File: setuid.htm

package info (click to toggle)
lprng 3.8.10-1.2
  • links: PTS
  • area: main
  • in suites: woody
  • size: 13,076 kB
  • ctags: 4,348
  • sloc: ansic: 35,394; sh: 10,756; perl: 2,210; makefile: 1,046
file content (175 lines) | stat: -rw-r--r-- 6,920 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
 
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta name="generator" content="HTML Tidy, see www.w3.org">
    <title>Security Concerns</title>
    <meta name="GENERATOR" content=
    "Modular DocBook HTML Stylesheet Version 1.71 ">
    <link rel="HOME" title=" LPRng-HOWTO" href="index.htm">
    <link rel="UP" title="Installation" href="installation.htm">
    <link rel="PREVIOUS" title="SAMBA and LPRng" href="smb.htm">
    <link rel="NEXT" title="System Specific Notes " href=
    "systemspecific.htm">
  </head>

  <body class="SECT1" bgcolor="#FFFFFF" text="#000000" link=
  "#0000FF" vlink="#840084" alink="#0000FF">
    <div class="NAVHEADER">
      <table summary="Header navigation table" width="100%" border=
      "0" cellpadding="0" cellspacing="0">
        <tr>
          <th colspan="3" align="center">LPRng-HOWTO: 1 Apr 2002
          (For LPRng-3.8.10)</th>
        </tr>

        <tr>
          <td width="10%" align="left" valign="bottom"><a href=
          "smb.htm" accesskey="P">Prev</a></td>

          <td width="80%" align="center" valign="bottom">Chapter 2.
          Installation</td>

          <td width="10%" align="right" valign="bottom"><a href=
          "systemspecific.htm" accesskey="N">Next</a></td>
        </tr>
      </table>
      <hr align="LEFT" width="100%">
    </div>

    <div class="SECT1">
      <h1 class="SECT1"><a name="SETUID">2.13. Security
      Concerns</a></h1>

      <p>While the <b class="APPLICATION">LPRng</b> software has
      been written with security as the primary goal there is
      always the problem with undetected errors in the <b class=
      "APPLICATION">LPRng</b> software that when exploited could
      compromise system security. The most serious concern is that
      of gaining ROOT (UID 0) permissions.</p>

      <p>The simplest way to handle this problem is to not install
      LPRng with <tt class="LITERAL">setuid ROOT</tt> permissions.
      Client programs will be able to connect to the <b class=
      "APPLICATION">lpd</b> server. Since the <b class=
      "APPLICATION">lpd</b> server is started by the system startup
      script with effective UID root, it is the only program in
      this suite that will have an privileged user id.</p>

      <p>A more radical step is to run the <b class=
      "APPLICATION">lpd</b> server as a non-privileged user
      entirely. However, the RFC1179 protocol specifies that the <b
      class="APPLICATION">lpd</b> TCP/IP port is 515 and <b class=
      "APPLICATION">lpd</b> requires root permissions to open and
      bind to port 515. The <b class="APPLICATION">lpd</b> server
      can use the <tt class="FUNCTION">setuid()</tt> system call
      after binding to this port do drop ROOT capabilities.
      However, in order to fully compatible with RFC1179, <b class=
      "APPLICATION">lpd</b> must originate connections from a <i
      class="EMPHASIS">reserved</i> port in the range 721-731,
      although in practice port 1-1023 seems to be acceptable.</p>

      <p>If inter-operability with non-<b class=
      "APPLICATION">LPRng</b> print spoolers is not desired, then
      it is <i class="EMPHASIS">trivial</i> to configure <b class=
      "APPLICATION">LPRng</b> to use a non-privileged port by using
      the <tt class="FILENAME">lpd.conf</tt> file. For example, in
      the <tt class="FILENAME">/etc/lpd.conf</tt> file, you only
      need to change the indicated lines:</p>

      <div class="INFORMALEXAMPLE">
        <a name="AEN1408"></a>
<pre class="SCREEN">
    # Purpose: lpd port
    #   default lpd_port=printer
    lpd_port=2000
    # or lpd_port=localhost%2000
</pre>
      </div>
      The <tt class="LITERAL">lpd_port</tt> specifies the
      (optional) IP address and port to which the <b class=
      "APPLICATION">lpd</b> server binds and to which the clients
      will connect. <b class="APPLICATION">LPRng</b> applications
      will connect to port 2000 to transfer jobs and ask for
      status. You can also use this facility to establish a <i
      class="EMPHASIS">private</i> set of print spoolers which can
      be used for testing See <a href="testing.htm">Testing and
      Diagnostic Facilities</a> for more details.<br>
      <br>

      <p>Some <i class="EMPHASIS">legacy</i> print filters are not
      <i class="EMPHASIS">meta-char-escape</i> proof. For example,
      suppose that a user decided to spool a job as follows:</p>

      <div class="INFORMALEXAMPLE">
        <a name="AEN1418"></a>
<pre class="SCREEN">
    <tt class="PROMPT">h4: {66} #</tt> <tt class=
"USERINPUT"><b>lpr "-J`;rm -rf /;`" /tmp/a</b></tt>
</pre>
      </div>
      This would create a job file with the line: 

      <div class="INFORMALEXAMPLE">
        <a name="AEN1422"></a>
<pre class="SCREEN">
    J`rm -rf /;`
</pre>
      </div>
      and gets passed to a print filter as 

      <div class="INFORMALEXAMPLE">
        <a name="AEN1424"></a>
<pre class="SCREEN">
    /usr/local/printfilter  -J`rm -rf /;`
</pre>
      </div>
      The observant reader will observe that the above line may
      have the most hideous consequences if it is processed by a
      shell. For this reason the <b class="APPLICATION">LPRng</b>
      software takes extreme precautions and <i class=
      "EMPHASIS">sanitizes</i> control file contents and file names
      so that they do not contain any control or
      metacharacters.<br>
      <br>

      <p>Finally, you can enable the use of a Unix socket for
      connections to the server on the localhost, and disable the
      <b class="APPLICATION">lpd</b> listening socket. This will
      prevent users not on your local host from connecting to the
      <b class="APPLICATION">lpd</b> server. This is done by
      enabling this with the <tt class="LITERAL">configure</tt> <tt
      class="LITERAL">--enable-unixsocket</tt> option, and then
      setting the <tt class="LITERAL">lpd_port</tt> value to 0.</p>
    </div>

    <div class="NAVFOOTER">
      <hr align="LEFT" width="100%">

      <table summary="Footer navigation table" width="100%" border=
      "0" cellpadding="0" cellspacing="0">
        <tr>
          <td width="33%" align="left" valign="top"><a href=
          "smb.htm" accesskey="P">Prev</a></td>

          <td width="34%" align="center" valign="top"><a href=
          "index.htm" accesskey="H">Home</a></td>

          <td width="33%" align="right" valign="top"><a href=
          "systemspecific.htm" accesskey="N">Next</a></td>
        </tr>

        <tr>
          <td width="33%" align="left" valign="top">SAMBA and <b
          class="APPLICATION">LPRng</b></td>

          <td width="34%" align="center" valign="top"><a href=
          "installation.htm" accesskey="U">Up</a></td>

          <td width="33%" align="right" valign="top">System
          Specific Notes</td>
        </tr>
      </table>
    </div>
  </body>
</html>