[3177] in bugtraq
Re: setuid lp script
daemon@ATHENA.MIT.EDU (Casper Dik)
Thu Aug 15 15:39:52 1996
Date: Thu, 15 Aug 1996 17:46:45 +0200
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Casper Dik <casper@holland.Sun.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: Your message of "Wed, 14 Aug 1996 13:22:01 +1000."
<Pine.GSO.3.93.960814131859.607g-100000@pulse>
>What is the purpose of /etc/lp/alters/printers on a Solaris machine?
>It is a setuid lp script. I have run Casper's fix-modes script, but
>this file's permissions were not changed.

The fix-modes script only fixed about 4000+ group writable files/directories.
It doesn't fix set-uid/set-gid programs that shouldn't be.
(Such as sulogin, login, /sbin/su)

I have no idea what /etc/lp/alerts/printers does.
However, I never bothered to get it fixed because it's harmless.

A set-uid shell script that doesn't start with "#!/bin/sh -p" will
cause /bin/sh to reset the euid back to the ruid immediately.

As truss shows:

    4423: execve("/etc/lp/alerts/printer", 0xEFFFF7F4, 0xEFFFF7FC) argc = 2
    4423: *** SUID: ruid/euid/suid = 1001 / 71 / 71 ***
    4423: getuid() = 1001 [71]
    4423: getuid() = 1001 [71]
    4423: setuid(1001) = 0

(note that getuid() and geteuid() are one and the same system call;
it returns both values in different registers)

Casper
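
The distinction drawn in the message above can be turned into an audit. This is an added example, not part of the original post or of fix-modes: it lists set-uid/set-gid files under a directory and marks which are sh scripts with or without "-p" on the "#!" line. The function names and status words are hypothetical, and only interpreters named "sh" are judged, since that is the only shell the post describes.

```shell
#!/bin/sh
# Added example (not from the original post): audit set-id shell scripts.
# Assumption: only interpreters named "sh" are judged; any other
# interpreter is reported separately, as the post speaks only of /bin/sh.

# classify_script FILE prints one status word:
#   not-setid     neither the set-uid nor the set-gid bit is set
#   not-script    set-id file that does not begin with "#!"
#   other-interp  set-id script whose interpreter is not named sh
#   drops-euid    set-id sh script without -p (sh resets euid to ruid)
#   keeps-euid    set-id sh script whose "#!" argument includes -p
classify_script() {
    f=$1
    if [ -z "$(find "$f" -prune -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)" ]; then
        echo not-setid; return 0
    fi
    # First line only; strip NULs so binaries do not confuse the shell.
    first=$(head -n 1 "$f" 2>/dev/null | tr -d '\000')
    case $first in
        '#!'*) ;;
        *) echo not-script; return 0 ;;
    esac
    rest=${first#'#!'}
    rest=${rest#"${rest%%[![:space:]]*}"}   # trim blanks after "#!"
    interp=${rest%%[[:space:]]*}            # interpreter path
    arg=${rest#"$interp"}
    arg=${arg#"${arg%%[![:space:]]*}"}      # interpreter argument, if any
    case ${interp##*/} in
        sh) ;;
        *) echo other-interp; return 0 ;;
    esac
    case ${arg%%[[:space:]]*} in
        -*p*) echo keeps-euid ;;
        *)    echo drops-euid ;;
    esac
}

# audit_tree DIR prints "status<TAB>path" for every set-id file under DIR.
audit_tree() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r path; do
        printf '%s\t%s\n' "$(classify_script "$path")" "$path"
    done
}

if [ $# -gt 0 ]; then audit_tree "$1"; fi
```

Entries reported as keeps-euid or other-interp are the ones to review by hand; drops-euid entries match the case the message calls harmless.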