Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!ut-sally!im4u!rutgers!mtune!akgua!sortac!pls
From: pls@sortac.UUCP (Pat Sullivan)
Newsgroups: comp.unix.questions,comp.bugs.sys5
Subject: Re: SysV lp spooler a security hole
Message-ID: <193@sortac.UUCP>
Date: Tue, 8-Sep-87 08:27:38 EDT
Article-I.D.: sortac.193
Posted: Tue Sep  8 08:27:38 1987
Date-Received: Wed, 9-Sep-87 04:00:34 EDT
References: <313@pvab.UUCP>
Reply-To: pls@sortac.UUCP (Pat Sullivan)
Organization: AT&T Southern Region, Atlanta
Lines: 27
Xref: mnetor comp.unix.questions:3940 comp.bugs.sys5:187

In article <313@pvab.UUCP> robert@pvab.UUCP (Robert Claeson) writes:
>The System V print spooler runs as a SUID 'lp' command, which
>means that the files I want to print must be readable by others or,
>if I'm lucky, by the group. This implies that anyone on the system
>will be able to print, copy or read the files ...

Not really; all you need to do is "lp < secretstuff".

You should be aware, however, that lp spools its requests in cat'able files
"/usr/spool/lp/request/[class]/d0-[sequence]", but these are normally
readable only by user "lp" and group "bin".

If you are really paranoid, you can play games to make the "d0-" files
nonsense (sorry about crypt ...) - "lp" doesn't care what they contain
when it spools them), and put a translator in the printer interface
(/usr/spool/lp/interface/[printer]).  The translator could be made to
work only when the user is "lp" and the output file is your printer.
Then you just have to make sure that you get to the printer before
anyone else (:-).

>SNAIL:	Robert Claeson, PVAB, P.O. Box 4040, S-171 04 Solna, Sweden
>UUCP:	{seismo,mcvax,munnari}!enea!pvab!robert
>ARPA:	enea!pvab!robert@seismo.arpa

My opinions, not AT&T's, etc. etc.
============================================================
Pat Sullivan - {akgua|ihnp4}!sortac!pls - voice 404-257-7382