Path: utzoo!attcan!uunet!cs.utexas.edu!swrinde!gem.mps.ohio-state.edu!apple!sun-barr!decwrl!shelby!portia!jessica.Stanford.EDU!surak
From: surak@jessica.Stanford.EDU (Jayson Adams)
Newsgroups: comp.sys.next
Subject: Stripping PrintManager's setuid bit
Message-ID: <6748@portia.Stanford.EDU>
Date: 17 Nov 89 19:41:16 GMT
Sender: USENET News System <news@Portia.stanford.edu>
Reply-To: surak@jessica.Stanford.EDU (Jayson Adams)
Organization: Stanford University
Lines: 19


Hola,

Recently, someone mentioned stripping setuid bits from applications
so that ordinary users can't change things (like the machine time
and date).  I don't think changing PrintManager's setuid bit is
enough to prevent someone from exporting/de-exporting a printer
'cause NetInfo relies on a directory's _writers property (this
property specifying which users can modify the directory).  The _writers
property for the printer directory on my machines had one item: "*",
which means ANYONE can modify the printer directory's contents.
So, in addition to removing the setuid bit, you should also change
the "*" entry to "root" (in all relevant NetInfo domains) to prevent
everyone except root from modifying printer export information.

__jayson adams  :-)
Academic Information Resources
Stanford University
surak@jessica.stanford.edu