From owner-freebsd-security  Sun Apr 19 16:15:33 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id QAA03520
          for freebsd-security-outgoing; Sun, 19 Apr 1998 16:15:33 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from indigo.ie (root@ts01-10.waterford.indigo.ie [194.125.139.73])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA03440
          for <freebsd-security@FreeBSD.ORG>; Sun, 19 Apr 1998 23:15:12 GMT
          (envelope-from rotel@indigo.ie)
Received: (from nsmart@localhost)
	by indigo.ie (8.8.8/8.8.7) id AAA00431;
	Mon, 20 Apr 1998 00:09:44 +0100 (IST)
	(envelope-from rotel@ginseng.indigo.ie)
From: Niall Smart <rotel@indigo.ie>
Message-Id: <199804192309.AAA00431@indigo.ie>
Date: Mon, 20 Apr 1998 00:09:43 +0000
In-Reply-To: Marc Slemko <marcs@znep.com>
       "Re: suid/sgid programs" (Apr 19,  3:16pm)
Reply-To: rotel@indigo.ie
X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96)
To: Marc Slemko <marcs@znep.com>, Niall Smart <rotel@indigo.ie>
Subject: Re: suid/sgid programs
Cc: freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Apr 19,  3:16pm, Marc Slemko wrote:
} Subject: Re: suid/sgid programs
> On Sun, 19 Apr 1998, Niall Smart wrote:
> 
> > > But if someone can break the uid that lpr runs as then they can probably
> > > break root anyway.
> > 
> > How?
> 
> Because they then have full access to the queue directory that lpd reads
> from and lpd does run as root so it can access the files people want to
> print.

lpr can be setuid "lp" so that it can write to the print spool
directory, it has access to the file the user wants to print because
that is it's real uid.  lpd can be root.wheel 770 and immediately
setuid to "lp" after opening the socket.  (Or you could just disable
this silly priveledged socket scheme)

> Also note that if you do change lpr to be setuid to another user, then you
> still have to make it schg so someone who compromises it can't replace the
> binary.

Yes, thats a good point, but not a problem.

Niall

-- 
Niall Smart.        PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org
Annoy your enemies and astonish your friends:
echo "#define if(x) if (!(x))" >> /usr/include/stdio.h

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message