Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!munnari!mimir!wacsvax!frank
From: frank@wacsvax.OZ (Frank O'Connor)
Newsgroups: comp.bugs.sys5
Subject: Re: SysV lp spooler a security hole (a fix)
Message-ID: <664@wacsvax.OZ>
Date: Tue, 22-Sep-87 06:25:59 EDT
Article-I.D.: wacsvax.664
Posted: Tue Sep 22 06:25:59 1987
Date-Received: Thu, 24-Sep-87 03:29:53 EDT
References: <313@pvab.UUCP>
Reply-To: frank@wacsvax.uwa.oz.OZ (Frank O'Connor)
Organization: Comp Sci, University of Western Australia
Lines: 56
Summary: Then change it!

In article <313@pvab.UUCP> robert@pvab.UUCP (Robert Claeson) writes:
>The System V print spooler runs as a SUID 'lp' command, which
>means that the files I want to print must be readable by others or,
>if I'm lucky, by the group. This implies that anyone on the system
>will be able to print, copy or read the files ...

I didn't like what it did either, and after persuasion from other people
in the department, I got in and CHANGED it. I know, you probably don't
have the source code licence.

Most of the changes involved changing the ownership and access permissions
of the programs, and the lp spool directory hierarchy. There were only
minor changes to the programs.

First, I created a group called daemon, and made all the programs owned by
group daemon, and most of the files in the spool directory.
Specifically, the programs were changed as follows:

	/usr/bin/cancel      2755  lp    daemon
	/usr/bin/disable     6750  lp    daemon
	/usr/bin/enable      6750  lp    daemon
	/usr/bin/lp          2755  lp    daemon
	/usr/bin/lpstat      2755  lp    daemon
	/usr/lib/accept      6750  lp    daemon
	/usr/lib/lpadmin     6750  root  daemon  *
	/usr/lib/lpmove      6750  lp    daemon
	/usr/lib/lpsched     6750  root  daemon  *
	/usr/lib/lpshut      6750  lp    daemon
	/usr/lib/reject      6750  lp    daemon

And the files were all changed to owner 'lp', group 'daemon', mode 660 for
files, and 770 for directories, with the exceptions of:

	.../lp/FIFO           owned by root
	.../lp/SCHEDLOCK      owned by root, mode 444
	.../lp/log            owned by root
	.../lp/oldlog         owned by root
	.../lp/outputq        owned by root
	.../lp/interface/lp0  mode 770

The changes to the code were to allow for the group being 'daemon', the
owner of lpadmin and lpsched being 'root', and to change the default file
creation modes to the above. I made changes to the makefile to reflect the
above.

The changes were not difficult once I had made up my mind that they should
be done (it took a while to convince myself anyone would release a system
with such an obvious bug!).

There are no security loopholes that I know of. 'lp' still checks for
permission to be able to print the file, and therefore lpsched doesn't need
to. Users can't write to the spool directory, or read files in it, so
security of the spool files is maintained.

I hope this helps. I am surprised no one else has done it. I am a long way
from being a Unix guru. I would be interested in any comments. etc.
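An audit script for the ownership and mode layout the post describes, added here as an example and not part of the original post. It assumes GNU stat (for `-c '%a %U %G'`) and takes the spool directory as an argument, since the post writes that path only as ".../lp".

```shell
#!/bin/sh
# Added audit helper (not from the original post): checks that each program
# and spool file carries the mode/owner/group the post assigns it.
# Assumes GNU stat (-c '%a %U %G').

# Policy taken from the post, one "path mode owner group" per line.
# $1 is the spool directory, which the post writes only as ".../lp".
spool_policy() {
  cat <<EOF
/usr/bin/cancel 2755 lp daemon
/usr/bin/lp 2755 lp daemon
/usr/bin/lpstat 2755 lp daemon
/usr/lib/lpadmin 6750 root daemon
/usr/lib/lpsched 6750 root daemon
$1/SCHEDLOCK 444 root daemon
$1/interface/lp0 770 lp daemon
EOF
}

# check_entry PATH MODE OWNER GROUP
# Returns 0 if PATH matches, 1 otherwise (printing what differs).
check_entry() {
  path=$1; want_mode=$2; want_owner=$3; want_group=$4
  if [ ! -e "$path" ]; then
    echo "MISSING  $path"
    return 1
  fi
  # %a prints the mode in octal including setuid/setgid bits, e.g. 6750
  set -- $(stat -c '%a %U %G' "$path")
  if [ "$1" != "$want_mode" ] || [ "$2" != "$want_owner" ] || [ "$3" != "$want_group" ]; then
    echo "MISMATCH $path: have $1 $2 $3, want $want_mode $want_owner $want_group"
    return 1
  fi
  return 0
}

# audit_policy reads policy lines on stdin; returns the number of entries
# that are missing or differ (0 means the tree is as the post describes).
audit_policy() {
  bad=0
  while read -r p m o g; do
    [ -n "$p" ] || continue
    check_entry "$p" "$m" "$o" "$g" || bad=$((bad + 1))
  done
  return $bad
}

# Usage on a live system: spool_policy /path/to/lp | audit_policy
```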