Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!cmcl2!rutgers!labrea!decwrl!pyramid!uccba!hal!ncoast!allbery
From: allbery@ncoast.UUCP (Brandon Allbery)
Newsgroups: comp.unix.questions,comp.bugs.sys5
Subject: Re: SysV lp spooler a security hole
Message-ID: <4484@ncoast.UUCP>
Date: Tue, 8-Sep-87 18:02:47 EDT
Article-I.D.: ncoast.4484
Posted: Tue Sep 8 18:02:47 1987
Date-Received: Thu, 10-Sep-87 07:05:43 EDT
References: <313@pvab.UUCP>
Reply-To: allbery@ncoast.UUCP (Brandon Allbery)
Followup-To: comp.unix.questions
Organization: Cleveland Public Access UN*X, Cleveland, Oh
Lines: 23
Xref: mnetor comp.unix.questions:3958 comp.bugs.sys5:193

As quoted from <313@pvab.UUCP> by robert@pvab.UUCP (Robert Claeson):
+---------------
| The System V print spooler runs as a SUID 'lp' command, which
| means that the files I want to print must be readable by others or,
| if I'm lucky, by the group. This implies that anyone on the system
| will be able to print, copy or read the files I want to be able
| to print.
+---------------

Earlier spoolers (i.e. lpr) were setuid root, which is potentially an even
bigger security violation...

What I don't understand is why the lp command doesn't fork a child connected
by a pipe and have the child lose setuid and read the files to be printed,
passing the data over the pipe to the parent which spools them. Yes, it's a
little slower (one fork per file), but show me the security holes.
--
Brandon S. Allbery, moderator of comp.sources.misc
{{harvard,mit-eddie}!necntc,well!hoptoad,sun!mandrill!hal}!ncoast!allbery
ARPA: necntc!ncoast!allbery@harvard.harvard.edu Fido: 157/502 MCI: BALLBERY
<> All opinions in this message are random characters produced when my cat jumped
(-: up onto the keyboard of my PC. :-)
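
The design suggested in the post above, as an added example (not code from the post or from any System V lp source): a forked child gives up the set-uid identity and reads the file with the invoking user's permissions, and the parent spools only what arrives on the pipe. The function names, the exit codes and the use of setregid/setreuid for the drop are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <sys/wait.h>
#include <unistd.h>

static long copy_fd(int in_fd, int out_fd) {   /* bytes copied, or -1 */
    char buf[4096];
    long total = 0;
    ssize_t n;
    while ((n = read(in_fd, buf, sizeof buf)) > 0) {
        if (write(out_fd, buf, (size_t)n) != n)
            return -1;
        total += n;
    }
    return n < 0 ? -1 : total;
}

/* Child: give up the spooler identity for good, then read the file with
 * the invoking user's own permissions and stream it into the pipe. */
static void child_read(const char *path, int wfd) {
    uid_t ruid = getuid(), euid = geteuid();
    if (setregid(getgid(), getgid()) != 0 || setreuid(ruid, ruid) != 0)
        _exit(2);                 /* group first, then user; both must work */
    if (euid != ruid && setuid(euid) == 0)
        _exit(2);                 /* spooler uid regained: drop did not stick */
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        _exit(1);                 /* invoker cannot read it: refuse */
    _exit(copy_fd(fd, wfd) < 0 ? 3 : 0);
}

/* Parent: keeps the spooler identity, never opens `path` itself, and copies
 * what the child sends into spool_fd. Returns bytes spooled, or -1. */
long spool_via_child(const char *path, int spool_fd) {
    int p[2], status;
    if (pipe(p) != 0)
        return -1;
    pid_t pid = fork();           /* -1 falls through and is reported below */
    if (pid == 0) {
        close(p[0]);
        child_read(path, p[1]);   /* does not return */
    }
    close(p[1]);                  /* read() sees EOF once the child exits */
    long total = copy_fd(p[0], spool_fd);
    close(p[0]);
    int ok = pid > 0 && waitpid(pid, &status, 0) == pid &&
             WIFEXITED(status) && WEXITSTATUS(status) == 0;
    return ok ? total : -1;
}
```

A return of -1 after a partial read means the spool file may hold incomplete data, so the caller should discard it.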