Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!cmcl2!rutgers!labrea!decwrl!pyramid!prls!mips!dce
From: dce@mips.UUCP (David Elliott)
Newsgroups: comp.unix.questions,comp.bugs.sys5
Subject: Re: SysV lp spooler a security hole
Message-ID: <668@quacky.UUCP>
Date: Wed, 9-Sep-87 11:58:51 EDT
Article-I.D.: quacky.668
Posted: Wed Sep  9 11:58:51 1987
Date-Received: Fri, 11-Sep-87 04:38:52 EDT
References: <313@pvab.UUCP> <297@axis.fr>
Reply-To: dce@quacky.UUCP (David Elliott)
Organization: MIPS Computer Systems, Sunnyvale, CA
Lines: 29
Keywords: don't let screwups go unfixed
Xref: mnetor comp.unix.questions:3969 comp.bugs.sys5:198

In article <297@axis.fr> philip@axis.fr (Philip Peake) writes:
>In article <313@pvab.UUCP>, robert@pvab.UUCP (Robert Claeson) writes:
>> The System V print spooler runs as a SUID 'lp' command, which
>> means that the files I want to print must be readable by others or,
>> if I'm lucky, by the group. This implies that anyone on the system
>> will be able to print, copy or read the files I want to be able
>> to print.
>
>You feed your program to lp on its standard input.
>Only you have to be able to read the file to do this.
>The file will then be copied into a spool directory readable only
>by lp. No problem.

No problem? Why should we have to workaround a shortcoming of the
system?

The fact is that there is a bug in the system. The documentation
says that lp takes a filename as an argument and prints that file.
It doesn't say that it takes the name of a file that the user lp
can read and prints it, and you can bet that the original author
didn't intend this.

Of course, the current lp spooler can't last much longer. With
networking gradually working its way into System V, it's worth
looking at a nicer printer spooler like the Berkeley spooler or
(best of all) MDQS from BRL.

-- 
David Elliott		{decvax,ucbvax,ihnp4}!decwrl!mips!dce