From owner-freebsd-security Sun Apr 19 17:10:02 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA17377 for freebsd-security-outgoing; Sun, 19 Apr 1998 17:10:02 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA17316 for ; Mon, 20 Apr 1998 00:09:48 GMT (envelope-from karl@Mars.mcs.net)
Received: from Mars.mcs.net (karl@Mars.mcs.net [192.160.127.85]) by Kitten.mcs.com (8.8.7/8.8.2) with ESMTP id TAA26705; Sun, 19 Apr 1998 19:09:47 -0500 (CDT)
Received: (from karl@localhost) by Mars.mcs.net (8.8.7/8.8.2) id TAA16381; Sun, 19 Apr 1998 19:09:46 -0500 (CDT)
Message-ID: <19980419190946.52003@mcs.net>
Date: Sun, 19 Apr 1998 19:09:46 -0500
From: Karl Denninger
To: Peter Jeremy
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: suid/sgid programs
References: <199804200000.KAA16875@gsms01.alcatel.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.84
In-Reply-To: <199804200000.KAA16875@gsms01.alcatel.com.au>; from Peter Jeremy on Mon, Apr 20, 1998 at 10:00:17AM +1000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Mon, Apr 20, 1998 at 10:00:17AM +1000, Peter Jeremy wrote:
> On Mon, 20 Apr 1998 00:09:43 +0000, Niall Smart wrote:
> > lpd can be root.wheel 770 and immediately
> > setuid to "lp" after opening the socket.
> This means that lpd may not be able to read the user's file. Either
> lpr has to always copy the file to be printed (which is slow and may
> mean lots of spool space), or you can only print world-readable files.
>
> Peter

Ding ding ding ding. Give that man a cigar.

Look at how System V "lp" handled this. Either you make the file
world-readable, or lp copied it (you had to tell it to do the second).
You can bitch if the file is NOT world-readable when you attempt to queue
it, of course; test for that at the time you queue the job.

The consequences of not copying the file are non-obvious and burn people
all the time. If you queue a file and change the contents before or during
the print operation, you're going to get something other than what you
expected. If you REMOVE the file, nothing gets printed at all (lpd doesn't
hold the FD open, so you get screwed). I've seen plenty of people get
"surprised" by this behavior.

Finally, lpr is often (perhaps even primarily) used in a pipeline. In that
context it has to make a copy of the data.

The entire lpd suite needs help anyway. I keep threatening to write a
replacement (in my own mind) as all of the ones I've seen, including plp
(which is the best of them that I've run into so far) still only get it
half right. Part of the problem, though, is that you want to maintain
backward compatibility with the old protocol for obvious reasons.

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/          | T1's from $600 monthly / All Lines K56Flex/DOV
                             | NEW! Corporate ISDN Prices dropped by up to 50%!
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax:   [+1 312 803-4929]     | *SPAMBLOCK* Technology now included at no cost

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
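The two spooler designs argued over above, the queue-time readability check, and the two failure modes of the read-at-print-time design (file edited after queueing, file removed before printing) replayed in a small C program. This is an added example written for this page; it is not code from Karl's message, from lpd/lpr, or from plp. The job record, the function names and the "draft v1"/"draft v2" file contents are constructed for illustration, and it assumes a writable /tmp.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Hypothetical job record; not lpd's real control-file format. */
typedef struct {
    char   path[4096];  /* what the "read at print time" design remembers */
    char  *copy;        /* spool copy held by the "copy at queue time" design */
    size_t copy_len;
} job_t;

/* Read a whole file into a malloc'd, NUL-terminated buffer; NULL if it cannot be opened. */
static char *slurp(const char *path, size_t *len)
{
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return NULL;
    if (fstat(fd, &st) != 0) { close(fd); return NULL; }
    char *buf = malloc((size_t)st.st_size + 1);
    if (!buf) { close(fd); return NULL; }
    ssize_t got = read(fd, buf, (size_t)st.st_size);
    close(fd);
    if (got < 0) { free(buf); return NULL; }
    buf[got] = '\0';
    *len = (size_t)got;
    return buf;
}

/* Design A: lpr records only the path; an lpd that has dropped to "lp" opens it
 * at print time. The queue-time check from the message: refuse now if the file
 * is not world-readable. Returns 0, -1 (cannot stat) or -2 (not world-readable). */
int queue_by_path(job_t *job, const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    if ((st.st_mode & S_IROTH) == 0) return -2;
    snprintf(job->path, sizeof job->path, "%s", path);
    job->copy = NULL;
    job->copy_len = 0;
    return 0;
}

/* Design B: lpr copies the bytes into the spool while it still runs as the user. */
int queue_by_copy(job_t *job, const char *path)
{
    job->path[0] = '\0';
    job->copy = slurp(path, &job->copy_len);
    return job->copy ? 0 : -1;
}

/* Bytes that would reach the printer (caller frees); NULL means nothing prints. */
char *print_job(const job_t *job, size_t *len)
{
    if (job->copy) {
        char *out = malloc(job->copy_len + 1);
        if (!out) return NULL;
        memcpy(out, job->copy, job->copy_len + 1);
        *len = job->copy_len;
        return out;
    }
    return slurp(job->path, len);   /* re-reads the path, whatever it holds now */
}

static int write_all(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_TRUNC);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Replay the thread's scenarios on a constructed temp file. Bitmask result:
 * 1 = 0600 file rejected at queue time, 2 = copy-at-queue job still printed the
 * original text, 4 = path-based job printed the edited text, 8 = path-based job
 * printed nothing after the file was removed. -1 on setup failure. */
int run_scenario(void)
{
    char tmpl[] = "/tmp/lprdemoXXXXXX";
    int fd = mkstemp(tmpl);             /* mkstemp creates the file mode 0600 */
    if (fd < 0) return -1;
    close(fd);
    if (write_all(tmpl, "draft v1\n") != 0) { unlink(tmpl); return -1; }

    int result = 0;
    job_t by_path = {{0}, NULL, 0}, by_copy = {{0}, NULL, 0};
    if (queue_by_path(&by_path, tmpl) == -2) result |= 1;   /* lp could not read it */

    chmod(tmpl, 0644);
    if (queue_by_path(&by_path, tmpl) != 0 || queue_by_copy(&by_copy, tmpl) != 0) {
        unlink(tmpl); free(by_copy.copy); return -1;
    }
    /* The user edits the file between lpr and the actual print. */
    if (write_all(tmpl, "draft v2\n") != 0) { unlink(tmpl); free(by_copy.copy); return -1; }

    size_t n;
    char *out = print_job(&by_copy, &n);
    if (out && strcmp(out, "draft v1\n") == 0) result |= 2;
    free(out);
    out = print_job(&by_path, &n);
    if (out && strcmp(out, "draft v2\n") == 0) result |= 4;
    free(out);

    unlink(tmpl);                       /* the user removes the file before lpd gets to it */
    out = print_job(&by_path, &n);
    if (out == NULL) result |= 8;
    free(out);

    free(by_copy.copy);
    return result;
}

int main(void)
{
    int r = run_scenario();
    printf("scenario bits = %d (15 means all four effects were observed)\n", r);
    return r == 15 ? 0 : 1;
}
```

The copy-at-queue design pays in spool space and time, exactly the trade-off Peter raises, but it is the only one of the two in which what gets printed is what the user queued; the path-based design is cheap but, as the message says, prints whatever the path holds by the time lpd opens it, or nothing at all.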