From owner-freebsd-security  Sun Apr 19 14:30:08 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id OAA15582
          for freebsd-security-outgoing; Sun, 19 Apr 1998 14:30:08 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gatekeeper.alcatel.com.au (gatekeeper.alcatel.com.au [203.17.66.1])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA15508
          for <freebsd-security@FreeBSD.ORG>; Sun, 19 Apr 1998 21:29:59 GMT
          (envelope-from Peter.Jeremy@alcatel.com.au)
Received: from mfg1.cim.alcatel.com.au ([139.188.23.1])
 by gatekeeper.alcatel.com.au (PMDF V5.1-7 #U2695)
 with ESMTP id <01IW31LT1ZKW0002Z4@gatekeeper.alcatel.com.au> for
 freebsd-security@FreeBSD.ORG; Mon, 20 Apr 1998 07:29:26 +1000
Received: from cbd.alcatel.com.au by cim.alcatel.com.au (PMDF V5.1-10 #U2695)
 with ESMTP id <01IW31LM7BI8DDYPRC@cim.alcatel.com.au> for
 freebsd-security@FreeBSD.ORG; Mon, 20 Apr 1998 07:29:17 +1000
Received: from gsms01.alcatel.com.au by cbd.alcatel.com.au (PMDF V5.1-7 #U2695)
 with ESMTP id <01IW31LNR7R4AZTSJV@cbd.alcatel.com.au> for
 freebsd-security@FreeBSD.ORG; Mon, 20 Apr 1998 07:29:19 +1100
Received: (from jeremyp@localhost) by gsms01.alcatel.com.au (8.8.8/8.7.3)
 id HAA12767 for freebsd-security@FreeBSD.ORG; Mon,
 20 Apr 1998 07:29:17 +1000 (EST)
Date: Mon, 20 Apr 1998 07:29:17 +1000 (EST)
From: Peter Jeremy <Peter.Jeremy@alcatel.com.au>
Subject: Re: suid/sgid programs
To: freebsd-security@FreeBSD.ORG
Message-id: <199804192129.HAA12767@gsms01.alcatel.com.au>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Sun, 19 Apr 1998 20:45:30 +0000, Niall Smart <rotel@indigo.ie> wrote:
>> But if someone can break the uid that lpr runs as then they can probably
>> break root anyway.
>How?

Well, as a starter, lp{q,r,rm} are setuid root, therefore by
definition once you've broken `the uid that lpr runs as', you've
broken root :-)

Assuming they were setuid something else, the simplest way is with a
couple of trojan lp binaries: as soon as root root prints something,
you've got root access.  It may also be possible to get in via lpd
(which is started as root, but needs to run as `lp'.

Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message