From mpp@mpp.com Fri Apr 14 08:28:58 1995
Received: from mpp.com (dialup-5-104.gw.umn.edu [128.101.96.104]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id IAA20625 for ; Fri, 14 Apr 1995 08:28:54 -0700
Received: (from mpp@localhost) by mpp.com (8.6.11/8.6.9) id KAA02469; Fri, 14 Apr 1995 10:27:58 -0500
Message-Id: <199504141527.KAA02469@mpp.com>
Date: Fri, 14 Apr 1995 10:27:58 -0500
From: pritc003@maroon.tc.umn.edu
Reply-To: pritc003@maroon.tc.umn.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: lpd can allow users access to all of root's groups
X-Send-Pr-Version: 3.2

>Number: 342
>Category: bin
>Synopsis: lpd can allow users access to all of root's groups
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: closed
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Apr 14 08:30:00 1995
>Closed-Date: Sat Sep 2 10:53:53 PDT 1995
>Last-Modified: Sat Sep 2 10:54:45 PDT 1995
>Originator: Mike Pritchard
>Release: FreeBSD 2.1.0-Development i386
>Organization:
>Environment:
>Description:
If a /etc/printcap entry is set up to use a filtering program that allows the user some control over it (e.g. apsfilter), then the user can run commands as user daemon with all of root's groups.
>How-To-Repeat:
The latest version of apsfilter allows users to create a file called ~/.apsfilterrc which is then executed by apsfilter anytime it runs. During execution, the process is running as daemon with all of root's groups. Verify this by adding an "id > /tmp/id.aps" as the first line of the .apsfilterrc file.
>Fix:
The following patch fixes lpd to call initgroups() and setgid() to restrict its group list anytime it forks off a command. This still allows users to run as daemon.daemon, which really isn't desirable either, but changing it to run the filtering programs as the user would probably break any filters that depend on being daemon to write accounting files. At least this is a start.
Apply this patch to /usr/src/usr.sbin/lpr/lpd/printjob.c *** orig/printjob.c Fri Apr 14 08:27:42 1995 --- printjob.c Fri Apr 14 09:22:21 1995 *************** *** 1065,1070 **** --- 1065,1071 ---- int action; { register int i, pid; + struct passwd *pwd; for (i = 0; i < 20; i++) { if ((pid = fork()) < 0) { *************** *** 1074,1081 **** /* * Child should run as daemon instead of root */ ! if (pid == 0) setuid(DU); return(pid); } syslog(LOG_ERR, "can't fork"); --- 1075,1089 ---- /* * Child should run as daemon instead of root */ ! if (pid == 0) { ! if ((pwd = getpwuid(DU)) == NULL) { ! syslog(LOG_ERR, "Can't lookup default uid in password file"); ! break; ! } ! initgroups(pwd->pw_name, pwd->pw_gid); ! setgid(pwd->pw_gid); setuid(DU); + } return(pid); } syslog(LOG_ERR, "can't fork"); >Release-Note: >Audit-Trail: State-Changed-From-To: open->closed State-Changed-By: mpp State-Changed-When: Sat Sep 2 10:53:53 PDT 1995 State-Changed-Why: Fixed by: /home/ncvs/src/usr.sbin/lpr/lpd/printjob.c,v <-- printjob.c new revision: 1.6; previous revision: 1.5 >Unformatted:
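Review bot: In the second hunk, `break` after a failed getpwuid() runs in the child, so the child leaves the fork loop and continues into the code after it (the `syslog(LOG_ERR, "can't fork")` path) while still uid 0 and still carrying root's groups; the child should terminate instead, e.g. `exit(1);` in place of `break;`. The return values of `initgroups(pwd->pw_name, pwd->pw_gid)`, `setgid(pwd->pw_gid)` and the pre-existing `setuid(DU)` are also unchecked, so any of them failing would silently leave the filter with exactly the group list this PR is fixing; each should be tested and the child should exit on failure. The ordering itself (initgroups, then setgid, then setuid) is right, since once setuid() has given up root the group changes would no longer be permitted. Minor style point: the new message "Can't lookup default uid in password file" is capitalised unlike the neighbouring "can't fork".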
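The fix text above describes the privilege-drop order that matters here: supplementary groups first (initgroups()), then the primary gid (setgid()), then the uid (setuid()), because after setuid() has given up root the earlier two calls can no longer succeed. The following is an added example written for this page, not code from the PR or from FreeBSD's lpd, showing that sequence with the error checks the patch omits and a post-drop verification of the kind the reporter did by hand with id(1). The function names drop_to_user, verify_groups and foreign_groups are my own, and the "daemon" account name stands in for lpd's DU; it assumes a POSIX system.

```c
/* Added example: drop root privileges in the order the PR's fix describes,
 * checking every step and verifying the result. Not lpd's own code. */
#include <sys/types.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Count entries in a group list other than `allowed`.
 * Pure helper so the check can be exercised on a constructed list. */
int foreign_groups(const gid_t *list, int n, gid_t allowed)
{
    int foreign = 0;
    for (int i = 0; i < n; i++)
        if (list[i] != allowed)
            foreign++;
    return foreign;
}

/* Return 0 if the calling process's supplementary group list holds nothing
 * but `allowed`, -1 otherwise. This is the condition that was violated in
 * the PR: root's groups surviving into the filter process. */
int verify_groups(gid_t allowed)
{
    int n = getgroups(0, NULL);           /* query the list length first */
    if (n < 0)
        return -1;
    gid_t *list = calloc((size_t)n + 1, sizeof *list);
    if (list == NULL)
        return -1;
    n = getgroups(n + 1, list);
    int foreign = (n < 0) ? -1 : foreign_groups(list, n, allowed);
    free(list);
    return foreign == 0 ? 0 : -1;
}

/* Drop from root to account `name`. Order: supplementary groups, primary
 * gid, then uid; once setuid() has given up root, initgroups() and setgid()
 * would fail, which is why a bare setuid(DU) kept root's groups.
 * Returns 0 on success, -1 with errno set on any failure. */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) {
        errno = ENOENT;                   /* getpwnam may leave errno 0 for a missing user */
        return -1;
    }
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;

    /* Confirm the drop took effect and cannot be undone. */
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid ||
        getgid() != pw->pw_gid || getegid() != pw->pw_gid) {
        errno = EPERM;
        return -1;
    }
    if (pw->pw_uid != 0 && setuid(0) == 0) {
        errno = EPERM;                    /* regained root: the drop was incomplete */
        return -1;
    }
    return verify_groups(pw->pw_gid);     /* no foreign supplementary groups left */
}

/* Stand-alone use: run as root, drop to the named account (default "daemon",
 * standing in for lpd's DU), and report what is left. */
int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "daemon";
    if (drop_to_user(user) != 0) {
        perror("drop_to_user");
        return 1;
    }
    printf("now uid=%u gid=%u, supplementary groups limited to gid %u\n",
           (unsigned)getuid(), (unsigned)getgid(), (unsigned)getgid());
    return 0;
}
```

In lpd's dofork() the equivalent call belongs in the child immediately after fork(), with the child exiting rather than returning if it fails, so a lookup or setuid failure can never hand a root-privileged process to the filter.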