Whole document tree


www.fifi.org
    Documentation
        Manpages
        GNU Info
        Debian document tree
        Whole document tree
    Trigance web page
    Public services
    User info
    Mailing lists
    Secure server
    Multilingual usage
 

Copyright (C) 2000-2012
Philippe Troin
<webmaster@fifi.org>.

Validate HTML
Validate CSS

    

Whole document tree

Security Concerns
LPRng-HOWTO: 1 Apr 2002 (For LPRng-3.8.10)
Prev Chapter 2. Installation Next

2.13. Security Concerns

While the LPRng software has been written with security as the primary goal there is always the problem with undetected errors in the LPRng software that when exploited could compromise system security. The most serious concern is that of gaining ROOT (UID 0) permissions.

The simplest way to handle this problem is to not install LPRng with setuid ROOT permissions. Client programs will be able to connect to the lpd server. Since the lpd server is started by the system startup script with effective UID root, it is the only program in this suite that will have an privileged user id.

A more radical step is to run the lpd server as a non-privileged user entirely. However, the RFC1179 protocol specifies that the lpd TCP/IP port is 515 and lpd requires root permissions to open and bind to port 515. The lpd server can use the setuid() system call after binding to this port do drop ROOT capabilities. However, in order to fully compatible with RFC1179, lpd must originate connections from a reserved port in the range 721-731, although in practice port 1-1023 seems to be acceptable.

If inter-operability with non-LPRng print spoolers is not desired, then it is trivial to configure LPRng to use a non-privileged port by using the lpd.conf file. For example, in the /etc/lpd.conf file, you only need to change the indicated lines:

    # Purpose: lpd port
    #   default lpd_port=printer
    lpd_port=2000
    # or lpd_port=localhost%2000
The lpd_port specifies the (optional) IP address and port to which the lpd server binds and to which the clients will connect. LPRng applications will connect to port 2000 to transfer jobs and ask for status. You can also use this facility to establish a private set of print spoolers which can be used for testing See Testing and Diagnostic Facilities for more details.

Some legacy print filters are not meta-char-escape proof. For example, suppose that a user decided to spool a job as follows:

    h4: {66} # lpr "-J`;rm -rf /;`" /tmp/a
This would create a job file with the line: 
    J`rm -rf /;`
and gets passed to a print filter as 
    /usr/local/printfilter  -J`rm -rf /;`
The observant reader will observe that the above line may have the most hideous consequences if it is processed by a shell. For this reason the LPRng software takes extreme precautions and sanitizes control file contents and file names so that they do not contain any control or metacharacters.

Finally, you can enable the use of a Unix socket for connections to the server on the localhost, and disable the lpd listening socket. This will prevent users not on your local host from connecting to the lpd server. This is done by enabling this with the configure --enable-unixsocket option, and then setting the lpd_port value to 0.

Prev Home Next
SAMBA and LPRng Up System Specific Notes