From owner-freebsd-security Sun Apr 19 16:15:08 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA03423 for freebsd-security-outgoing; Sun, 19 Apr 1998 16:15:08 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from indigo.ie (root@ts01-10.waterford.indigo.ie [194.125.139.73]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA03414 for ; Sun, 19 Apr 1998 23:14:57 GMT (envelope-from rotel@indigo.ie)
Received: (from nsmart@localhost) by indigo.ie (8.8.8/8.8.7) id AAA00447; Mon, 20 Apr 1998 00:11:17 +0100 (IST) (envelope-from rotel@ginseng.indigo.ie)
From: Niall Smart
Message-Id: <199804192311.AAA00447@indigo.ie>
Date: Mon, 20 Apr 1998 00:11:17 +0000
In-Reply-To: Peter Jeremy "Re: suid/sgid programs" (Apr 20, 7:29am)
Reply-To: rotel@indigo.ie
X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96)
To: Peter Jeremy, freebsd-security@FreeBSD.ORG
Subject: Re: suid/sgid programs
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Apr 20, 7:29am, Peter Jeremy wrote:
} Subject: Re: suid/sgid programs
> On Sun, 19 Apr 1998 20:45:30 +0000, Niall Smart wrote:
> >> But if someone can break the uid that lpr runs as then they can probably
> >> break root anyway.
> >How?
>
> Well, as a starter, lp{q,r,rm} are setuid root, therefore by
> definition once you've broken `the uid that lpr runs as', you've
> broken root :-)

The above discussion was in the context of lp* which weren't setuid root.

> Assuming they were setuid something else, the simplest way is with a
> couple of trojan lp binaries: as soon as root prints something,
> you've got root access. It may also be possible to get in via lpd
> (which is started as root, but needs to run as `lp').

As Marc Slemko has just pointed out, you can use schg to prevent this,
as was done with man(1).

Niall

--
Niall Smart.
PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org
Annoy your enemies and astonish your friends:
echo "#define if(x) if (!(x))" >> /usr/include/stdio.h
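An added example, not part of the original message: a check for the situation the thread describes, setuid binaries owned by a non-root uid that lack the `schg` flag and so could be replaced by whoever controls that uid. It parses FreeBSD `ls -lo` output; the `lp` and `man` owners, sizes and dates in the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Reads FreeBSD `ls -lo` lines on stdin and prints the path of every setuid
# file that is owned by a non-root user and does not carry the schg flag.
# Assumed field layout: mode links owner group flags size month day time path
# (paths containing spaces are not handled in this sketch).
unprotected_setuid() {
    awk '
    {
        mode = $1; owner = $3; flags = $5; path = $NF
        # 4th character of the mode string is s or S when setuid is set
        suid = substr(mode, 4, 1)
        if (suid != "s" && suid != "S") next
        # a root-owned binary cannot be rewritten by a lesser uid
        if (owner == "root") next
        # flags is "-" when none are set, otherwise a comma-separated list
        n = split(flags, f, ",")
        has_schg = 0
        for (i = 1; i <= n; i++) if (f[i] == "schg") has_schg = 1
        if (!has_schg) print path
    }'
}

# Constructed sample listing (hypothetical ownership, as in the thread's
# "assuming they were setuid something else" case).
sample_listing() {
    cat <<'EOF'
-r-sr-xr-x  1 lp    bin     -      20480 Apr 19 12:00 /usr/bin/lpr
-r-sr-xr-x  1 lp    bin     schg   20480 Apr 19 12:00 /usr/bin/lpq
-r-sr-sr-x  1 lp    daemon  uarch  20480 Apr 19 12:00 /usr/bin/lprm
-r-sr-xr-x  1 man   bin     schg   28672 Apr 19 12:00 /usr/bin/man
-r-sr-xr-x  1 root  bin     -      24576 Apr 19 12:00 /usr/bin/passwd
-r-xr-xr-x  1 lp    bin     -      12288 Apr 19 12:00 /usr/bin/lptest
EOF
}

# Each path printed here is a candidate for `chflags schg <path>`.
sample_listing | unprotected_setuid
```

On a live system the input would come from `ls -lo` over the directories of interest instead of the sample listing.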