
/usr/share/doc/lprng-doc/LPRng-Reference-Multipart/setuid.htm is in lprng-doc 3.8.A~rc2-3.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
  <meta name="generator" content=
  "HTML Tidy for Linux/x86 (vers 6 November 2007), see www.w3.org">

  <title>Security Concerns</title>
  <meta name="GENERATOR" content=
  "Modular DocBook HTML Stylesheet Version 1.79">
  <link rel="HOME" title=" LPRng Reference Manual" href=
  "index.htm">
  <link rel="UP" title="Installation" href="installation.htm">
  <link rel="PREVIOUS" title="SAMBA and LPRng" href="smb.htm">
  <link rel="NEXT" title="System Specific Notes " href=
  "systemspecific.htm">
</head>

<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF"
vlink="#840084" alink="#0000FF">
  <div class="NAVHEADER">
    <table summary="Header navigation table" width="100%" border=
    "0" cellpadding="0" cellspacing="0">
      <tr>
        <th colspan="3" align="center">LPRng Reference Manual: 24
        Sep 2004 (For LPRng-3.8.28)</th>
      </tr>

      <tr>
        <td width="10%" align="left" valign="bottom"><a href=
        "smb.htm" accesskey="P">Prev</a></td>

        <td width="80%" align="center" valign="bottom">Chapter 2.
        Installation</td>

        <td width="10%" align="right" valign="bottom"><a href=
        "systemspecific.htm" accesskey="N">Next</a></td>
      </tr>
    </table>
    <hr align="left" width="100%">
  </div>

  <div class="SECT1">
    <h1 class="SECT1"><a name="SETUID" id="SETUID">2.13. Security
    Concerns</a></h1>

    <p>While the <b class="APPLICATION">LPRng</b> software has been
    written with security as the primary goal, there is always the
    possibility of undetected errors in the <b class=
    "APPLICATION">LPRng</b> software that, when exploited, could
    compromise system security. The most serious concern is that of
    gaining ROOT (UID 0) permissions.</p>

    <p>The simplest way to handle this problem is to not install
    LPRng with <tt class="LITERAL">setuid ROOT</tt> permissions.
    Client programs will still be able to connect to the <b class=
    "APPLICATION">lpd</b> server. Since the <b class=
    "APPLICATION">lpd</b> server is started by the system startup
    script with effective UID root, it is the only program in this
    suite that will have a privileged user ID.</p>

    <p>A more radical step is to run the <b class=
    "APPLICATION">lpd</b> server as a non-privileged user entirely.
    However, the RFC1179 protocol specifies that the <b class=
    "APPLICATION">lpd</b> TCP/IP port is 515 and <b class=
    "APPLICATION">lpd</b> requires root permissions to open and
    bind to port 515. The <b class="APPLICATION">lpd</b> server can
    use the <code class="FUNCTION">setuid()</code> system call
    after binding to this port to drop ROOT capabilities. However,
    in order to be fully compatible with RFC1179, <b class=
    "APPLICATION">lpd</b> must originate connections from a
    <span class="emphasis"><i class="EMPHASIS">reserved</i></span>
    port in the range 721-731, although in practice any port in the
    range 1-1023 seems to be acceptable.</p>

    <p>If inter-operability with non-<b class=
    "APPLICATION">LPRng</b> print spoolers is not desired, then it
    is <span class="emphasis"><i class=
    "EMPHASIS">trivial</i></span> to configure <b class=
    "APPLICATION">LPRng</b> to use a non-privileged port by using
    the <tt class="FILENAME">lpd.conf</tt> file. For example, in
    the <tt class="FILENAME">/etc/lpd.conf</tt> file, you only need
    to change the indicated lines:</p>

    <div class="INFORMALEXAMPLE">
      <a name="AEN1461" id="AEN1461"></a>
      <pre class="SCREEN">
# Purpose: lpd port
#   default lpd_port=printer
lpd_port=2000
# or lpd_port=localhost%2000
</pre>
    </div>The <tt class="LITERAL">lpd_port</tt> specifies the
    (optional) IP address and port to which the <b class=
    "APPLICATION">lpd</b> server binds and to which the clients
    will connect. <b class="APPLICATION">LPRng</b> applications
    will connect to port 2000 to transfer jobs and ask for status.
    You can also use this facility to establish a <span class=
    "emphasis"><i class="EMPHASIS">private</i></span> set of print
    spoolers which can be used for testing. See <a href=
    "testing.htm">Testing and Diagnostic Facilities</a> for more
    details.

    <p>Some <span class="emphasis"><i class=
    "EMPHASIS">legacy</i></span> print filters are not <span class=
    "emphasis"><i class="EMPHASIS">meta-char-escape</i></span>
    proof. For example, suppose that a user decided to spool a job
    as follows:</p>

    <div class="INFORMALEXAMPLE">
      <a name="AEN1471" id="AEN1471"></a>
      <pre class="SCREEN">
<samp class="PROMPT">h4: {66} #</samp> <kbd class=
"USERINPUT">lpr "-J`;rm -rf /;`" /tmp/a</kbd>
</pre>
    </div>This would create a job file with the line:

    <div class="INFORMALEXAMPLE">
      <a name="AEN1475" id="AEN1475"></a>
      <pre class="SCREEN">
J`rm -rf /;`
</pre>
    </div>which is passed to a print filter as:

    <div class="INFORMALEXAMPLE">
      <a name="AEN1477" id="AEN1477"></a>
      <pre class="SCREEN">
/usr/local/printfilter  -J`rm -rf /;`
</pre>
    </div>The observant reader will notice that the above line may
    have the most hideous consequences if it is processed by a
    shell. For this reason the <b class="APPLICATION">LPRng</b>
    software takes extreme precautions and <span class=
    "emphasis"><i class="EMPHASIS">sanitizes</i></span> control
    file contents and file names so that they do not contain any
    control or metacharacters.
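
    <p>A sketch of this kind of sanitization, as an added C example
    that is not LPRng's own code: the metacharacter set, the
    <tt class="LITERAL">_</tt> replacement character and the function
    names are assumptions. It also starts the filter from an argument
    array, so no shell parses the option.</p>

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed metacharacter set for this example; LPRng's own list may differ. */
static const char META[] = "`$;&|<>(){}[]*?!\\'\"~#";

/* Replace control bytes and shell metacharacters in place with '_'.
 * Returns the number of bytes replaced. */
size_t sanitize_option(char *s)
{
    size_t changed = 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (iscntrl(c) || strchr(META, c)) { *s = '_'; changed++; }
    }
    return changed;
}

/* Turn a control-file line such as "Jname" into the filter option "-Jname",
 * sanitizing the value. Returns 0, or -1 on a bad key or truncation. */
int filter_arg(const char *line, char *out, size_t n)
{
    if (!isupper((unsigned char)line[0])) return -1;
    if ((size_t)snprintf(out, n, "-%c%s", line[0], line + 1) >= n) return -1;
    sanitize_option(out + 2);
    return 0;
}

/* Run the filter from an argv array; returns its exit status or -1. */
int run_filter(const char *path, char *arg)
{
    char *argv[] = { (char *)path, arg, NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(path, argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char arg[256];
    if (filter_arg("J`rm -rf /;`", arg, sizeof arg) < 0) return 1;
    return run_filter("/bin/echo", arg);   /* stand-in for the print filter */
}
```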

    <p>Finally, you can use a Unix socket (i.e., FIFO) for
    connections to the server on the localhost, and disable the
    <b class="APPLICATION">lpd</b> listening socket by setting the
    <tt class="LITERAL">lpd_listen_port</tt> value to <tt class=
    "LITERAL">off</tt>.</p>
  </div>

</body>
</html>