Red Hat Bugzilla – Bug 43341
lpd fails to drop groups of root
Last modified: 2007-04-18 12:33:33 EDT
lpd fails to drop groups of root when becoming a daemon.
If tetex-1.0.7-7 is installed, it is possible to exploit this
to gain (for example) gid disk, which allows pretty much anything
# ps -ax|grep lpd|grep -v grep
20697 ? SW 0:00 [lpd]
[root@clarity /]# cat /proc/20697/status
State: S (sleeping)
Pid: 20697[root@clarity /]
Uid: 0 4 0 4
Gid: 7 7 7 7
Groups: 0 1 2 3 4 6 10 40
(gid 40 is used on my system for the net connection program)
I would expect to see the groups that user lp is a member of.
[root@clarity /]# id lp
uid=4(lp) gid=7(lp) groups=7(lp)
oops, nearly forgot
[root@clarity /]# rpm -qf /usr/sbin/lpd
This is fixed in errata, now.
Looks like someone forgot to mark this as RESOLVED ERRATA
(Its definately not NEW)
Kinda makes the bugzilla database pretty useless if its not used properly.
Also makes it look like you aren't solving the problems.
Might want to spend a few minutes checking what else is actually resolved.