From: claude@genethon.fr (Claude Scarpelli)
Newsgroups: alt.security
Subject: lpr security problem (getlogin(3) is a security violation?)
Message-ID: <1992Feb18.122952@genethon.fr>
Date: 18 Feb 92 11:29:52 GMT
Organization: Genethon -- CEPHB Human Polymorphism Study Center, Paris, France

I have discovered a strange behavior in /usr/ucb/lpr, which appears to
be potentially dangerous. The problem I'll describe occurs on a Sun
4/470, SunOS 4.1 PSR_A with the Sun 100305-06 patch (lpd security
bug).

/usr/ucb/lpr uses /etc/utmp to get the username. First, /etc/utmp is
world writable on a Sun (this has been discussed several times, and
doesn't matter for this problem).

Second: at our site, we heavily use xterm, and this one doesn't remove
its utmp entry each time xterm ends. If a new user logs in to the system
with xterm -utmp (which causes xterm not to create a utmp entry), it
may take the previous utmp entry for the pseudo terminal. At this time,
"who am i" returns the wrong username. So, if this user uses lpr (or
lpq, lprm) he becomes the old user, and then can remove his print jobs
(and potentially his files with lpr -r, but I haven't tested it yet).

The real problem is that lpr doesn't get the username with getuid(2),
but with something like getlogin(3). I think all the programs which use
getlogin(3) can't be "secure".

What's your opinion?

--
------------------------------------------------------------------------------
Claude Scarpelli                  Internet : claude@genethon.fr
Human Polymorphism Study Center   or       : claude@cephb.fr