From owner-freebsd-security Sun Apr 19 14:30:08 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA15582 for freebsd-security-outgoing; Sun, 19 Apr 1998 14:30:08 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gatekeeper.alcatel.com.au (gatekeeper.alcatel.com.au [203.17.66.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA15508 for ; Sun, 19 Apr 1998 21:29:59 GMT (envelope-from Peter.Jeremy@alcatel.com.au)
Received: from mfg1.cim.alcatel.com.au ([139.188.23.1]) by gatekeeper.alcatel.com.au (PMDF V5.1-7 #U2695) with ESMTP id <01IW31LT1ZKW0002Z4@gatekeeper.alcatel.com.au> for freebsd-security@FreeBSD.ORG; Mon, 20 Apr 1998 07:29:26 +1000
Received: from cbd.alcatel.com.au by cim.alcatel.com.au (PMDF V5.1-10 #U2695) with ESMTP id <01IW31LM7BI8DDYPRC@cim.alcatel.com.au> for freebsd-security@FreeBSD.ORG; Mon, 20 Apr 1998 07:29:17 +1000
Received: from gsms01.alcatel.com.au by cbd.alcatel.com.au (PMDF V5.1-7 #U2695) with ESMTP id <01IW31LNR7R4AZTSJV@cbd.alcatel.com.au> for freebsd-security@FreeBSD.ORG; Mon, 20 Apr 1998 07:29:19 +1100
Received: (from jeremyp@localhost) by gsms01.alcatel.com.au (8.8.8/8.7.3) id HAA12767 for freebsd-security@FreeBSD.ORG; Mon, 20 Apr 1998 07:29:17 +1000 (EST)
Date: Mon, 20 Apr 1998 07:29:17 +1000 (EST)
From: Peter Jeremy
Subject: Re: suid/sgid programs
To: freebsd-security@FreeBSD.ORG
Message-id: <199804192129.HAA12767@gsms01.alcatel.com.au>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Sun, 19 Apr 1998 20:45:30 +0000, Niall Smart wrote:
>> But if someone can break the uid that lpr runs as then they can probably
>> break root anyway.
>How?

Well, as a starter, lp{q,r,rm} are setuid root, therefore by definition once you've broken `the uid that lpr runs as', you've broken root :-)

Assuming they were setuid something else, the simplest way is with a couple of trojan lp binaries: as soon as root prints something, you've got root access.

It may also be possible to get in via lpd (which is started as root, but needs to run as `lp').

Peter
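The thread's point is that a setuid program matters whether it is setuid root or setuid to a service account such as `lp`: either one is an account boundary worth reviewing. The following is an added example, not code from Peter's mail or from the FreeBSD lpr sources: a POSIX shell audit that lists every setuid/setgid regular file under a directory together with the owner and group it elevates to, and a second function that narrows the list to the files setuid to one particular account. The function names, the sample directory argument and the `lpr_like` file name used in the usage line are my own.

```shell
#!/bin/sh
# Added example (not from the original mail): audit setuid/setgid binaries.
# Portable to FreeBSD and GNU userlands: only find(1), ls(1) and awk(1),
# all in their POSIX forms (`-perm -4000' means "setuid bit set").

# list_privileged DIR
# One line per setuid or setgid regular file under DIR:
#   MODE OWNER GROUP PATH
# The owner is the account a setuid file runs as, the group the one an
# sgid file runs as. Paths are taken from the last ls(1) field, so this
# assumes file names without embedded whitespace.
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} + 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }'
}

# setuid_to_account DIR ACCOUNT
# Only the setuid files (owner-execute slot shows `s' or `S') that elevate
# to ACCOUNT. Called with `root' it gives the classic setuid-root list;
# called with `lp' (or any service account) it shows which binaries hand
# out that account, which is the set the thread is arguing about.
setuid_to_account() {
    list_privileged "$1" | awk -v acct="$2" '$1 ~ /^...[sS]/ && $2 == acct'
}

# count_privileged DIR
# Number of setuid/setgid files under DIR, handy for a before/after
# comparison when hardening a host.
count_privileged() {
    list_privileged "$1" | wc -l | tr -d ' '
}

# Usage: sh audit-suid.sh /usr/bin      (hypothetical invocation)
if [ -n "${1:-}" ]; then
    printf 'setuid/setgid files under %s (%s total):\n' "$1" "$(count_privileged "$1")"
    list_privileged "$1"
    printf '\nsetuid to lp:\n'
    setuid_to_account "$1" lp
fi
```

Run it against `/usr/bin`, `/usr/sbin` and `/usr/local/bin` and compare the output with the set of programs you actually expect to be privileged; a setuid file that elevates to a service account is as much a finding as an unexpected setuid-root one, because that account is then only as strong as the weakest program that runs as it.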