> From [EMAIL PROTECTED] Sun Jul  9 19:04:04 2000
> Date: Sun, 9 Jul 2000 17:49:44 -0700 (PDT)
> From: andrew morgan <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: LPRng: Installing LPD Setuid Root Considered Harmful
>
>
>
> On Sun, 9 Jul 2000 [EMAIL PROTECTED] wrote:
>
> > Lars Kellogg-Stedman <[EMAIL PROTECTED]> was asking why
> > the 'lpd -L file' option required the file to exist.
> > 
> > As part of the reply,  I explained that:
> > 
> > if lpd was installed SETUID root
> > AND
> > if the user was able to do 'lpd -L /..../file'
> > AND
> > the file was writeable by the user that 'lpd' was running
> > as
> > 
> > THEN the file would have junk appended to the end of it.
> > 
> > This is the reason why you do not install lpd SETUID root.
> > 
> > So if you have your 'lpd' program installed 'setuid root' then
> > I recommend that you remove the setuid ASAP.
>
> I have LPRng 3.6.12 installed, and it appears that:
>
> lpd
> lpc
> lpq
> lpr
> lprm
> lpstat
>
> are suid root.  I have just removed suid from lpd.  Do any of these other
> utilities need to be suid?  What are the consequences of removing suid on
> each of these?

You will not be able to communicate directly to totally RFC1179 compliant
systems.  If you wish only to communicate with LPRng systems,  then SETUID
root is not required.

>
> I don't have any local users on this machine, but I do call some of these
> programs from perl cgi scripts and from samba/netatalk.
>
> Does lpstat do anything which lpq doesn't?  Is this just a replacement for
> systems which have lpstat normally?

Yes.  It just provides lpstat simulation.

>
> Thanks,
>
>       Andy

Patrick Powell                 Astart Technologies,
[EMAIL PROTECTED]            9475 Chesapeake Drive, Suite D,
Network and System             San Diego, CA 92123
  Consulting                   858-874-6543 FAX 858-279-8424 
LPRng - Print Spooler (http://www.astart.com)

-----------------------------------------------------------------------------
If you need help, send email to [EMAIL PROTECTED] (or lprng-requests
or lprng-digest-requests) with the word 'help' in the body.  For the impatient,
to subscribe to a list with name LIST,  send mail to [EMAIL PROTECTED]
with:                           | example:
subscribe LIST <mailaddr>       |  subscribe lprng-digest [EMAIL PROTECTED]
unsubscribe LIST <mailaddr>     |  unsubscribe lprng [EMAIL PROTECTED]

If you have major problems,  send email to [EMAIL PROTECTED] with the word
LPRNGLIST in the SUBJECT line.
-----------------------------------------------------------------------------
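
Added example (not part of the original message, and not LPRng's own code): a POSIX shell check for the setuid bit on the six programs listed in the question, with a helper that clears the bit only on the programs you name. The directories passed on the command line are assumptions about where the programs are installed.

```shell
#!/bin/sh
# Program names are the ones listed in the message above.
LPRNG_PROGS="lpd lpc lpq lpr lprm lpstat"

# audit_lprng DIR...
# Prints one "SETUID uid=<owner> <path>" line per program that still has
# the setuid bit. Returns 1 if any were found, 0 otherwise.
audit_lprng() {
    found=0
    for dir in "$@"; do
        for prog in $LPRNG_PROGS; do
            f="$dir/$prog"
            [ -f "$f" ] || continue
            if [ -u "$f" ]; then
                # -L follows symlinks so the owner is that of the real file
                owner=$(ls -lnL "$f" | awk '{print $3}')
                printf 'SETUID uid=%s %s\n' "$owner" "$f"
                found=1
            fi
        done
    done
    return "$found"
}

# clear_setuid DIR PROG...
# Drops the setuid bit from the named programs only, so lpr/lpq/lprm can be
# left alone if direct contact with strict RFC1179 systems is still needed.
clear_setuid() {
    dir=$1; shift
    for prog in "$@"; do
        case " $LPRNG_PROGS " in
            *" $prog "*) ;;
            *) echo "skip: $prog is not in the LPRng list" >&2; continue ;;
        esac
        if [ -u "$dir/$prog" ]; then
            chmod u-s "$dir/$prog"
        fi
    done
    return 0
}

# Stand-alone use: sh audit.sh /usr/bin /usr/sbin
if [ "$#" -gt 0 ]; then
    audit_lprng "$@"
fi
```

A uid=0 line for lpd is the case the thread says to fix first; clear_setuid /usr/sbin lpd does that (directory assumed).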
