OpenBSD Journal

lp* no longer set uid root

Contributed by jose on from the chmod-u-s dept.

One thing that happened in the hackathon in Calgary was the removal of the setuid root bit from most of the lp* tools. The commits in the Makefiles read:
Remove setuid root from lp*.  lpr needs to be setuid daemon so the
files it creates are not owned by the user spooling them but the
others (lpc, lpq, lprm) can get away with setgid daemon.  lpd runs
as user daemon for most things, only changing its uid to 0 for
things that must be done as root.

For the time being, don't require connections to come from a reserved
port since lpq/lpr/lprm can't acquire that w/o setuid root.  In the
near future we will have a mechanism for select non-root processes
to grab reserved ports.

The upshot of this is that spool directories must be writable by
group daemon and the files within the spool dirs must be owned by
daemon.
This can proactively fix a number of security holes and lead the way by example in privilege segmentation. Note that lprm(1) is exempt from this list and is still setuid root. For a really good paper on what setuid means, you should read Setuid Demystified by UC Berkeley researcher David Wagner, to be presented at this year's Usenix Security Conference.

We'll have more of the bigger changes from the hackathon as they flesh out.



Comments
  1. By Ben Goren () ben@trumpetpower.com on http://www.trumpetpower.com/

    In the
    near future we will have a mechanism for select non-root processes
    to grab reserved ports.



    I'm especially intrigued by this. Does it really mean what I think it does? Will, for example, named and httpd no longer (be initially) run as root? (I'm guessing that processes that do authentication will still need a window for decrypting /etc/passwd, if nothing else.)

    If so--hallelujah, praise the code!

    b&

  2. By Jeffrey Flowers () jeffrey@jeffreyf.net on mailto:jeffrey@jeffreyf.net

    Is there a non-.ps version available somewhere?


  3. By Anonymous () on

    I have some questions that I hope are not too stupid.

    1. Is it possible to have a Unix system without setuid binaries?

    2. Why do we have "privileged ports" in the first place?

    3. There are several projects to add ACLs to Unix-like systems like FreeBSD and OpenBSD. Not that it is a goal but could a free Unix OS use only ACLs as its only method of security? If so, wouldn't that wreck most existing programs?

    Thanks!
