Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watmath!clyde!rutgers!sunybcs!boulder!hao!oddjob!gargoyle!ihnp4!homxb!mtuxo!mtune!codas!killer!academ!uhnix1!sugar!peter
From: peter@sugar.UUCP
Newsgroups: comp.unix.questions,comp.bugs.sys5
Subject: Re: SysV lp spooler a security hole
Message-ID: <712@sugar.UUCP>
Date: Sat, 12-Sep-87 10:55:14 EDT
Article-I.D.: sugar.712
Posted: Sat Sep 12 10:55:14 1987
Date-Received: Sat, 19-Sep-87 06:47:09 EDT
References: <313@pvab.UUCP> <193@sortac.UUCP> <2028@ihlpe.ATT.COM>
Organization: Sugar Land UNIX - Houston, TX
Lines: 23
Xref: utgpu comp.unix.questions:3693 comp.bugs.sys5:220
Summary: It's not a bug in lp. It's a security feature.

That sounds like a joke, but it's for real. The only way the line printer
daemon can read your file is if it has read permission on it, right? It's
not running under your uid, right? Therefore some other uid has to be able
to read the file, right?

Note that I'm talking about the daemon, not the program "lp". Lp can,
of course, spawn off a program to setuid(getuid()) and read the file.
The line printer daemon can't.

Basically, the only way around that would be to give lpd root privilege.
This would be just asking for security problems (lp file, then rm the file
and ln to the protected file you want to get into). Thus the requirement
that the file be publicly readable is a security feature... at least you
are the one to make it available and you (presumably) know what you're doing.

The solution is to either "lp < file" or "lp -c file". The -c flag copies
the file to the spool directory, which is better than catting them all to
the printer 'cos you get the usual nice page breaks at the end of the file
and all that stuff. If lp -c requires the file to be publicly readable,
then that *is* a bug. But for plain lp it is, believe it or not, a feature.
-- 
-- Peter da Silva `-_-' ...!hoptoad!academ!uhnix1!sugar!peter
--                 'U`      ^^^^^^^^^^^^^^ Not seismo!soma (blush)