Date: Mon, 20 Apr 1998 07:29:17 +1000 (EST)
From: Peter Jeremy <Peter.Jeremy@alcatel.com.au>
To: freebsd-security@FreeBSD.ORG
Subject: Re: suid/sgid programs
Message-ID: <199804192129.HAA12767@gsms01.alcatel.com.au>

On Sun, 19 Apr 1998 20:45:30 +0000, Niall Smart <rotel@indigo.ie> wrote:
>> But if someone can break the uid that lpr runs as then they can probably
>> break root anyway.
>How?

Well, as a starter, lp{q,r,rm} are setuid root, therefore by definition
once you've broken `the uid that lpr runs as', you've broken root :-)

Assuming they were setuid something else, the simplest way is with a
couple of trojan lp binaries: as soon as root prints something, you've
got root access. It may also be possible to get in via lpd (which is
started as root, but needs to run as `lp').

Peter
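A defensive audit for the situation discussed in this message, added here as an example and not part of the original post or of FreeBSD: it lists set-id files in the given directories that a non-root account could replace, because that account owns the file or can modify its directory. The function names are assumptions for illustration, and the checks are deliberately conservative (any group or world write bit is reported).

```python
import os
import stat
import sys

def replace_risks(mode, uid, dir_mode, dir_uid):
    """Reasons a non-root account could swap this file for another one.

    Takes plain stat fields so the logic can be checked without root.
    """
    risks = []
    if uid != 0:
        # The owner can always chmod and rewrite its own file, so a binary
        # that is setuid to <uid> is replaceable by whoever controls <uid>.
        risks.append(f"file owned by uid {uid}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        risks.append("file is group/world writable")
    if dir_uid != 0:
        # The directory owner can unlink or rename entries in it.
        risks.append(f"directory owned by uid {dir_uid}")
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH):
        risks.append("directory is group/world writable")
    return risks

def is_privileged(mode):
    """True for a regular file with the setuid or setgid bit set."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))

def audit(directories):
    """Yield (path, owner_uid, risks) for replaceable set-id files."""
    for d in directories:
        try:
            dst = os.stat(d)
            names = sorted(os.listdir(d))
        except OSError:
            continue  # missing or unreadable PATH entry
        for name in names:
            path = os.path.join(d, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if is_privileged(st.st_mode):
                risks = replace_risks(st.st_mode, st.st_uid,
                                      dst.st_mode, dst.st_uid)
                if risks:
                    yield path, st.st_uid, risks

if __name__ == "__main__":
    # Default to the directories on the caller's PATH (run it with root's).
    dirs = sys.argv[1:] or os.environ.get("PATH", "").split(os.pathsep)
    for path, owner, risks in audit(dirs):
        print(f"{path}: set-id, owner uid {owner}: {'; '.join(risks)}")
```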