Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!rutgers!labrea!decwrl!sun!guy
From: guy@sun.uucp (Guy Harris)
Newsgroups: comp.unix.questions,comp.bugs.sys5
Subject: Re: SysV lp spooler a security hole
Message-ID: <27485@sun.uucp>
Date: Wed, 9-Sep-87 07:15:05 EDT
Article-I.D.: sun.27485
Posted: Wed Sep 9 07:15:05 1987
Date-Received: Fri, 11-Sep-87 01:36:05 EDT
References: <313@pvab.UUCP> <193@sortac.UUCP> <2028@ihlpe.ATT.COM>
Organization: Sun Microsystems, Inc. - Mtn View, CA
Lines: 27
Xref: mnetor comp.unix.questions:3962 comp.bugs.sys5:195

> There were several responses to this, all of which missed the point:
> in my opinion, THIS IS A BUG IN LP.
>
> Let's supply some possible solutions, since this is a more general problem
> in UNIX land. One possibility is to open the file and fork/exec a
> subprocess that is setuid that does the I/O. Drawbacks include
> performance problems.

Another possibility, on systems on which a set-UID program can repeatedly
switch between its real and effective UID (this includes System V and
4.[23]BSD, although it's done differently on those two systems), is simply to
have "lp" switch to its real UID when it opens the file to be printed and
switch back as soon as it's opened.

Note, however, that this doesn't handle the case where a link (hard or
symbolic) can be made between the spooling directory and the file, and where
the spooler takes advantage of this. In this case, the spooler will have to
run set-UID "root" in order to be guaranteed to be able to read the file.

Then again, I rarely give "lpr" a file name; if the printer is being used as
a line printer, I usually feed the file(s) to be printed through "pr", and if
it's a "troff" job the file to be printed is some pile of PostScript fed to
"lpr" as its standard input.
--
	Guy Harris
	{ihnp4, decvax, seismo, decwrl, ...}!sun!guy
	guy@sun.com (or guy@sun.arpa)