Date: Sun, 19 Apr 1998 15:16:29 -0600 (MDT)
From: Marc Slemko <marcs@znep.com>
To: Niall Smart <rotel@indigo.ie>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: suid/sgid programs
Message-ID: <Pine.BSF.3.95.980419145340.16057D-100000@alive.znep.com>
In-Reply-To: <199804191945.UAA01313@indigo.ie>

On Sun, 19 Apr 1998, Niall Smart wrote:

> > But if someone can break the uid that lpr runs as then they can probably
> > break root anyway.
>
> How?

Because they then have full access to the queue directory that lpd reads
from and lpd does run as root so it can access the files people want to
print.

Also note that if you do change lpr to be setuid to another user, then you
still have to make it schg so someone who compromises it can't replace the
binary.

Earlier in 2.2.x or something like that, man was made setuid to allow
"secure" caching of formatted man pages. It was setuid to its own user so
it is "safe", the only problem was that it was trivial to compromise that
user and replace the man binary so anyone who uses man is compromised. Now
man is schg to avoid that, aside from the holes I could find being fixed.

The whole issue here is that one of the reasons why man wasn't viewed as a
threat was because "oh, it is safe because it runs as a non-root uid".
Encouraging the changing of other utilities to run as other uids without
being sure all the trust relationships are clear can actually reduce
security.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
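
An added example, not part of the original message: an audit sketch for the condition the message describes, a setuid/setgid binary owned by a non-root uid without the schg flag. The names `classify` and `scan` and the default path are this example's own; it relies on the fact that the file owner can clear uchg but not schg, so only schg is counted as protection.

```python
import os
import stat

def classify(mode, uid, flags):
    """Return reason codes for one file's (st_mode, st_uid, st_flags).

    An empty list means the file is not a replaceable setuid/setgid binary.
    """
    if not stat.S_ISREG(mode):
        return []
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return []
    # schg (SF_IMMUTABLE) cannot be cleared by the file's owner.
    # uchg (UF_IMMUTABLE) can, so it does not protect against the owner.
    if flags & stat.SF_IMMUTABLE:
        return []
    reasons = []
    if uid != 0:
        # The owning uid can chmod and rewrite its own file, so whoever
        # compromises that uid controls what every later caller executes.
        reasons.append("owner-can-replace")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("writable-by-others")
    return reasons

def scan(root):
    """Walk root and yield (path, reasons) for each flagged file."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            # st_flags exists on BSD-derived systems; elsewhere treat as 0.
            flags = getattr(st, "st_flags", 0)
            reasons = classify(st.st_mode, st.st_uid, flags)
            if reasons:
                yield path, reasons

if __name__ == "__main__":
    # /usr/bin is an assumed starting point; pass the directories that
    # hold setuid/setgid binaries on the system being audited.
    for path, reasons in scan("/usr/bin"):
        print(path, ",".join(reasons))
```

A flagged file is a candidate for `chflags schg`, after checking what else the owning uid can write to, such as a queue or cache directory read by a root process.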