Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!cmcl2!brl-adm!brl-smoke!gwyn
From: gwyn@brl-smoke.ARPA (Doug Gwyn )
Newsgroups: comp.unix.questions,comp.bugs.sys5
Subject: Re: SysV lp spooler a security hole
Message-ID: <6410@brl-smoke.ARPA>
Date: Wed, 9-Sep-87 11:05:19 EDT
Article-I.D.: brl-smok.6410
Posted: Wed Sep 9 11:05:19 1987
Date-Received: Fri, 11-Sep-87 03:45:38 EDT
References: <313@pvab.UUCP>
Reply-To: gwyn@brl.arpa (Doug Gwyn (VLD/VMB) )
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 11
Xref: mnetor comp.unix.questions:3966 comp.bugs.sys5:197

In article <313@pvab.UUCP> robert@pvab.UUCP (Robert Claeson) writes:
>The System V print spooler runs as a SUID 'lp' command, which
>means that the files I want to print must be readable by others ...

I don't know much about System V "lp" (we use MDQS), but just because
the spooler is set-UID non-root does NOT necessarily imply a security
hole. System V is capable of switching back and forth between the
real UID and the effective UID as required; if the spooler is correctly
implemented, it should be able to open your file when you spool it, in
order to make a copy without requiring global read permission on the
file. (The snarfed-away spool copy should be inaccessible to others.)
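
Added example, not part of the original post and not the System V lp or MDQS source: a C sketch of the pattern described above, in which a set-UID non-root spooler opens the user's file under the real UID, then switches back to the effective UID to write a private spool copy. It assumes a platform with POSIX seteuid(); the function name spool_copy and the file paths are hypothetical.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Copy src into dst (the spool copy). Returns 0 on success, -1 on error.
 * Hypothetical helper: assumes the binary is set-UID to the spooler account,
 * so the real UID is the invoking user and the effective UID owns the spool. */
int spool_copy(const char *src, const char *dst)
{
    uid_t spool_uid = geteuid();   /* spooler account (also the saved set-UID) */
    uid_t user_uid = getuid();     /* the user who ran the command */
    char buf[4096];
    ssize_t n = 0;
    int in, out, rc = -1;

    /* Open the source with the user's own rights: the file needs no global
     * read permission, and the user cannot spool a file they cannot read. */
    if (seteuid(user_uid) != 0)
        return -1;
    in = open(src, O_RDONLY);
    /* Switch back before touching the spool area; fail closed if that fails. */
    if (seteuid(spool_uid) != 0) {
        if (in >= 0)
            close(in);
        return -1;
    }
    if (in < 0)
        return -1;

    /* O_EXCL refuses a pre-existing name; mode 0600 keeps the copy private. */
    out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (out >= 0) {
        rc = 0;
        while ((n = read(in, buf, sizeof buf)) > 0)
            if (write(out, buf, (size_t)n) != n) { rc = -1; break; }
        if (n < 0)
            rc = -1;
        if (fchmod(out, 0600) != 0)    /* exact mode, independent of umask */
            rc = -1;
        if (close(out) != 0)
            rc = -1;
        if (rc != 0)
            unlink(dst);               /* leave no partial spool copy behind */
    }
    close(in);
    return rc;
}
```

Run without the set-UID bit, the real and effective UIDs are equal and both switches are no-ops, so the copy logic can be exercised as an ordinary user.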