Date: Mon, 20 Apr 1998 00:11:17 +0000
From: Niall Smart <rotel@indigo.ie>
To: Peter Jeremy <Peter.Jeremy@alcatel.com.au>, freebsd-security@FreeBSD.ORG
Subject: Re: suid/sgid programs
Message-ID: <199804192311.AAA00447@indigo.ie>
In-Reply-To: Peter Jeremy <Peter.Jeremy@alcatel.com.au> "Re: suid/sgid programs" (Apr 20, 7:29am)

On Apr 20, 7:29am, Peter Jeremy wrote:
} Subject: Re: suid/sgid programs
> On Sun, 19 Apr 1998 20:45:30 +0000, Niall Smart <rotel@indigo.ie> wrote:
> >> But if someone can break the uid that lpr runs as then they can probably
> >> break root anyway.
> >How?
>
> Well, as a starter, lp{q,r,rm} are setuid root, therefore by
> definition once you've broken `the uid that lpr runs as', you've
> broken root :-)

The above discussion was in the context of lp* which weren't setuid root.

> Assuming they were setuid something else, the simplest way is with a
> couple of trojan lp binaries: as soon as root prints something,
> you've got root access. It may also be possible to get in via lpd
> (which is started as root, but needs to run as `lp'.

As Marc Slemko has just pointed out, you can use schg to prevent this,
as was done with man(1).

Niall

--
Niall Smart. PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org
Annoy your enemies and astonish your friends:
echo "#define if(x) if (!(x))" >> /usr/include/stdio.h

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199804192311.AAA00447>
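
The schg protection mentioned in the message can be audited. The script below is an added example, not part of the original e-mail: it reads FreeBSD `ls -lo` output and lists set-uid files owned by a non-root user that lack the `schg` flag. The function names, the assumed column layout and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Assumed `ls -lo` columns: mode links owner group flags size month day time name
# On a live system the input could come from:
#   find / -xdev -perm -4000 ! -user root -exec ls -lod {} +

# Print "owner path" for every set-uid, non-root-owned file without schg.
unprotected_setuid() {
    awk '
    {
        # Character 4 of the mode string is the owner-execute slot;
        # "s" or "S" there means the set-uid bit is on.
        suid = substr($1, 4, 1)
        if (suid != "s" && suid != "S") next

        # Root-owned set-uid files are outside this check: the concern is
        # a compromised non-root owner replacing its own binary.
        if ($3 == "root") next

        # Flags are comma separated ("-" when none); schg blocks modification.
        n = split($5, flags, ",")
        for (i = 1; i <= n; i++)
            if (flags[i] == "schg") next

        # Re-join the name in case the path contains spaces.
        name = $10
        for (i = 11; i <= NF; i++) name = name " " $i
        print $3, name
    }'
}

# Constructed sample listing: owners, sizes and dates are made up.
sample_listing() {
    cat <<'EOF'
-r-sr-xr-x  1 man   wheel   schg 28672 Apr 19 00:11 /usr/bin/man
-r-sr-xr-x  1 lp    daemon  -    20480 Apr 19 00:11 /usr/bin/lpr
-r-sr-xr-x  1 root  wheel   -    24576 Apr 19 00:11 /usr/bin/passwd
-r-xr-xr-x  1 lp    daemon  -    16384 Apr 19 00:11 /usr/bin/lptest
EOF
}

sample_listing | unprotected_setuid
```

Any file the script reports can be given the flag by root with `chflags schg <path>`.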