Mr. Cy Schubert wins the
'Total Abuse of Firewall Rules to Do Something Sneaky Award.'
I have to admit that this is rather clever... Not that I would
recommend doing it, you understand, just that it is rather clever...
Patrick ("Neat trick! I must remember this one") Powell
> From [EMAIL PROTECTED] Mon Jul 10 09:18:06 2000
> From: Cy Schubert - ITSD Open Systems Group <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> cc: [EMAIL PROTECTED]
> Subject: Re: LPRng lpd should not be SETUID root
> Date: Mon, 10 Jul 2000 09:17:09 -0700
>
> In message <[EMAIL PROTECTED]>, Patrick Powell writes:
> > Well, even in spite of all of my efforts, care, and paranoia, I
> > finally dropped the hammer on my foot. Luckily it appears that I
> > spotted this loophole before somebody on the LPRng mailing list did.
>
> Of course anyone who wishes to use LPRng in a mode where it is 100%
> compatible with lpr/lpd would need to give up this feature in order to
> plug this hole. I would think that the bug itself needs to be fixed
> too.
>
> > COMMENTARY:
> >
> > I would really like to see capability based permissions in UNIX
> > and other systems. All that 'lpd' needs is the ability to open
> > and bind to a 'reserved' port, i.e. 515 for listening, and open
> > and bind to a port in the 'reserved' range for outgoing connections.
>
> If print services would actually listen to port 1515 (example) then the
> following IP Filter NAT rule could be used to redirect packets to that
> port thereby allowing print services to not run as root. Sort of a
> poor man's approach to capabilities until they're implemented on all
> operating systems.
>
> rdr xl0 0/0 port 515 -> 127.0.0.1 port 1515 tcp
>
>
> Regards,                   Phone:    (250)387-8437
> Cy Schubert                Fax:      (250)387-5766
> Team Leader, Sun/DEC Team  Internet: [EMAIL PROTECTED]
> Open Systems Group, ITSD, ISTA
> Province of BC
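Added example, not code from the thread or from LPRng: a small Python check for an IP Filter rdr rule of the shape quoted above, plus a demonstration that the redirected-to port can be owned by an unprivileged process on loopback. It assumes the one-line rdr syntax shown in the message and that the daemon binds 127.0.0.1 only; the rule covers only the inbound listener, not the reserved source port for outgoing connections mentioned in the commentary.

```python
"""Constructed example: validate an ipf 'rdr' port redirect and show that the
target port needs no root to bind. Not LPRng code."""
from __future__ import annotations
import re
import socket
from dataclasses import dataclass

# Matches the simple form used in the thread:
#   rdr xl0 0/0 port 515 -> 127.0.0.1 port 1515 tcp
RDR_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+(?P<src>\S+)\s+port\s+(?P<from_port>\d+)"
    r"\s+->\s+(?P<to_addr>\S+)\s+port\s+(?P<to_port>\d+)\s+(?P<proto>tcp|udp)$"
)

@dataclass
class RdrRule:
    iface: str
    src: str
    from_port: int
    to_addr: str
    to_port: int
    proto: str

def parse_rdr(line: str) -> RdrRule:
    m = RDR_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a simple rdr rule: {line!r}")
    d = m.groupdict()
    return RdrRule(d["iface"], d["src"], int(d["from_port"]),
                   d["to_addr"], int(d["to_port"]), d["proto"])

def check_rdr(rule: RdrRule) -> list[str]:
    """Findings that defeat the point of the redirect; empty list means it is sound."""
    findings = []
    if rule.to_port < 1024:
        findings.append("target port is reserved: the daemon still needs root to bind it")
    if not rule.to_addr.startswith("127."):
        findings.append("target is not loopback: the port is reachable directly, bypassing the rule")
    if rule.proto != "tcp":
        findings.append("lpd speaks TCP: a udp rule redirects nothing useful")
    return findings

def bind_loopback(port: int) -> tuple[str, int]:
    """Bind a listener on 127.0.0.1:port as an ordinary user (port 0 = any free port).
    1515 works unprivileged; 515 would fail without root (or an equivalent capability)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("127.0.0.1", port))
        s.listen(1)
        return s.getsockname()

if __name__ == "__main__":
    rule = parse_rdr("rdr xl0 0/0 port 515 -> 127.0.0.1 port 1515 tcp")
    print(rule, check_rdr(rule) or "ok")
    print("listening on", bind_loopback(1515))
```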