From owner-freebsd-stable Thu Dec 9 15:19:09 1999
Delivered-To: freebsd-stable@freebsd.org
Received: from mail.rpi.edu (mail.rpi.edu [128.113.100.7]) by hub.freebsd.org (Postfix) with ESMTP id 3D64F1575B for ; Thu, 9 Dec 1999 15:19:04 -0800 (PST) (envelope-from drosih@rpi.edu)
Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id SAA81926; Thu, 9 Dec 1999 18:18:55 -0500
Mime-Version: 1.0
X-Sender: drosih@mail.rpi.edu
Date: Thu, 9 Dec 1999 18:24:45 -0500
To: Alfred Perlstein, Andre Albsmeier
From: Garance A Drosihn
Subject: Re: NO! Re: [PATCHES] Two fixes for lpd/lpc for review and test
Cc: Warner Losh, stable@FreeBSD.ORG
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Note: I'm sending this to just the -current list, since it's pretty
clear that this change won't be ready for -stable anytime this year...
(hopefully Alfred is in -current?)

At 3:02 PM -0800 12/9/99, Alfred Perlstein wrote:
>On Thu, 9 Dec 1999, Andre Albsmeier wrote:
>
> > On Tue, 07-Dec-1999 at 14:55:37 -0800, Alfred Perlstein wrote:
> > > please do not, the patch in PR 11997 introduces a major security flaw.
> > >
> > > someone can hardlink to any file and clobber it with a file owned by
> > > them:
> >
> > I think the (really big) security hole can be closed by not doing
> > the chown/chmod commands. I inserted them because I wanted the
> > file in the spool directory to appear exactly as if lpr would
> > have copied it.
>
>I don't have too much time to think about this, argue me this:
>
> why should I allow a user to print any file on the system?
>
>the race condition is still there.

I think the general goal of the patch is a good idea (ie, doing a
'mv' instead of a 'cp & rm' when we can). And, in fact, I'd like
the chown/chmod's to be done so the file is owned and permitted
the same way as if it was cp'ed.

I don't have any time to really look at the patch right now though
(it's end-of-semester, things breaking, students around here in a
frenzy, etc, etc). I might try to suggest something this weekend,
depending on how things go.

I think we can afford to do whatever checking is necessary to get
this right, as the checking can't possibly be more expensive than
copying the whole file and removing the old one. (in my environment
we have people printing thru samba or CAP, and who are sending
>100meg files. If I can use 'mv' instead of 'cp', that has to save
a lot of cpu time!). Of course, the security implications of such
a change are also pretty important in our environment here...

---
Garance Alistair Drosehn      =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer          or  drosih@rpi.edu
Rensselaer Polytechnic Institute

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
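The thread above turns on ordering: if the daemon renames a user-supplied path into the spool and then chown/chmods whatever ends up there, a hard link to somebody else's file is re-owned to the submitter. The example below is added here as an illustration of the "whatever checking is necessary" that Garance refers to; it is not code from lpr/lpd or from the PR 11997 patch, and the function names (`spool_move_checked`, `run_scenario`), the result codes, the spool file name `dfA001` and the scratch directory layout are all constructed for the example. It verifies the inode behind an open descriptor (regular file, exactly one link, owned by the requester, same filesystem as the spool), performs the rename, re-checks that the spool name still refers to the verified inode, and only then applies group and mode through the descriptor. Anything that fails the first check is reported back so the caller can fall back to the copy-and-remove path.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* mkdtemp(), O_NOFOLLOW on older glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes (constructed for this example, not lpr's own). */
enum spool_result {
    SPOOL_MOVED = 0,      /* renamed into the spool; group/mode set as a copy would be */
    SPOOL_FALLBACK_COPY,  /* not safe to rename; caller copies and removes instead */
    SPOOL_TAMPERED,       /* the name was swapped after verification; nothing clobbered */
    SPOOL_ERROR           /* a syscall failed, errno is set */
};

/* Does the name `path` still refer to the inode we verified earlier? */
static int same_inode(const char *path, const struct stat *verified)
{
    struct stat now;
    if (lstat(path, &now) < 0)
        return 0;
    return now.st_dev == verified->st_dev && now.st_ino == verified->st_ino;
}

/* Move `src` into `spool_dir/dst_name` on behalf of `requester`, but only when the
 * inode itself (not the path name) proves the move cannot re-own another file. */
enum spool_result spool_move_checked(const char *src, const char *spool_dir,
                                     const char *dst_name, uid_t requester,
                                     gid_t spool_gid)
{
    int fd = open(src, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return SPOOL_ERROR;

    struct stat st, dir_st;
    if (fstat(fd, &st) < 0 || stat(spool_dir, &dir_st) < 0) {
        int e = errno; close(fd); errno = e;
        return SPOOL_ERROR;
    }

    /* Eligibility is decided on the open inode: a regular file with exactly one
     * name, owned by the requester, on the spool's filesystem (rename() cannot cross
     * devices). st_nlink > 1 means some other name, perhaps in a directory we cannot
     * see, shares this inode, so chown/chmod would clobber that file too. */
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1 || st.st_uid != requester ||
        st.st_dev != dir_st.st_dev) {
        close(fd);
        return SPOOL_FALLBACK_COPY;
    }

    char dst[4096];
    snprintf(dst, sizeof dst, "%s/%s", spool_dir, dst_name);
    if (rename(src, dst) < 0) {
        int e = errno; close(fd); errno = e;
        return SPOOL_ERROR;
    }

    /* rename() moved whatever `src` named at that instant. If the spool name is not
     * the inode we verified, a link to some other file was swapped in during the
     * window. Removing `dst` drops only the link we just created; the victim file is
     * untouched because no chown/chmod has happened yet. */
    if (!same_inode(dst, &st)) {
        unlink(dst);
        close(fd);
        return SPOOL_TAMPERED;
    }

    /* Now fd and dst are the same single-link inode owned by the requester, so give
     * it the group and mode lpr's copy would have, via the descriptor, not the path. */
    if (fchown(fd, (uid_t)-1, spool_gid) < 0 || fchmod(fd, 0660) < 0) {
        int e = errno; close(fd); errno = e;
        return SPOOL_ERROR;
    }
    close(fd);
    return SPOOL_MOVED;
}

/* Builds a scratch layout under mkdtemp() (constructed input) and runs one scenario:
 * 0 = ordinary single-link job file, 1 = the same file with a second hard link. */
enum spool_result run_scenario(int which)
{
    char root[] = "/tmp/lprdemoXXXXXX";
    if (!mkdtemp(root))
        return SPOOL_ERROR;
    char spool[64], src[64], alias[64], moved[80];
    snprintf(spool, sizeof spool, "%s/spool", root);
    snprintf(src, sizeof src, "%s/job.txt", root);
    snprintf(alias, sizeof alias, "%s/alias.txt", root);
    snprintf(moved, sizeof moved, "%s/dfA001", spool);

    FILE *f = mkdir(spool, 0700) == 0 ? fopen(src, "w") : NULL;
    if (!f)
        return SPOOL_ERROR;
    fputs("constructed print job\n", f);
    fclose(f);
    if (which == 1 && link(src, alias) < 0)   /* second name: st_nlink becomes 2 */
        return SPOOL_ERROR;

    enum spool_result r = spool_move_checked(src, spool, "dfA001", geteuid(), getegid());

    unlink(moved); unlink(src); unlink(alias); rmdir(spool); rmdir(root);
    return r;
}
```

The ordering is the whole point: check the descriptor, rename, confirm the spool name is that same inode, and only then fchown/fchmod. Reversing any two of those steps reopens the clobber that Alfred describes. The single-link requirement is deliberately conservative; a file the user legitimately keeps two names for simply takes the slower copy path.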