Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!ut-sally!im4u!rutgers!ukma!david
From: david@ms.uky.edu (David Herron -- Resident E-mail Hack)
Newsgroups: comp.unix.questions,comp.bugs.sys5
Subject: Re: SysV lp spooler a security hole
Message-ID: <7233@e.ms.uky.edu>
Date: Tue, 8-Sep-87 14:19:56 EDT
Article-I.D.: e.7233
Posted: Tue Sep 8 14:19:56 1987
Date-Received: Wed, 9-Sep-87 05:59:07 EDT
References: <313@pvab.UUCP> <193@sortac.UUCP>
Reply-To: david@ms.uky.edu (David Herron -- Resident E-mail Hack)
Organization: U of Kentucky, Mathematical Sciences
Lines: 20
Xref: mnetor comp.unix.questions:3941 comp.bugs.sys5:188

In article <193@sortac.UUCP> pls@sortac.UUCP (Pat Sullivan) writes:
>In article <313@pvab.UUCP> robert@pvab.UUCP (Robert Claeson) writes:
>>The System V print spooler runs as a SUID 'lp' command, which
>>means that the files I want to print must be readable by others or,
>>if I'm lucky, by the group. This implies that anyone on the system
>>will be able to print, copy or read the files ...
>Not really; all you need to do is "lp < secretstuff".

Sorry, this isn't acceptable. I want to have the file name on
the banner page and "lp" has no way of finding out the file name.

Why can't lp do some IPC to a privileged process to tell it
to print things?
--
----- David Herron, Local E-Mail Hack, david@ms.uky.edu, david@ms.uky.csnet
----- {rutgers,uunet,cbosgd}!ukma!david, david@UKMA.BITNET
-----
----- I speak French like a Spanish cow.
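
One way the IPC asked about above can be done is descriptor passing over a Unix-domain socket: the client opens the file with the user's own rights and sends the open descriptor plus the file name for the banner. This is an added example, not part of the original post and not how the System V spooler worked; the function names and sample file are constructed, and both ends run in one process here, where a real spooler would run under its own account.

```python
import array
import os
import socket
import stat
import tempfile

def submit_job(sock, path):
    """Unprivileged lp client: open the file as the user, send fd + name."""
    fd = os.open(path, os.O_RDONLY)  # permission check uses the caller's own rights
    try:
        rights = array.array("i", [fd])
        sock.sendmsg([os.path.basename(path).encode()],
                     [(socket.SOL_SOCKET, socket.SCM_RIGHTS, rights)])
    finally:
        os.close(fd)  # the receiver gets its own duplicate of the descriptor

def receive_job(sock):
    """Spooler daemon: take name + fd from the socket; never open a path itself."""
    fds = array.array("i")
    name, ancdata, _flags, _addr = sock.recvmsg(255, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(cdata[:len(cdata) - len(cdata) % fds.itemsize])
    if len(fds) != 1:
        for fd in fds:
            os.close(fd)
        raise ValueError("expected exactly one descriptor")
    with os.fdopen(fds[0], "rb") as job:
        if not stat.S_ISREG(os.fstat(job.fileno()).st_mode):
            raise ValueError("only regular files are printable")
        body = job.read()
    # The name is untrusted and used only as banner text: keep printable characters.
    title = "".join(c if c.isprintable() else "?" for c in name.decode("utf-8", "replace"))
    return title, body

def demo():
    """Constructed run: a mode-0600 file reaches the spooler side with its name."""
    client, daemon = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with client, daemon, tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secretstuff")
        with open(path, "wb") as f:
            f.write(b"constructed sample contents\n")
        os.chmod(path, 0o600)
        submit_job(client, path)
        title, body = receive_job(daemon)
        return title, body, stat.S_IMODE(os.stat(path).st_mode)

if __name__ == "__main__":
    print(demo())
```

The file never has to be readable by group or others, and the daemon treats the supplied name as display text only, since it reads the data through the descriptor it was handed.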