• Home
  • History
  • Annotate
  • Line#
  • Navigate
  • Raw
  • Download
  • only in /asuswrt-rt-n18u-9.0.0.4.380.2695/release/src/router/LPRng/DOCS/LPRng-Reference-Multipart/
1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
2
3<html>
4  <head>
5    <meta name="generator" content="HTML Tidy, see www.w3.org">
6    <title>Security Concerns</title>
7    <meta name="GENERATOR" content=
8    "Modular DocBook HTML Stylesheet Version 1.7">
9    <link rel="HOME" title=" LPRng Reference Manual" href=
10    "index.htm">
11    <link rel="UP" title="Installation" href="installation.htm">
12    <link rel="PREVIOUS" title="SAMBA and LPRng" href="smb.htm">
13    <link rel="NEXT" title="System Specific Notes " href=
14    "systemspecific.htm">
15  </head>
16
17  <body class="SECT1" bgcolor="#FFFFFF" text="#000000" link=
18  "#0000FF" vlink="#840084" alink="#0000FF">
19    <div class="NAVHEADER">
20      <table summary="Header navigation table" width="100%" border=
21      "0" cellpadding="0" cellspacing="0">
22        <tr>
23          <th colspan="3" align="center">LPRng Reference Manual: 5
24          Sep 2003 (For LPRng-3.8.22)</th>
25        </tr>
26
27        <tr>
28          <td width="10%" align="left" valign="bottom"><a href=
29          "smb.htm" accesskey="P">Prev</a></td>
30
31          <td width="80%" align="center" valign="bottom">Chapter 2.
32          Installation</td>
33
34          <td width="10%" align="right" valign="bottom"><a href=
35          "systemspecific.htm" accesskey="N">Next</a></td>
36        </tr>
37      </table>
38      <hr align="LEFT" width="100%">
39    </div>
40
41    <div class="SECT1">
42      <h1 class="SECT1"><a name="SETUID">2.13. Security
43      Concerns</a></h1>
44
45      <p>While the <b class="APPLICATION">LPRng</b> software has
46      been written with security as the primary goal there is
47      always the problem with undetected errors in the <b class=
48      "APPLICATION">LPRng</b> software that when exploited could
49      compromise system security. The most serious concern is that
50      of gaining ROOT (UID 0) permissions.</p>
51
52      <p>The simplest way to handle this problem is to not install
53      LPRng with <var class="LITERAL">setuid ROOT</var>
54      permissions. Client programs will be able to connect to the
55      <b class="APPLICATION">lpd</b> server. Since the <b class=
56      "APPLICATION">lpd</b> server is started by the system startup
57      script with effective UID root, it is the only program in
58      this suite that will have an privileged user id.</p>
59
60      <p>A more radical step is to run the <b class=
61      "APPLICATION">lpd</b> server as a non-privileged user
62      entirely. However, the RFC1179 protocol specifies that the <b
63      class="APPLICATION">lpd</b> TCP/IP port is 515 and <b class=
64      "APPLICATION">lpd</b> requires root permissions to open and
65      bind to port 515. The <b class="APPLICATION">lpd</b> server
66      can use the <code class="FUNCTION">setuid()</code> system
67      call after binding to this port do drop ROOT capabilities.
68      However, in order to fully compatible with RFC1179, <b class=
69      "APPLICATION">lpd</b> must originate connections from a <span
70      class="emphasis"><i class="EMPHASIS">reserved</i></span> port
71      in the range 721-731, although in practice port 1-1023 seems
72      to be acceptable.</p>
73
74      <p>If inter-operability with non-<b class=
75      "APPLICATION">LPRng</b> print spoolers is not desired, then
76      it is <span class="emphasis"><i class=
77      "EMPHASIS">trivial</i></span> to configure <b class=
78      "APPLICATION">LPRng</b> to use a non-privileged port by using
79      the <tt class="FILENAME">lpd.conf</tt> file. For example, in
80      the <tt class="FILENAME">/etc/lpd.conf</tt> file, you only
81      need to change the indicated lines:</p>
82
83      <div class="INFORMALEXAMPLE">
84        <a name="AEN1463"></a>
85<pre class="SCREEN">
86    # Purpose: lpd port
87    #   default lpd_port=printer
88    lpd_port=2000
89    # or lpd_port=localhost%2000
90</pre>
91      </div>
92      The <var class="LITERAL">lpd_port</var> specifies the
93      (optional) IP address and port to which the <b class=
94      "APPLICATION">lpd</b> server binds and to which the clients
95      will connect. <b class="APPLICATION">LPRng</b> applications
96      will connect to port 2000 to transfer jobs and ask for
97      status. You can also use this facility to establish a <span
98      class="emphasis"><i class="EMPHASIS">private</i></span> set
99      of print spoolers which can be used for testing See <a href=
100      "testing.htm">Testing and Diagnostic Facilities</a> for more
101      details.<br>
102      <br>
103
104      <p>Some <span class="emphasis"><i class=
105      "EMPHASIS">legacy</i></span> print filters are not <span
106      class="emphasis"><i class=
107      "EMPHASIS">meta-char-escape</i></span> proof. For example,
108      suppose that a user decided to spool a job as follows:</p>
109
110      <div class="INFORMALEXAMPLE">
111        <a name="AEN1473"></a>
112<pre class="SCREEN">
113    <samp class="PROMPT">h4: {66} #</samp> <kbd class=
114"USERINPUT">lpr "-J`;rm -rf /;`" /tmp/a</kbd>
115</pre>
116      </div>
117      This would create a job file with the line: 
118
119      <div class="INFORMALEXAMPLE">
120        <a name="AEN1477"></a>
121<pre class="SCREEN">
122    J`rm -rf /;`
123</pre>
124      </div>
125      and gets passed to a print filter as 
126
127      <div class="INFORMALEXAMPLE">
128        <a name="AEN1479"></a>
129<pre class="SCREEN">
130    /usr/local/printfilter  -J`rm -rf /;`
131</pre>
132      </div>
133      The observant reader will observe that the above line may
134      have the most hideous consequences if it is processed by a
135      shell. For this reason the <b class="APPLICATION">LPRng</b>
136      software takes extreme precautions and <span class=
137      "emphasis"><i class="EMPHASIS">sanitizes</i></span> control
138      file contents and file names so that they do not contain any
139      control or metacharacters.<br>
140      <br>
141
142      <p>Finally, you can use a Unix socket (i.e. - FIFO) for
143      connections to the server on the localhost, and disable the
144      <b class="APPLICATION">lpd</b> listening socket by setting
145      the <var class="LITERAL">lpd_listen_port</var> value to <var
146      class="LITERAL">off</var>.</p>
147    </div>
148
149    <div class="NAVFOOTER">
150      <hr align="LEFT" width="100%">
151
152      <table summary="Footer navigation table" width="100%" border=
153      "0" cellpadding="0" cellspacing="0">
154        <tr>
155          <td width="33%" align="left" valign="top"><a href=
156          "smb.htm" accesskey="P">Prev</a></td>
157
158          <td width="34%" align="center" valign="top"><a href=
159          "index.htm" accesskey="H">Home</a></td>
160
161          <td width="33%" align="right" valign="top"><a href=
162          "systemspecific.htm" accesskey="N">Next</a></td>
163        </tr>
164
165        <tr>
166          <td width="33%" align="left" valign="top">SAMBA and <b
167          class="APPLICATION">LPRng</b></td>
168
169          <td width="34%" align="center" valign="top"><a href=
170          "installation.htm" accesskey="U">Up</a></td>
171
172          <td width="33%" align="right" valign="top">System
173          Specific Notes</td>
174        </tr>
175      </table>
176    </div>
177  </body>
178</html>
179
180