Subject: bin/2597: lpr and NFS-non-root-exported fails
To: None <gnats-bugs@NetBSD.ORG>
From: Michael Graff <explorer@flame.org>
List: netbsd-bugs
Date: 07/02/1996 16:35:14
>Number: 2597
>Category: bin
>Synopsis: lpr and NFS-non-root-exported fails
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Jul 2 17:35:06 1996
>Last-Modified:
>Originator: Michael Graff
>Organization:
flame.org: yes, we do know everything
>Release: -current<NetBSD-current source date>
>Environment:
System: NetBSD zhaneel.flame.org 1.2A NetBSD 1.2A (ZHANEEL) #0: Tue Jul 2 11:28:09 EDT 1996 explorer@zhaneel.flame.org:/usr/src/sys/arch/i386/compile/ZHANEEL i386
>Description:
When printing a mode 600 file, owned by ``explorer'' on an NFS mounted
directory which does NOT export root=0, lpr cannot print the file.
Note that I can't see the point of using seteuid(0) just before open()
is called on the input file... That seems like a security hole
waiting to happen.
I believe these patches are correct. In any case, they should either
break lpr or strengthen security, since I added no seteuid() calls,
and modified only to lower the privileges obtained.
>How-To-Repeat:
See above.
>Fix:
Apply this patch:
Index: lpr.c
===================================================================
RCS file: /a/cvsroot/src/usr.sbin/lpr/lpr/lpr.c,v
retrieving revision 1.10
diff -c -r1.10 lpr.c
*** lpr.c 1996/03/21 18:12:25 1.10
--- lpr.c 1996/07/02 20:28:01
***************
*** 354,360 ****
}
if (sflag)
printf("%s: %s: not linked, copying instead\n", name, arg);
! seteuid(euid);
if ((i = open(arg, O_RDONLY)) < 0) {
seteuid(uid);
printf("%s: cannot open %s\n", name, arg);
--- 355,361 ----
}
if (sflag)
printf("%s: %s: not linked, copying instead\n", name, arg);
! seteuid(uid);
if ((i = open(arg, O_RDONLY)) < 0) {
seteuid(uid);
printf("%s: cannot open %s\n", name, arg);
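Review bot: with open() now running as uid, the `seteuid(uid);` in the error branch right after it is a no-op and can be dropped; more importantly, confirm that the code following a successful open (outside this context) still raises the effective uid back before any spool-file work that needs it, since the only switch visible in this hunk now points at uid on both paths. The change itself is the right direction: the file is named by the invoker, so the open should see the invoker's permissions, which is also what lets a mode-600 file on an NFS mount without root=0 open at all.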
***************
*** 457,465 ****
register int ret;
if (*file != '/') {
- seteuid(euid);
if (getcwd(buf, BUFSIZ) == NULL) {
- seteuid(uid);
return(NULL);
}
while (file[0] == '.') {
--- 458,464 ----
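Review bot: deleting the seteuid(euid)/seteuid(uid) pair around getcwd() leaves getcwd() running with whatever effective uid the caller holds at that point; check that this function is entered with the effective uid already lowered to uid, otherwise the privilege the hunk means to remove is still present, just implicit. With the pair gone, the `return(NULL)` error path correctly needs no restore, and neither does the `while (file[0] == '.')` loop that follows.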
***************
*** 587,593 ****
register int fd;
register char *cp;
! seteuid(euid);
if (access(file, 4) < 0) {
printf("%s: cannot access %s\n", name, file);
goto bad;
--- 586,592 ----
register int fd;
register char *cp;
! seteuid(uid);
if (access(file, 4) < 0) {
printf("%s: cannot access %s\n", name, file);
goto bad;
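Review bot: `access(file, 4)` should read `access(file, R_OK)`; and note that access(2) checks permissions against the real uid regardless of the effective uid, so the old seteuid(euid) never affected this check in the first place. What the change to seteuid(uid) actually alters is the open that fills `fd` below it, which now runs with the invoker's permissions, so the access() check and the open it guards finally agree on whose permissions apply.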
>Audit-Trail:
>Unformatted:
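A stand-alone illustration of the pattern the report argues for: a set-uid program that must open a file named by its invoker switches its effective uid to the real uid around the open(2), so the kernel, or an NFS server that maps root to nobody, applies the invoker's permissions, and then switches back. This is added example code, not part of the PR, of NetBSD's lpr, or of the patch above; the functions open_as_invoker(), make_sample_file() and demo_roundtrip() and the /tmp template path are this example's own.

```c
/* Added example (not the PR's or NetBSD's code): open a user-named file
 * with the invoker's privileges, the way the patch makes lpr do it. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open `path` read-only as the real user. Returns the descriptor, or -1
 * with errno set. The effective uid is restored on every return path and
 * the errno from open() survives the restore. (Hypothetical helper.) */
int open_as_invoker(const char *path)
{
    uid_t real = getuid();
    uid_t saved = geteuid();
    int fd, saved_errno;

    /* Drop to the invoker. If that fails, refuse rather than open with
     * privilege, which is the mistake the report describes. */
    if (seteuid(real) == -1)
        return -1;

    fd = open(path, O_RDONLY);
    saved_errno = errno;

    /* Regain the privileged euid for whatever privileged work follows.
     * If that fails the program cannot continue safely, so fail loudly. */
    if (seteuid(saved) == -1) {
        if (fd != -1)
            close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Constructed sample input: a mode-0600 file owned by whoever runs this,
 * mirroring the "mode 600 file, owned by explorer" case in the report.
 * mkstemp() creates the file 0600; the template is copied each call. */
static char sample_path[64];

const char *make_sample_file(void)
{
    int fd;

    strcpy(sample_path, "/tmp/lpr-example-XXXXXX");   /* example path */
    fd = mkstemp(sample_path);
    if (fd == -1)
        return NULL;
    if (write(fd, "hello printer\n", 14) != 14) {
        close(fd);
        unlink(sample_path);
        return NULL;
    }
    close(fd);
    return sample_path;
}

/* Create the sample file, open it as the invoker, clean up.
 * Returns 1 when the open succeeded, 0 otherwise. */
int demo_roundtrip(void)
{
    const char *p = make_sample_file();
    int fd, ok;

    if (p == NULL)
        return 0;
    fd = open_as_invoker(p);
    ok = (fd != -1);
    if (ok)
        close(fd);
    unlink(p);
    return ok;
}

int main(void)
{
    if (demo_roundtrip())
        printf("opened the 0600 sample file as the invoker\n");
    else
        printf("open_as_invoker failed: %s\n", strerror(errno));
    /* A missing path fails as the invoker too, with errno intact. */
    if (open_as_invoker("/nonexistent-dir-for-example/file") == -1)
        printf("missing file: %s\n", strerror(errno));
    return 0;
}
```

When run unprivileged, real and effective uid already coincide and both seteuid() calls are no-ops; the point of the helper is that the same code is still correct when installed set-uid, because the privileged uid is never the one that opens the user's file.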