Date: Sun, 19 Apr 1998 15:16:29 -0600 (MDT)
From: Marc Slemko
To: Niall Smart
cc: freebsd-security@FreeBSD.ORG
Subject: Re: suid/sgid programs
In-Reply-To: <199804191945.UAA01313@indigo.ie>

On Sun, 19 Apr 1998, Niall Smart wrote:

> > But if someone can break the uid that lpr runs as then they can probably
> > break root anyway.
>
> How?

Because they then have full access to the queue directory that lpd reads
from, and lpd does run as root so it can access the files people want to
print.

Also note that if you do change lpr to be setuid to another user, then you
still have to make it schg so someone who compromises it can't replace the
binary. Earlier, in 2.2.x or something like that, man was made setuid to
allow "secure" caching of formatted man pages. It was setuid to its own
user so it was "safe"; the only problem was that it was trivial to
compromise that user and replace the man binary, so anyone who used man was
compromised. Now man is schg to avoid that, aside from the holes I could
find being fixed.

The whole issue here is that one of the reasons why man wasn't viewed as a
threat was because "oh, it is safe because it runs as a non-root uid".
Encouraging the changing of other utilities to run as other uids without
being sure all the trust relationships are clear can actually reduce
security.
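A defender's check for the trap described above (a set-id binary owned by a non-root uid that is not schg, so compromising that uid lets you replace the binary), as an added example that is not part of the original message. It assumes a FreeBSD-style os.stat that exposes st_flags; the uids and modes in the comments are constructed, and the default /usr/bin path is just a starting point.

```python
"""Audit set-id binaries for the man(1)/lpr trust problem described above.

Example added here, not FreeBSD project code.  Assumes FreeBSD semantics:
os.stat() returns st_flags, and only schg (SF_IMMUTABLE) stops the file's
owner from rewriting it.  uchg does not count: the owner can clear it.
"""
import os
import stat
import sys

SCHG = stat.SF_IMMUTABLE


def assess(mode, uid, gid, flags, root_uid=0):
    """Classify one file from its metadata.

    Returns None if the file is not a set-id regular file, otherwise a list
    of findings (empty list means nothing to fix).
    """
    if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
        return None
    findings = []
    if flags & SCHG:
        return findings  # schg: owner cannot chmod or rewrite it
    if mode & stat.S_ISUID and uid != root_uid:
        # The owner of a file can always chmod it and write to it, so a
        # non-root setuid binary without schg is replaceable by whoever
        # compromises that uid (the old man(1) situation).
        findings.append("setuid to non-root uid %d without schg" % uid)
    if mode & stat.S_ISGID and mode & stat.S_IWGRP:
        # Group members cannot chmod, so they need g+w to rewrite a setgid file.
        findings.append("setgid with group-writable mode")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit(root="/usr/bin"):
    """Walk a tree and yield (path, findings) for set-id files needing attention."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            # st_flags is missing on Linux; treat that as "no schg" (assumption).
            found = assess(st.st_mode, st.st_uid, st.st_gid, getattr(st, "st_flags", 0))
            if found:
                yield path, found


if __name__ == "__main__":
    for p, f in audit(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        print("%s: %s" % (p, "; ".join(f)))
```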