Date: Mon, 20 Apr 1998 00:09:43 +0000 From: Niall Smart <rotel@indigo.ie> To: Marc Slemko <marcs@znep.com>, Niall Smart <rotel@indigo.ie> Cc: freebsd-security@FreeBSD.ORG Subject: Re: suid/sgid programs Message-ID: <199804192309.AAA00431@indigo.ie> In-Reply-To: Marc Slemko <marcs@znep.com> "Re: suid/sgid programs" (Apr 19, 3:16pm)
next in thread | previous in thread | raw e-mail | index | archive | help
On Apr 19, 3:16pm, Marc Slemko wrote: } Subject: Re: suid/sgid programs > On Sun, 19 Apr 1998, Niall Smart wrote: > > > > But if someone can break the uid that lpr runs as then they can probably > > > break root anyway. > > > > How? > > Because they then have full access to the queue directory that lpd reads > from and lpd does run as root so it can access the files people want to > print. lpr can be setuid "lp" so that it can write to the print spool directory, it has access to the file the user wants to print because that is it's real uid. lpd can be root.wheel 770 and immediately setuid to "lp" after opening the socket. (Or you could just disable this silly priveledged socket scheme) > Also note that if you do change lpr to be setuid to another user, then you > still have to make it schg so someone who compromises it can't replace the > binary. Yes, thats a good point, but not a problem. Niall -- Niall Smart. PGP: finger njs3@motmot.doc.ic.ac.uk FreeBSD: Turning PC's into Workstations: www.freebsd.org Annoy your enemies and astonish your friends: echo "#define if(x) if (!(x))" >> /usr/include/stdio.h To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199804192309.AAA00431>