! 				break;
! 			}
! 			initgroups(pwd->pw_name, pwd->pw_gid);
! 			setgid(pwd->pw_gid);
  			setuid(DU);
+ 		}
  		return(pid);
  	}
  	syslog(LOG_ERR, "can't fork");
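Review bot: the `break` after the getpwuid() failure in the new child branch is the wrong exit: it executes in the child, leaves the for loop, logs "can't fork" and returns to the caller still running as root with all of root's groups, which is exactly the condition this patch sets out to remove; the child should `_exit(1)` there instead. In the same branch the return values of initgroups() and setgid() are discarded (as is the pre-existing setuid(DU)), so if either fails the code falls through to setuid(DU) and the filter runs as daemon with root's group list; check each call and exit the child on failure. The ordering itself (initgroups(), setgid(), then setuid()) is correct, since the group changes need the privilege that setuid() gives up.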
>Audit-Trail:
>Unformatted: