From owner-freebsd-bugs Fri Apr 14 08:30:02 1995 Return-Path: bugs-owner Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id IAA20690 for bugs-outgoing; Fri, 14 Apr 1995 08:30:02 -0700 Received: (from gnats@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id IAA20683 ; Fri, 14 Apr 1995 08:30:01 -0700 Date: Fri, 14 Apr 1995 08:30:01 -0700 Message-Id: <199504141530.IAA20683@freefall.cdrom.com> From: pritc003@maroon.tc.umn.edu Reply-To: pritc003@maroon.tc.umn.edu To: freebsd-bugs Subject: bin/342: lpd can allow users access to all of root's groups In-Reply-To: Your message of Fri, 14 Apr 1995 10:27:58 -0500 <199504141527.KAA02469@mpp.com> Sender: bugs-owner@FreeBSD.org Precedence: bulk >Number: 342 >Category: bin >Synopsis: lpd can allow users access to all of root's groups >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-bugs (FreeBSD bugs mailing list) >State: open >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Apr 14 08:30:00 1995 >Originator: Mike Pritchard >Organization: >Release: FreeBSD 2.1.0-Development i386 >Environment: >Description: If a /etc/printcap entry is setup to use a filtering program that allows the user some control over it (e.g. apsfilter), then the user can run commands as user daemon with all of root's groups. >How-To-Repeat: The latest version of apsfilter allows users to create a file called ~/.apsfilterrc which is then executed by apsfilter anytime it runs. During execution, the process is running as daemon with all of root's groups. Verify this by adding a "id > /tmp/id.aps" as the first line of the .apsfilterrc file. >Fix: The following patch fixes lpd to call initgroups() and setgid() to restrict its group list anytime it forks off a command. This still allows users to run as daemon.daemon, which really isn't desirable either, but changing it to run the filtering programs as the user would probably break any filters that depend on being daemon to write accounting files. At least this is a start. Apply this patch to /usr/src/usr.sbin/lpr/lpd/printjob.c *** orig/printjob.c Fri Apr 14 08:27:42 1995 --- printjob.c Fri Apr 14 09:22:21 1995 *************** *** 1065,1070 **** --- 1065,1071 ---- int action; { register int i, pid; + struct passwd *pwd; for (i = 0; i < 20; i++) { if ((pid = fork()) < 0) { *************** *** 1074,1081 **** /* * Child should run as daemon instead of root */ ! if (pid == 0) setuid(DU); return(pid); } syslog(LOG_ERR, "can't fork"); --- 1075,1089 ---- /* * Child should run as daemon instead of root */ ! if (pid == 0) { ! if ((pwd = getpwuid(DU)) == NULL) { ! syslog(LOG_ERR, "Can't lookup default uid in password file"); ! break; ! } ! initgroups(pwd->pw_name, pwd->pw_gid); ! setgid(pwd->pw_gid); setuid(DU); + } return(pid); } syslog(LOG_ERR, "can't fork"); >Audit-Trail: >Unformatted: