<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
  <head>
    <meta name="generator" content="HTML Tidy, see www.w3.org">
    <title>Security Concerns</title>
    <meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7">
    <link rel="HOME" title=" LPRng Reference Manual" href="index.htm">
    <link rel="UP" title="Installation" href="installation.htm">
    <link rel="PREVIOUS" title="SAMBA and LPRng" href="smb.htm">
    <link rel="NEXT" title="System Specific Notes " href="systemspecific.htm">
  </head>

  <body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084" alink="#0000FF">
    <div class="NAVHEADER">
      <table summary="Header navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
        <tr>
          <th colspan="3" align="center">LPRng Reference Manual: 5 Sep 2003 (For LPRng-3.8.22)</th>
        </tr>

        <tr>
          <td width="10%" align="left" valign="bottom"><a href="smb.htm" accesskey="P">Prev</a></td>

          <td width="80%" align="center" valign="bottom">Chapter 2. Installation</td>

          <td width="10%" align="right" valign="bottom"><a href="systemspecific.htm" accesskey="N">Next</a></td>
        </tr>
      </table>
      <hr align="LEFT" width="100%">
    </div>

    <div class="SECT1">
      <h1 class="SECT1"><a name="SETUID">2.13. Security Concerns</a></h1>

      <p>Although the <b class="APPLICATION">LPRng</b> software has
      been written with security as the primary goal, there is
      always the risk of undetected errors in the <b class="APPLICATION">LPRng</b>
      software that, when exploited, could compromise system security.
      The most serious concern is that of gaining ROOT (UID 0) permissions.</p>

      <p>The simplest way to handle this problem is to not install
      LPRng with <var class="LITERAL">setuid ROOT</var>
      permissions. Client programs will be able to connect to the
      <b class="APPLICATION">lpd</b> server.
      Since the <b class="APPLICATION">lpd</b> server is started by the system startup
      script with effective UID root, it is the only program in
      this suite that will have a privileged user id.</p>

      <p>A more radical step is to run the <b class="APPLICATION">lpd</b>
      server as a non-privileged user entirely. However, the RFC1179
      protocol specifies that the <b class="APPLICATION">lpd</b> TCP/IP
      port is 515, and <b class="APPLICATION">lpd</b> requires root
      permissions to open and bind to port 515. The
      <b class="APPLICATION">lpd</b> server can use the
      <code class="FUNCTION">setuid()</code> system call after binding
      to this port to drop ROOT capabilities. However, in order to be
      fully compatible with RFC1179, <b class="APPLICATION">lpd</b> must
      originate connections from a
      <span class="emphasis"><i class="EMPHASIS">reserved</i></span> port
      in the range 721-731, although in practice any port in the range
      1-1023 seems to be acceptable.</p>

      <p>If inter-operability with non-<b class="APPLICATION">LPRng</b>
      print spoolers is not desired, then it is
      <span class="emphasis"><i class="EMPHASIS">trivial</i></span> to
      configure <b class="APPLICATION">LPRng</b> to use a non-privileged
      port by using the <tt class="FILENAME">lpd.conf</tt> file. For
      example, in the <tt class="FILENAME">/etc/lpd.conf</tt> file, you
      only need to change the indicated lines:</p>

      <div class="INFORMALEXAMPLE">
        <a name="AEN1463"></a>
<pre class="SCREEN">
    # Purpose: lpd port
    #   default lpd_port=printer
    lpd_port=2000
    # or lpd_port=localhost%2000
</pre>
      </div>
      The <var class="LITERAL">lpd_port</var> specifies the
      (optional) IP address and port to which the
      <b class="APPLICATION">lpd</b> server binds and to which the clients
      will connect. <b class="APPLICATION">LPRng</b> applications
      will connect to port 2000 to transfer jobs and ask for
      status.
      You can also use this facility to establish a
      <span class="emphasis"><i class="EMPHASIS">private</i></span> set
      of print spoolers which can be used for testing. See
      <a href="testing.htm">Testing and Diagnostic Facilities</a> for more
      details.<br>
      <br>

      <p>Some <span class="emphasis"><i class="EMPHASIS">legacy</i></span>
      print filters are not
      <span class="emphasis"><i class="EMPHASIS">meta-char-escape</i></span>
      proof. For example, suppose that a user decided to spool a job as
      follows:</p>

      <div class="INFORMALEXAMPLE">
        <a name="AEN1473"></a>
<pre class="SCREEN">
    <samp class="PROMPT">h4: {66} #</samp> <kbd class="USERINPUT">lpr "-J`;rm -rf /;`" /tmp/a</kbd>
</pre>
      </div>
      This would create a job file with the line:

      <div class="INFORMALEXAMPLE">
        <a name="AEN1477"></a>
<pre class="SCREEN">
    J`rm -rf /;`
</pre>
      </div>
      which gets passed to a print filter as

      <div class="INFORMALEXAMPLE">
        <a name="AEN1479"></a>
<pre class="SCREEN">
    /usr/local/printfilter -J`rm -rf /;`
</pre>
      </div>
      The observant reader will notice that the above line may
      have the most hideous consequences if it is processed by a
      shell. For this reason the <b class="APPLICATION">LPRng</b>
      software takes extreme precautions and
      <span class="emphasis"><i class="EMPHASIS">sanitizes</i></span>
      control file contents and file names so that they do not contain
      any control or metacharacters.<br>
      <br>

      <p>Finally, you can use a Unix socket (i.e.
      - FIFO) for connections to the server on the localhost, and disable the
      <b class="APPLICATION">lpd</b> listening socket by setting
      the <var class="LITERAL">lpd_listen_port</var> value to
      <var class="LITERAL">off</var>.</p>
    </div>

    <div class="NAVFOOTER">
      <hr align="LEFT" width="100%">

      <table summary="Footer navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
        <tr>
          <td width="33%" align="left" valign="top"><a href="smb.htm" accesskey="P">Prev</a></td>

          <td width="34%" align="center" valign="top"><a href="index.htm" accesskey="H">Home</a></td>

          <td width="33%" align="right" valign="top"><a href="systemspecific.htm" accesskey="N">Next</a></td>
        </tr>

        <tr>
          <td width="33%" align="left" valign="top">SAMBA and <b class="APPLICATION">LPRng</b></td>

          <td width="34%" align="center" valign="top"><a href="installation.htm" accesskey="U">Up</a></td>

          <td width="33%" align="right" valign="top">System Specific Notes</td>
        </tr>
      </table>
    </div>
  </body>
</html>
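Added example, not taken from the LPRng sources: the control-file sanitizing described in section 2.13 above, applied to the J line from the text before it becomes a print filter option. The function names and the set of characters treated as shell metacharacters are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed metacharacter set for this example (not LPRng's actual list). */
static const char SHELL_META[] = "`$;&|<>(){}[]*?!~#'\"\\";

/* Replace control characters and shell metacharacters in place with '_'.
 * Returns the number of bytes that were replaced. */
size_t sanitize_value(char *s)
{
    size_t replaced = 0;
    for (; *s; ++s) {
        unsigned char c = (unsigned char)*s;
        if (iscntrl(c) || strchr(SHELL_META, c)) {
            *s = '_';
            ++replaced;
        }
    }
    return replaced;
}

/* Build a filter option such as "-Jtitle" from one control-file line.
 * line[0] is the option letter, the rest is the user-supplied value.
 * Returns 0 on success, -1 if the line is empty, the key is not a
 * letter, or the result does not fit in out (outlen bytes). */
int build_filter_arg(const char *line, char *out, size_t outlen)
{
    size_t len = strlen(line);
    if (len == 0 || !isalpha((unsigned char)line[0]) || len + 2 > outlen)
        return -1;
    out[0] = '-';
    memcpy(out + 1, line, len + 1);   /* copies the trailing NUL too */
    sanitize_value(out + 2);          /* value starts after "-X" */
    return 0;
}

int main(void)
{
    /* Constructed input: the job file line shown in the section above. */
    const char *line = "J`rm -rf /;`";
    char arg[64];
    if (build_filter_arg(line, arg, sizeof arg) == 0)
        printf("%s\n", arg);
    return 0;
}
```

Passing the resulting string as a single argv element to `execv()`, rather than through a shell command line, removes the shell interpretation step altogether.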