Date:      Thu, 9 Dec 1999 18:24:45 -0500
From:      Garance A Drosihn <drosih@rpi.edu>
To:        Alfred Perlstein <bright@wintelcom.net>, Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
Cc:        Warner Losh <imp@village.org>, stable@FreeBSD.ORG
Subject:   Re: NO! Re: [PATCHES] Two fixes for lpd/lpc for review and test
Message-ID:  <v04210105b475e8305ccd@[128.113.24.47]>
In-Reply-To: <Pine.BSF.4.21.9912091427240.4557-100000@fw.wintelcom.net>
References:  <Pine.BSF.4.21.9912091427240.4557-100000@fw.wintelcom.net>

Note:  I'm sending this to just the -current list, since it's pretty
clear that this change won't be ready for -stable anytime this year...

(hopefully Alfred is in -current?)

At 3:02 PM -0800 12/9/99, Alfred Perlstein wrote:
>On Thu, 9 Dec 1999, Andre Albsmeier wrote:
> > On Tue, 07-Dec-1999 at 14:55:37 -0800, Alfred Perlstein wrote:
> > > please do not, the patch in PR 11997 introduces a major security flaw.
> > >
> > > someone can hardlink to any file and clobber it with a file owned by
> > > them:
> >
> > I think the (really big) security hole can be closed by not doing
> > the chown/chmod commands. I inserted them because I wanted the
> > file in the spool directory to appear exactly as if lpr would
> > have copied it.
>
>I don't have too much time to think about this, argue me this:
>
>     why should I allow a user to print any file on the system?
>
>the race condition is still there.


I think the general goal of the patch is a good idea (ie, doing
a 'mv' instead of a 'cp & rm' when we can).  And, in fact, I'd
like the chown/chmod's to be done so the file is owned and
permitted the same way as if it was cp'ed.

I don't have any time to really look at the patch right now
though (it's end-of-semester, things breaking, students around
here in a frenzy, etc, etc).  I might try to suggest something
this weekend, depending on how things go.  I think we can afford
to do whatever checking is necessary to get this right, as the
checking can't possibly be more expensive than copying the whole
file and removing the old one.  (in my environment we have people
printing thru samba or CAP, and who are sending >100meg files.
If I can use 'mv' instead of 'cp', that has to save a lot of
cpu time!).  Of course, the security implications of such a
change are also pretty important in our environment here...


---
Garance Alistair Drosehn           =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer          or  drosih@rpi.edu
Rensselaer Polytechnic Institute
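
An added example, not code from lpr/lpd or from the PR 11997 patch under discussion, showing the kind of checking Garance says the mv path can afford: a spool-by-rename routine that refuses the hard-link case Alfred describes (link count above one, or an inode not owned by the submitter), opens with O_NOFOLLOW, re-verifies the spool entry by dev/ino after the rename so a path swapped in during the race is backed out again, and applies chown/chmod through the vetted descriptor rather than a path. The function and enum names, the spool layout and the three constructed submissions in a temp directory are this example's own; the demo passes (uid_t)-1 to skip the chown because it is not run as root.

```c
#define _GNU_SOURCE /* O_NOFOLLOW and mkdtemp under strict -std= flags */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcomes of spool_by_rename(); the names are this example's own. */
enum { SPOOL_OK = 0, SPOOL_EOPEN, SPOOL_ENOTREG, SPOOL_ELINKED,
       SPOOL_ENOTOWNER, SPOOL_ERENAME, SPOOL_ESWAPPED, SPOOL_EMODE };

/*
 * Spool a job by rename(2) instead of copy-and-unlink.  'uid' is the
 * submitter's real uid; spool_uid/spool_gid are the spool owner, with
 * (uid_t)-1 meaning "leave ownership alone" (the demo is not root).
 * Refuses symlinks (O_NOFOLLOW), non-regular files, and any inode with
 * more than one link or not owned by the submitter, which is how a hard
 * link to someone else's file would otherwise reach chown/chmod.  After
 * the rename it re-opens the spool entry and checks st_dev/st_ino against
 * the fd it vetted, so a path swapped in between is unlinked again, and
 * chown/chmod act on that fd.  Assumes the spool dir is not user-writable.
 */
int spool_by_rename(const char *src, const char *dst, uid_t uid,
                    uid_t spool_uid, gid_t spool_gid)
{
    struct stat st, after;
    int rc, dfd, fd = open(src, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return SPOOL_EOPEN;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) rc = SPOOL_ENOTREG;
    else if (st.st_nlink != 1)                       rc = SPOOL_ELINKED;
    else if (st.st_uid != uid)                       rc = SPOOL_ENOTOWNER;
    else if (rename(src, dst) != 0)                  rc = SPOOL_ERENAME; /* EXDEV: fall back to copy */
    else                                             rc = SPOOL_OK;
    if (rc != SPOOL_OK) { close(fd); return rc; }
    /* TOCTOU guard: is the spool entry really the inode we vetted? */
    dfd = open(dst, O_RDONLY | O_NOFOLLOW);
    if (dfd < 0 || fstat(dfd, &after) != 0 ||
        after.st_dev != st.st_dev || after.st_ino != st.st_ino) {
        if (dfd >= 0) close(dfd);
        close(fd);
        unlink(dst);            /* drops only the link rename() created */
        return SPOOL_ESWAPPED;
    }
    close(dfd);
    /* Make it look as if lpr had copied it: spool owner, mode 0600. */
    if ((spool_uid != (uid_t)-1 && fchown(fd, spool_uid, spool_gid) != 0) ||
        fchmod(fd, 0600) != 0)
        rc = SPOOL_EMODE;
    close(fd);
    return rc;
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    return (fd >= 0 && write(fd, text, strlen(text)) >= 0 && close(fd) == 0) ? 0 : -1;
}

/* Constructed demo: three submissions in a fresh temp dir, every file owned
 * by the running user.  Returns 0 if each case behaved as intended, else
 * the number of the first case that did not. */
int run_scenarios(void)
{
    char dir[] = "/tmp/lprmv.XXXXXX";
    char spool[128], own[128], victim[128], alias[128], sym[128], dst[128];
    uid_t me = getuid();
    int rc = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(spool, sizeof spool, "%s/spool", dir);
    snprintf(own, sizeof own, "%s/myjob.txt", dir);
    snprintf(victim, sizeof victim, "%s/not-mine.txt", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);
    snprintf(sym, sizeof sym, "%s/symlink", dir);
    if (mkdir(spool, 0700) != 0) return -1;
    /* 1: ordinary file, one link, ours: accepted; src gone, dst present. */
    snprintf(dst, sizeof dst, "%s/dfA001", spool);
    if (write_file(own, "hello\n") != 0 ||
        spool_by_rename(own, dst, me, (uid_t)-1, (gid_t)-1) != SPOOL_OK ||
        access(own, F_OK) == 0 || access(dst, F_OK) != 0)
        rc = 1;
    unlink(dst);
    /* 2: a hard link to another file (the attack in the thread): link
     *    count is 2, so it is refused and the target is left untouched. */
    snprintf(dst, sizeof dst, "%s/dfA002", spool);
    if (rc == 0 && (write_file(victim, "secret\n") != 0 || link(victim, alias) != 0 ||
        spool_by_rename(alias, dst, me, (uid_t)-1, (gid_t)-1) != SPOOL_ELINKED ||
        access(victim, F_OK) != 0))
        rc = 2;
    unlink(alias);
    /* 3: a symlink is refused at open(2) because of O_NOFOLLOW. */
    snprintf(dst, sizeof dst, "%s/dfA003", spool);
    if (rc == 0 && (symlink(victim, sym) != 0 ||
        spool_by_rename(sym, dst, me, (uid_t)-1, (gid_t)-1) != SPOOL_EOPEN))
        rc = 3;
    unlink(sym); unlink(victim); rmdir(spool); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_scenarios();
    printf("run_scenarios() = %d (0 = every case behaved as intended)\n", rc);
    return rc != 0;
}
```

rename(2) failing with EXDEV is the "can't mv" case (spool on a different filesystem from the user's file); a real lpr would fall back to its copy path there. The demo can only exercise the link-count and symlink checks, not the ownership check, because every file it creates belongs to the running user.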


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message