On 22/05/2010 12:14, Martin-Éric Racine wrote:
On Thu, May 20, 2010 at 10:26 PM, Roger Leigh<rleigh@debian.org> wrote:Package: cups-pdf Version: 2.5.0-14 Severity: normal % ls -ld /var/spool/cups-pdf/ANONYMOUS drwxrwxrwt 2 nobody nogroup 4096 Jan 27 2009 /var/spool/cups-pdf/ANONYMOUS This directory is world-writable with the sticky-bit set, which allows any user to create files and directories in this location. However, the ownership is not appropriate; compare with /tmp: % ls -ld /tmp drwxrwxrwt 13 root root 300 May 20 20:20 /tmp The ownership by nobody:nogroup gives processes run under this UID and/or GID additional privileges to delete content under this location. Given that they are intended to be a restricted-privilege user/group, this is not appropriate. Ownership by root:root is perfectly acceptable here (if you're creating files in here owned by nobody:nogroup that will still work fine).If I recall correctly, it was suggested that I'd make this directory owned by nobody:nogroup to give it the lowest possible priority, because of the risky way that Samba accesses this spool when offering login-free guest printer access. I welcome debian-devel's input on whether this statement is correct or not.
This probably needs some clarification from the Samba maintainers, but I don't at first glance see why it's any safer than root:root; from the way I see it, it's actually less secure due to the unwarranted extra authority you're granting the nobody user.
If Samba is running with an EUID/EGID of root/root, it has the ability to read/write in that location under any circumstances. Given that other has rwx/sticky, any user can read/write here whatever their EUID/EGID, including Samba. So I'm not sure what's different between root:root and nobody:nogroup from the Samba POV: it has equal rights under both circumstances.
From the system POV, if owned by root:root with 01777 perms, any user may create and delete *their own* files. Only root may delete files owned by non-root users (since they own the directory). Likewise if owned by nobody:nogroup, any user may create and delete their own files, but in this case any file may be deleted *by user nobody*.
Given that user nobody is a minimum-privilege account, you've actually escalated the privileges nobody has by creating a directory owned by nobody--the nobody user, and any daemons running as nobody, now have the power to delete other users' files under this location. Clearly, this is no longer "minimum privilege". i.e. nobody is kept having minimal privs by not creating files/directories owned by nobody which can allow situations like this to arise.
Hopefully you can see where I'm coming from with this, and appreciate the potential for abuse and the security considerations related to that; I'd be interested to know more about the rationale from the Samba side.
Regards, Roger