Subject: bin/2597: lpr and NFS-non-root-exported fails
To: None <gnats-bugs@NetBSD.ORG>
From: Michael Graff <explorer@flame.org>
List: netbsd-bugs
Date: 07/02/1996 16:35:14
>Number:         2597
>Category:       bin
>Synopsis:       lpr and NFS-non-root-exported fails
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jul  2 17:35:06 1996
>Last-Modified:
>Originator:     Michael Graff
>Organization:
flame.org:  yes, we do know everything
>Release:        -current<NetBSD-current source date>
>Environment:
	
System: NetBSD zhaneel.flame.org 1.2A NetBSD 1.2A (ZHANEEL) #0: Tue Jul 2 11:28:09 EDT 1996 explorer@zhaneel.flame.org:/usr/src/sys/arch/i386/compile/ZHANEEL i386


>Description:
When printing a mode 600 file, owned by ``explorer'' on an NFS mounted
directory which does NOT export root=0, lpr cannot print the file.

Note that I can't see the point of using seteuid(0) just before open()
is called on the input file...  That seems like a security hole
waiting to happen.

I believe these patches are correct.  In any case, they should either
break lpr or strengthen security, since I added no seteuid() calls,
and modified only to lower the privileges obtained.

>How-To-Repeat:
See above.
	
>Fix:
	
Apply this patch:

Index: lpr.c
===================================================================
RCS file: /a/cvsroot/src/usr.sbin/lpr/lpr/lpr.c,v
retrieving revision 1.10
diff -c -r1.10 lpr.c
*** lpr.c	1996/03/21 18:12:25	1.10
--- lpr.c	1996/07/02 20:28:01
***************
*** 354,360 ****
  		}
  		if (sflag)
  			printf("%s: %s: not linked, copying instead\n", name, arg);
! 		seteuid(euid);
  		if ((i = open(arg, O_RDONLY)) < 0) {
  			seteuid(uid);
  			printf("%s: cannot open %s\n", name, arg);
--- 355,361 ----
  		}
  		if (sflag)
  			printf("%s: %s: not linked, copying instead\n", name, arg);
! 		seteuid(uid);
  		if ((i = open(arg, O_RDONLY)) < 0) {
  			seteuid(uid);
  			printf("%s: cannot open %s\n", name, arg);
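Review bot: with the open now done as `uid`, the `seteuid(uid);` in the failure branch directly after `open(arg, O_RDONLY)` is a no-op and can be dropped. The larger issue is that neither seteuid call checks its return value: if the new `seteuid(uid)` fails, the open still runs with the saved effective uid, which is exactly what this change is meant to prevent. Suggest `if (seteuid(uid) == -1)` and treating that as a cannot-open error. Not visible in this context is whether the copy into the spool directory that follows still regains `euid` where it needs it; that path should be checked before committing.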
***************
*** 457,465 ****
  	register int ret;
  
  	if (*file != '/') {
- 		seteuid(euid);
  		if (getcwd(buf, BUFSIZ) == NULL) {
- 			seteuid(uid);
  			return(NULL);
  		}
  		while (file[0] == '.') {
--- 458,464 ----
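Review bot: the two deletions belong together and are consistent with each other, since the `seteuid(uid)` on the getcwd failure path only made sense while `seteuid(euid)` preceded it, and getcwd(3) has no need for root (on a root-squashed NFS mount running it as root is what fails for the user's own directories). The hunk shows no change on the success path, though: if a matching `seteuid(uid)` follows the `while (file[0] == '.')` loop, it is now redundant and should be removed in the same patch so the remaining seteuid calls stay paired and readable.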
***************
*** 587,593 ****
  	register int fd;
  	register char *cp;
  
! 	seteuid(euid);
  	if (access(file, 4) < 0) {
  		printf("%s: cannot access %s\n", name, file);
  		goto bad;
--- 586,592 ----
  	register int fd;
  	register char *cp;
  
! 	seteuid(uid);
  	if (access(file, 4) < 0) {
  		printf("%s: cannot access %s\n", name, file);
  		goto bad;
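Review bot: `access(file, 4)` decides using the real uid regardless of the effective uid, so changing `seteuid(euid)` to `seteuid(uid)` here does not alter what access(2) reports; its only effect is on the open that follows (not in this context). If that open now runs as `uid`, the kernel enforces the same permission check, so the access() pre-check is redundant and leaves a check-then-use window between the two calls; rely on the open failing instead of goto bad here. Separately, spell the mode as `R_OK` rather than the magic `4`.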
>Audit-Trail:
>Unformatted:
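Added example, not part of PR 2597 or the lpr sources: the open-as-invoking-user pattern the patch moves lpr toward, as a standalone C program. Function names (open_as_invoker, open_as_euid) are hypothetical. It opens a user-supplied path with the real uid in effect so the kernel, and a root-squashing NFS server, apply the user's own permissions, restores the saved effective uid afterwards, checks the seteuid return values the patch leaves unchecked, and preserves open()'s errno across the restore. The second function keeps the shape the report objects to, for contrast.

```c
/* Added example (not from the NetBSD PR or lpr source): open a path named
 * by the invoking user with the real uid in effect, then restore the saved
 * effective uid for whatever privileged work follows. Function names are
 * hypothetical. Build as an ordinary binary to run the self-check; make it
 * setuid root to see the two opens disagree on a file you cannot read. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <sys/types.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open PATH read-only as the real uid. Returns the fd, or -1 with errno set.
 * The effective uid is restored on every path; if restoring fails the
 * process stays unprivileged (the safe direction) and *restore_err carries
 * the errno so the caller can decide whether it can continue. */
int open_as_invoker(const char *path, int *restore_err)
{
    uid_t ruid = getuid();
    uid_t saved_euid = geteuid();
    int fd, saved_errno;

    *restore_err = 0;
    if (seteuid(ruid) == -1)
        return -1;            /* could not drop: refuse to open as root */

    fd = open(path, O_RDONLY);
    saved_errno = errno;      /* keep open()'s errno across seteuid() */

    if (seteuid(saved_euid) == -1)
        *restore_err = errno;
    errno = saved_errno;
    return fd;
}

/* The shape the PR objects to: open with the saved (setuid) euid in effect.
 * In a setuid-root lpr this reads anything root can read, such as another
 * user's mode 600 file, and on an NFS mount exported without root=0 it fails
 * for the user's own files. Kept here only for contrast. */
int open_as_euid(const char *path)
{
    return open(path, O_RDONLY);
}

int main(int argc, char **argv)
{
    int rerr, fd;

    if (argc != 2) {
        fprintf(stderr, "usage: %s file\n", argv[0]);
        return 2;
    }
    fd = open_as_invoker(argv[1], &rerr);
    printf("open as real uid %u: %s\n", (unsigned)getuid(),
           fd >= 0 ? "ok" : strerror(errno));
    if (fd >= 0)
        close(fd);
    if (rerr)
        fprintf(stderr, "could not restore euid: %s\n", strerror(rerr));

    fd = open_as_euid(argv[1]);
    printf("open as effective uid %u: %s\n", (unsigned)geteuid(),
           fd >= 0 ? "ok" : strerror(errno));
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Run unprivileged, both opens agree. Installed setuid root and pointed at a mode 600 file owned by someone else, the first open fails with EACCES while the second succeeds, which is the hole the report points at; pointed at the user's own file on a mount exported without root=0, it is the second open that fails, which is the failure the report describes.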