Contributed by jose on from the chmod-u-s dept.
Remove setuid root from lp*. lpr needs to be setuid daemon so the files it creates are not owned by the user spooling them, but the others (lpc, lpq, lprm) can get away with setgid daemon. lpd runs as user daemon for most things, only changing its uid to 0 for things that must be done as root. For the time being, don't require connections to come from a reserved port since lpq/lpr/lprm can't acquire that w/o setuid root. In the near future we will have a mechanism for select non-root processes to grab reserved ports. The upshot of this is that spool directories must be writable by group daemon and the files within the spool dirs must be owned by daemon.

This proactively closes a whole class of security holes (a bug in lpq or lpc is no longer a root compromise, only a compromise of the daemon group) and leads the way by example in privilege separation. Note that lprm(1) is exempt from this list and is still setuid root. For a really good paper on what setuid actually means on the various Unix flavours, read Setuid Demystified by UC Berkeley researchers Hao Chen and David Wagner, with Drew Dean, to be presented at this year's USENIX Security Conference.
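The two identity-handling patterns in the commit message, the permanent drop that lpq/lpc can use and the temporary drop-and-regain that lpd uses around its root-only work, plus a check for the spool directory layout the commit requires (group daemon may write the directory, every file in it owned by daemon), as an added example in C. This is not code from OpenBSD's lpr/lpd; the function names, the throwaway directory under /tmp and the lpr-style control file name are assumptions for illustration, and the demo functions use the caller's own uid/gid so the example runs without root.

```c
/* Added example, not from OpenBSD's lpr/lpd.  Builds on OpenBSD and Linux. */
#include <sys/types.h>
#include <sys/stat.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Permanent drop (the lpq/lpc case): once we are uid/gid there is no way back.
 * Call it while the effective uid is still 0 (or already the target): an
 * unprivileged setuid(2) only changes the effective uid and leaves the saved
 * uid behind, the classic trap Setuid Demystified documents.  gid first, while
 * we are still allowed to change it.  A real daemon also clears supplementary
 * groups with setgroups(2) before this.  Returns 0, or -1 with errno set. */
int drop_privs(uid_t uid, gid_t gid)
{
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    /* Never trust the call: check every id, then check that root is gone. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    if (uid != 0 && seteuid(0) == 0) {   /* regaining root worked: drop was partial */
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Temporary drop (the lpd case): run fn with effective uid 'uid' while root
 * stays in the saved uid, then switch back.  Returns fn's result, or -1 if a
 * switch fails; failing to regain root must be treated as fatal by the caller,
 * not as something to carry on from with the wrong identity. */
int run_as(uid_t uid, int (*fn)(void *), void *arg)
{
    uid_t saved = geteuid();
    int rc;

    if (seteuid(uid) == -1)
        return -1;
    rc = fn(arg);
    if (seteuid(saved) == -1)
        return -1;
    return rc;
}

/* Spool layout from the commit: directory writable by 'group', every entry
 * owned by 'owner'.  Also refuses a world-writable directory, since that would
 * let any user tamper with the queue.  Returns 1 if the layout is right. */
int spool_dir_ok(const char *dir, uid_t owner, gid_t group)
{
    struct stat st;
    struct dirent *de;
    DIR *d;
    char path[1024];
    int ok = 1;

    if (stat(dir, &st) == -1 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_gid != group || !(st.st_mode & S_IWGRP) || (st.st_mode & S_IWOTH))
        return 0;
    if ((d = opendir(dir)) == NULL)
        return 0;
    while ((de = readdir(d)) != NULL) {
        if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0)
            continue;
        snprintf(path, sizeof path, "%s/%s", dir, de->d_name);
        if (lstat(path, &st) == -1 || st.st_uid != owner) {
            ok = 0;
            break;
        }
    }
    closedir(d);
    return ok;
}

static int record_euid(void *arg)
{
    *(uid_t *)arg = geteuid();
    return 0;
}

/* run_as with the caller's own uid: the callback must see that uid and the
 * original effective uid must be back afterwards.  Returns 1 on success. */
int demo_run_as(void)
{
    uid_t before = geteuid(), seen = (uid_t)-1;

    if (run_as(getuid(), record_euid, &seen) == -1)
        return 0;
    return seen == getuid() && geteuid() == before;
}

/* Constructed spool directory under /tmp (hypothetical name): the check must
 * pass with the required layout and fail once the group write bit is gone.
 * Returns 1 if both results are as expected. */
int demo_spool_check(void)
{
    char dir[64], file[96];
    int fd, good, bad;

    snprintf(dir, sizeof dir, "/tmp/spool.%ld", (long)getpid());
    if (mkdir(dir, 0700) == -1)
        return 0;
    snprintf(file, sizeof file, "%s/cfA001host", dir);   /* lpr-style control file */
    if ((fd = open(file, O_WRONLY | O_CREAT, 0660)) == -1) {
        rmdir(dir);
        return 0;
    }
    close(fd);
    chmod(dir, 0770);                                    /* group may write: required */
    good = spool_dir_ok(dir, getuid(), getgid());
    chmod(dir, 0750);                                    /* group can no longer write */
    bad = spool_dir_ok(dir, getuid(), getgid());
    unlink(file);
    rmdir(dir);
    return good == 1 && bad == 0;
}

int main(void)
{
    printf("run_as: %s\n", demo_run_as() ? "ok" : "failed");
    printf("drop_privs: %s\n", drop_privs(getuid(), getgid()) == 0 ? "ok" : strerror(errno));
    printf("spool check: %s\n", demo_spool_check() ? "ok" : "failed");
    return 0;
}
```

The ordering in drop_privs is the point worth remembering: gid before uid, and a verification pass afterwards rather than trusting the return value, because the semantics of setuid(2) differ between systems and a partial drop leaves root reachable through the saved uid.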
We'll have more of the bigger changes from the hackathon as they flesh out.