Michael Lossin on Tue, 16 May 2000 08:50:36 +0200 (CEST)
apsfilter security loophole via user config
Hi, it's me, I'm back...
I think the user preferences simply cannot be trusted :-\
Imagine this:
A2PS_BASIC!-q -o - /etc/shadow -!
with the filter running as root... disaster!
(Just replace /etc/shadow with any file containing possibly plain-text
passwords or other sensitive data...)
These variables are vulnerable:
A2PS_BASIC, A2PS_OPTS, MPAGE_BASIC, MPAGE_OPTS, RECODE_OPTS,
HTML2PS_OPTS, DJPEG_OPTS, RAS2PS_OPTS (which right now is missing in
the parser), GS_FEATURES and PS_INIT (and maybe more)
in addition to PS_UTILS and PRINT_DVI, which can't be trusted anyway.
There are several possible solutions:
a) distrust these variables (and all future stuff used in an equally
dangerous way) -- this pretty much defeats their purpose, since
they are rather useful
b) introduce a more complex way to check for valid options (may be
nearly impossible, and kludgy for sure)
c) disable all user preferences (the hard way)
d) use a suid-root wrapper around apsfilter to restrict it to the
printing user's permissions (this is an earlier suggestion to
Andreas)
e) use LPRng to switch to a safe user
In the latter three cases all configuration files could be sourced
again (after reverting to standard shell syntax).
From an admin's point of view, I'd favour c) or e), but users tend to
demand ridiculous amounts of flexibility... ;^)
Maybe you know some other way to get around that?
Michael
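The following is an added example, not apsfilter's code and not part of the original post. It sketches option b) from the message above: read the per-user preference file without sourcing it, then let a root-running filter use an option string only when every token passes a narrow allowlist, falling back to the administrator's value otherwise. Two things are assumed rather than taken from apsfilter: that preference entries have the one-line form `NAME!value!` the post quotes, and that acceptable filter options are single-character flags with an optional numeric argument (`-q`, `-2`, `-l72`); `-o`, bare file names, long options and anything containing shell metacharacters are refused. The function names `read_pref`, `validate_opts` and `safe_opts` are made up for this example.

```shell
#!/bin/sh
# Added example (not apsfilter code): treat user preferences as untrusted input.
# The preference file is parsed, never sourced, and an option string reaches the
# filter command only if every whitespace-separated token is on an allowlist.

# read_pref FILE NAME
# Print the value of the entry "NAME!value!" in FILE (assumed format, see lead-in).
# Returns 1 when NAME is not present.
read_pref() {
    file=$1 name=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$name"!*!)
                line=${line#"$name"!}          # drop "NAME!"
                printf '%s\n' "${line%!}"     # drop the trailing "!"
                return 0 ;;
        esac
    done < "$file"
    return 1
}

# validate_opts STRING
# Return 0 only if every token is a single-character flag, optionally followed
# by up to three digits. The allowlist is illustrative; a real filter would take
# it from the documented options of the program being invoked.
validate_opts() {
    (
        set -f                      # no pathname expansion while splitting the string
        for tok in $1; do
            case $tok in
                -o*)                        exit 1 ;;  # output-to-file: never accepted
                -[A-Za-z0-9])               ;;         # bare flag: -q -r -2
                -[A-Za-z0-9][0-9])          ;;         # flag with numeric argument: -l72
                -[A-Za-z0-9][0-9][0-9])     ;;
                -[A-Za-z0-9][0-9][0-9][0-9]) ;;
                *)                          exit 1 ;;  # paths, words, --long, '-', metacharacters
            esac
        done
        exit 0
    )
}

# safe_opts FILE NAME DEFAULT
# Print the user's value when it validates, otherwise DEFAULT (the admin's
# setting), so a bad preference degrades the job rather than the system.
safe_opts() {
    val=$(read_pref "$1" "$2") && validate_opts "$val" && { printf '%s\n' "$val"; return 0; }
    printf '%s\n' "$3"
}

# Demonstration on a constructed preference file (not a real user's file).
demo() {
    prefs=$(mktemp) || return 1
    cat > "$prefs" <<'EOF'
A2PS_OPTS!-2 -r!
A2PS_BASIC!-q -o - /etc/shadow -!
MPAGE_OPTS!-4 -l66!
EOF
    safe_opts "$prefs" A2PS_OPTS  "-1"    # user value passes: -2 -r
    safe_opts "$prefs" A2PS_BASIC "-q"    # user value refused: falls back to -q
    safe_opts "$prefs" MPAGE_OPTS "-2"    # user value passes: -4 -l66
    rm -f "$prefs"
}

demo
```

Because the token check runs inside a subshell with `set -f`, a stray `*` in a preference cannot expand into file names during word splitting, and nothing here ever passes the string through `eval` or `.`; the later command line is built from the validated tokens only.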