[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Pkg-cups-devel] Bug#582441: /var/spool/cups-pdf/ANONYMOUS is inappropriately owned by nobody:nogroup

On 22/05/2010 12:14, Martin-Éric Racine wrote:
On Thu, May 20, 2010 at 10:26 PM, Roger Leigh<rleigh@debian.org>  wrote:
Package: cups-pdf
Version: 2.5.0-14
Severity: normal

% ls -ld /var/spool/cups-pdf/ANONYMOUS
drwxrwxrwt 2 nobody nogroup 4096 Jan 27  2009 /var/spool/cups-pdf/ANONYMOUS

This directory is world-writable with the sticky-bit set, which allows
any user to create files and directories in this location.  However, the
ownership is not appropriate; compare with /tmp:

% ls -ld /tmp
drwxrwxrwt 13 root root 300 May 20 20:20 /tmp

The ownership by nobody:nogroup gives processes run under this
UID and/or GID additional privileges to delete content under this
location.  Given that they are intended to be a restricted-privilege
user/group, this is not appropriate.  Ownership by root:root is
perfectly acceptable here (if you're creating files in here owned
by nobody:nogroup that will still work fine).

If I recall correctly, it was suggested that I'd make this directory
owned by nobody:nogroup to give it the lowest possible priority,
because of the risky way that Samba accesses this spool when offering
login-free guest printer access.  I welcome debian-devel's input on
whether this statement is correct or not.

This probably needs some clarification from the Samba maintainers, but I don't at first glance see why it's any safer than root:root; from the way I see it, it's actually less secure due to the unwarranted extra authority you're granting the nobody user.

If Samba is running with an EUID/EGID of root/root, it has the ability to read/write in that location under any circumstances. Given that other has rwx/sticky, any user can read/write here whatever their EUID/EGID, including Samba. So I'm not sure what's different between root:root and nobody:nogroup from the Samba POV: it has equal rights under both circumstances.

From the system POV, if owned by root:root with 01777 perms, any user may create and delete *their own* files. Only root may delete files owned by non-root users (since they own the directory). Likewise if owned by nobody:nogroup, any user may create and delete their own files, but in this case any file may be deleted *by user nobody*.

Given that user nobody is a minimum-privilege account, you've actually escalated the privileges nobody has by creating a directory owned by nobody--the nobody user, and any daemons running as nobody, now have the power to delete other users' files under this location. Clearly, this is no longer "minimum privilege". i.e. nobody is kept having minimal privs by not creating files/directories owned by nobody which can allow situations like this to arise.

Hopefully you can see where I'm coming from with this, and appreciate the potential for abuse and the security considerations related to that; I'd be interested to know more about the rationale from the Samba side.


Reply to: