From mpp@mpp.com  Fri Apr 14 08:28:58 1995
Received: from mpp.com (dialup-5-104.gw.umn.edu [128.101.96.104])
          by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id IAA20625
          for <FreeBSD-gnats-submit@freebsd.org>; Fri, 14 Apr 1995 08:28:54 -0700
Received: (from mpp@localhost) by mpp.com (8.6.11/8.6.9) id KAA02469; Fri, 14 Apr 1995 10:27:58 -0500
Message-Id: <199504141527.KAA02469@mpp.com>
Date: Fri, 14 Apr 1995 10:27:58 -0500
From: pritc003@maroon.tc.umn.edu
Reply-To: pritc003@maroon.tc.umn.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: lpd can allow users access to all of root's groups
X-Send-Pr-Version: 3.2

>Number:         342
>Category:       bin
>Synopsis:       lpd can allow users access to all of root's groups
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 14 08:30:00 1995
>Closed-Date:    Sat Sep 2 10:53:53 PDT 1995
>Last-Modified:  Sat Sep  2 10:54:45 PDT 1995
>Originator:     Mike Pritchard
>Release:        FreeBSD 2.1.0-Development i386
>Organization:
>Environment:


>Description:

If a /etc/printcap entry is set up to use a filtering program that
allows the user some control over it (e.g. apsfilter), then the user
can run commands as user daemon with all of root's groups.

>How-To-Repeat:

The latest version of apsfilter allows users to create a file
called ~/.apsfilterrc which is then executed by apsfilter anytime
it runs.  During execution, the process is running as daemon with
all of root's groups.  Verify this by adding "id > /tmp/id.aps" as the
first line of the .apsfilterrc file.

>Fix:
	
The following patch fixes lpd to call initgroups() and setgid() to 
restrict its group list anytime it forks off a command.

This still allows users to run as daemon.daemon, which really isn't
desirable either, but changing it to run the filtering programs as the
user would probably break any filters that depend on being daemon to write
accounting files.  At least this is a start.
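The privilege drop the patch describes, written out as an added example (not code from the PR or from lpd): it looks up the target uid, shrinks the group list before giving up root, checks every call's return value, and offers a getgroups()-based check that no inherited groups remain. The function names are assumptions for illustration.

```c
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <syslog.h>
#include <unistd.h>

/*
 * Drop from root to uid, replacing the inherited supplementary group
 * list with the target user's own.  Returns 0 on success, -1 on any
 * failure.  In a forked child the caller must exit on -1, never fall
 * back into the parent's code path still holding root's groups.
 * (Hypothetical helper; not lpd's dofork().)
 */
int drop_to_uid(uid_t uid)
{
	struct passwd *pwd;

	if ((pwd = getpwuid(uid)) == NULL) {
		syslog(LOG_ERR, "can't look up uid %lu", (unsigned long)uid);
		return (-1);
	}
	/* Group changes need root, so they come first; setuid() last. */
	if (setgid(pwd->pw_gid) < 0 ||
	    initgroups(pwd->pw_name, pwd->pw_gid) < 0 ||
	    setuid(uid) < 0) {
		syslog(LOG_ERR, "can't drop privileges to uid %lu",
		    (unsigned long)uid);
		return (-1);
	}
	/* Never trust a drop that was not verified. */
	if (getuid() != uid || geteuid() != uid || getegid() != pwd->pw_gid)
		return (-1);
	return (0);
}

/*
 * Return 1 if every supplementary group of the calling process is gid
 * (no inherited groups left), 0 if some other group remains, -1 on error.
 */
int groups_limited_to(gid_t gid)
{
	gid_t *groups;
	int n, i, ok = 1;

	if ((n = getgroups(0, NULL)) < 0)
		return (-1);
	if (n == 0)
		return (1);
	if ((groups = calloc((size_t)n, sizeof(*groups))) == NULL)
		return (-1);
	if ((n = getgroups(n, groups)) < 0) {
		free(groups);
		return (-1);
	}
	for (i = 0; i < n; i++)
		if (groups[i] != gid)
			ok = 0;
	free(groups);
	return (ok);
}
```

Run as root, drop_to_uid() succeeds and groups_limited_to() can confirm the result; as an unprivileged user initgroups() is refused and the function reports -1 instead of continuing half-dropped.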

Apply this patch to /usr/src/usr.sbin/lpr/lpd/printjob.c

*** orig/printjob.c	Fri Apr 14 08:27:42 1995
--- printjob.c	Fri Apr 14 09:22:21 1995
***************
*** 1065,1070 ****
--- 1065,1071 ----
  	int action;
  {
  	register int i, pid;
+ 	struct passwd *pwd;
  
  	for (i = 0; i < 20; i++) {
  		if ((pid = fork()) < 0) {
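Review bot: the new `struct passwd *pwd;` needs `<pwd.h>` for the struct definition and the `getpwuid()` prototype, and `initgroups()` used later in the patch is declared in `<grp.h>` on most systems; the hunk does not show the include list, so confirm printjob.c already includes both, or add them with this change.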
***************
*** 1074,1081 ****
  		/*
  		 * Child should run as daemon instead of root
  		 */
! 		if (pid == 0)
  			setuid(DU);
  		return(pid);
  	}
  	syslog(LOG_ERR, "can't fork");
--- 1075,1089 ----
  		/*
  		 * Child should run as daemon instead of root
  		 */
! 		if (pid == 0) {
! 			if ((pwd = getpwuid(DU)) == NULL) {
! 				syslog(LOG_ERR, "Can't lookup default uid in password file");
! 				break;
! 			}
! 			initgroups(pwd->pw_name, pwd->pw_gid);
! 			setgid(pwd->pw_gid);
  			setuid(DU);
+ 		}
  		return(pid);
  	}
  	syslog(LOG_ERR, "can't fork");
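Review bot: the `break;` on the `getpwuid(DU) == NULL` path runs in the child, so the child leaves the fork loop still root, logs the misleading "can't fork" message and then continues down the parent's code path; it should `exit(1)` here instead. Likewise the return values of `initgroups()`, `setgid()` and `setuid()` are ignored, so if any of them fails the child carries on with root's group list or uid, which is the exposure this patch is meant to close. Suggest checking all three and exiting on failure, e.g. `if (initgroups(pwd->pw_name, pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0 || setuid(DU) < 0) { syslog(LOG_ERR, "can't drop privileges"); exit(1); }`.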
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: mpp 
State-Changed-When: Sat Sep 2 10:53:53 PDT 1995 
State-Changed-Why:  
Fixed by: 

/home/ncvs/src/usr.sbin/lpr/lpd/printjob.c,v  <--  printjob.c 
new revision: 1.6; previous revision: 1.5 
>Unformatted: