[TAG] lpr works for user not root in Basiclinux 2.1

Sindi Keesan keesan at grex.cyberspace.org
Wed Mar 7 23:26:00 MSK 2007


Just lost my connection after typing out a very long reply to this ;=(

On Wed, 7 Mar 2007, Ben Okopnik wrote:

> On Sun, Mar 04, 2007 at 03:25:54AM -0500, Sindi Keesan wrote:
>> I read a short section on security in an old SuSE book, which says to
>> avoid SUID programs because they are susceptible to buffer overruns which
>> is bad for security.
>
> You've either misunderstood it, or it was poorly written. The real story
> is that if you
>
> a) have an SUID program
>
> AND
>
> b) it's susceptible to a buffer overrun - note that these two things are
> distinct and independent -
>
> then attackers can crack into your system by attacking that program.

I got a lot of hits on Opera and buffer overrun.

>
>> 1.  Anything svgalib needs to be suid to run as 'user':
>> links2, zgv, seejpeg, bmv.
>>
>> Are these security risks?
>
> Probably not in your usage scenario; all of the above are
> local-execution programs (although 'links2', depending on how it deals
> with CGI, may be - but that's a different attack vector.)

>
>> 2.  Xvesa needs to be SUID to be loaded by 'user'.  Is it better to start
>> X as root then login as 'user'?  (rxvt and xterm did not need to be suid).
>
> As I recall, Xvesa is just an X binary; it shouldn't need root
> privileges (I recall when X did need them; I also recall the flamewars
> that this caused.) Instead, it should check '/etc/X11/Xsession.options'
> and '/etc/X11/Xwrapper.config' for the appropriate options (e.g.,
> "allowed_users=console", "allow-user-resources", etc.) and run based on
> those. Take a look at a normal system, and check out the interaction
> between 'startx', 'xinit', and the X program.

All TinyX servers need to be run SUID to work for user, unlike the regular 
servers which will work with xdm or Xwrapper (which I read about and cited 
info on in my attempted previous reply).  Xwrapper is set suid and 
needs only that one Xwrapper.config with that one line.  The options file 
is for running other things automatically at login time, I think.
xdm is for logging into the GUI which I don't want to do.

startx, Xwrapper (both in xbin.tgz) and Xwrapper.config are all tiny 
files.  They worked perfectly for root and user, except that I don't have 
the proper X server for my newer Matrox video card, which works fine with 
TinyX Xvesa and xfbdev (except in 8-bit color).  I don't know how to 
compile the mga server for XFree86-3.3.6.  I am told X is hard to compile.

I don't have any other PCI video cards this good which work with 
framebuffer.  AGP cards conflict with MGA in this dual-head system (which 
TAG helped me set up).

The X framebuffer standard server wants font 'fixed' (which we apparently 
do not have). SVGA and S3 servers do not need it.  Maybe I can put 
something in the config file to work around this.  I will ask at my list.

There is a TinyX matrox server but TinyX servers need to be set SUID.

>> 3.  eznet has to be SUID to access pppd (which is not on the path for
>> 'user') and eznet.conf (with login and password, not readable by user)
>> and/or pap-secrets.  Would it be more secure to dial as root and then
>> login as user?  pppd is not suid, or even on the path for user, and is
>> accessed by eznet.
>
> It would be more secure to configure 'pppd' as I described, then use it
> as a non-root user.

I will leave this alone for a while.  I could not find anything online 
about eznet and security.  The files with login and password are not 
user-readable.  eznet is just a way to set up and access pppd and related 
files.  Several small distributions use it.

>> If I dial as root but do not run any internet-related programs as root is
>> there still a security risk?
>
> Yes. Aside from the obvious - i.e., what everyone's been telling you -
> see my first paragraph.

That appears to be about SUID.  Are you referring to running zgv after 
dialing as root?

>> 4.  In the larger linux (not being given to friends) I installed bin.tgz
>> with at and crontab (I never use them) and also lpr.tgz (print spooler)
>> with lpr lprm and lpq, which I no longer use.  All these files are SUID.
>> Are they security risks?
>
> Yes. Besides being vulnerable to local exploits, 'lpd' is a daemon that
> can be attacked remotely.

removepkg lpr

I no longer need to print with lpr even as user.

>
> -- 
> * Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
>

Sindi Keesan
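
The inventory that questions 1 to 4 above work through by hand (which files carry the SUID bit, and which of them are expected to) can be scripted. This is an added example, not part of the original messages; the function name `suid_audit`, the allowlist file format and the status labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit set-user-ID files under a tree.
# Usage: suid_audit DIR [ALLOWLIST]   e.g. suid_audit /usr /etc/suid.allow
#   ALLOWLIST is a hypothetical file with one expected SUID path per line.
# Output, one line per SUID file: STATUS MODE OWNER PATH, where STATUS is
#   OK        SUID and listed in the allowlist
#   REVIEW    SUID but not expected; decide whether it really needs the bit
#   WRITABLE  SUID and group- or world-writable; fix even if allowlisted
# Returns 0 when every SUID file found is OK, 1 otherwise.
suid_audit() {
    dir=$1
    allow=${2:-/dev/null}
    report=$(
        # -perm -4000 matches any regular file with the set-user-ID bit set.
        find "$dir" -xdev -type f -perm -4000 2>/dev/null | sort |
        while IFS= read -r f; do
            info=$(ls -ld "$f" | awk '{print $1, $3}')
            mode=${info% *}      # e.g. -rwsr-xr-x
            owner=${info#* }
            case $mode in
                # character 6 is group write, character 9 is other write
                ?????w*|????????w*) status=WRITABLE ;;
                *)  if grep -Fxq -- "$f" "$allow"; then
                        status=OK
                    else
                        status=REVIEW
                    fi ;;
            esac
            printf '%s %s %s %s\n' "$status" "$mode" "$owner" "$f"
        done
    )
    [ -n "$report" ] && printf '%s\n' "$report"
    # Succeed only if nothing was flagged.
    ! printf '%s\n' "$report" | grep -Eq '^(REVIEW|WRITABLE) '
}
```

A file that shows up as REVIEW and is no longer used is a candidate for `chmod u-s` or for removing the package, as was done with lpr above.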



