lpd fails to drop groups of root when becoming a daemon.
=========================================================

If tetex-1.0.7-7 is installed, it is possible to exploit this to gain (for
example) gid disk, which allows pretty much anything you want.

# ps -ax|grep lpd|grep -v grep
20697 ? SW 0:00 [lpd]
[root@clarity /]# cat /proc/20697/status
Name: lpd
State: S (sleeping)
Pid: 20697[root@clarity /]
PPid: 1
Uid: 0 4 0 4
Gid: 7 7 7 7
Groups: 0 1 2 3 4 6 10 40
...
...
...

(gid 40 is used on my system for the net connection program)

I would expect to see the groups that user lp is a member of.

[root@clarity /]# id lp
uid=4(lp) gid=7(lp) groups=7(lp)

--zen-parse

tetex info: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=43342

oops, nearly forgot

[root@clarity /]# rpm -qf /usr/sbin/lpd
LPRng-3.6.24-2

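
Added example (not LPRng's code and not part of the report): what a daemon that permanently switches to a service account has to do so that root's supplementary groups do not survive, with the check run against the Groups values quoted in the report. `leftover_groups` and `drop_privileges` are hypothetical names, and the permanent drop is an assumption; the report's Uid line shows lpd keeping a saved uid of 0.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Count gids in `have` that are not the single gid the service account
 * should hold. Non-zero after a drop means inherited groups survived. */
int leftover_groups(const gid_t *have, int n, gid_t allowed)
{
    int extra = 0;
    for (int i = 0; i < n; i++)
        if (have[i] != allowed)
            extra++;
    return extra;
}

/* Hypothetical helper: permanently become uid/gid with no other groups.
 * Order matters: supplementary groups, then gid, then uid, because after
 * setuid() the process no longer has the privilege to change groups. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t now[64];
    int n;

    if (setgroups(1, &gid) != 0) return -1;   /* replace root's group list */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify the result instead of trusting return codes alone. */
    n = getgroups(64, now);
    if (n < 0 || leftover_groups(now, n, gid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1; /* root must be unrecoverable */
    return 0;
}

int main(void)
{
    /* Constructed from the report: lpd's Groups line and `id lp` (gid 7). */
    gid_t reported[] = {0, 1, 2, 3, 4, 6, 10, 40};
    gid_t lp_only[] = {7};
    printf("lpd as reported: %d leftover\n", leftover_groups(reported, 8, 7));
    printf("lp per id:       %d leftover\n", leftover_groups(lp_only, 1, 7));
    return 0;
}
```
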
This is fixed in errata, now.
Looks like someone forgot to mark this as RESOLVED ERRATA (It's definitely not NEW). Kinda makes the bugzilla database pretty useless if it's not used properly. Also makes it look like you aren't solving the problems. Might want to spend a few minutes checking what else is actually resolved.