> From [EMAIL PROTECTED] Thu Jul 13 18:31:58 2000
> Date: Fri, 14 Jul 2000 10:28:09 +1000
> To: [EMAIL PROTECTED]
> Subject: LPRng: Bug#67135: lprng: Default configs makes printers world-writable
> From: [EMAIL PROTECTED] (Craig Small)
>
> G'day,
>   I got this bug report yesterday and thought I would pass it on.  The
> problem is that lprng with its default lpd.perms allows anyone who can reach
> you to be able to print on your printers.
>
> I'm not sure this is such a good idea.  Any comments about this? Also what
> would be the best way to fix this without breaking things. Unfortunately
> I don't think
> REJECT SERVICE=X FORWARD
> would work.
>
> ----- Forwarded message from John Goerzen <[EMAIL PROTECTED]> -----
>
> The potato version of this package installs a lpd.perms that, while it does
> restrict the ability of people to run lpc on the system, does however allow any
> person to print to any printer on the machine on which it is installed, by
> default.
>
> This is very bad -- no package should open up local hardware to world write
> like this.
>
> ----- End forwarded message -----
>
> -- 
> Craig Small VK2XLZ  GnuPG:1C1B D893 1418 2AF4 45EE  95CB C76C E5AC 12CA DFA5
> Eye-Net Consulting http://www.eye-net.com.au/        <[EMAIL PROTECTED]>
> MIEEE <[EMAIL PROTECTED]>                 Debian developer <[EMAIL PROTECTED]>

Since there is no authentication with RFC1179,  then there is no
way to authenticate user requests.  So any user can impersonate
any other user.  If you are installing this on a system,  you may
want to, during install, ask the question 'printing only to users
on this system?' and if so,  then put the following line at the
start of the lpd.perms file.

REJECT NOT SERVER

I repeat:  this is a known problem with LPRng.  I have talked about
this since 1984,  and that is why there is Kerberos, PGP, MD5,
and user implemented authentication.

By the way,  sendmail has the same problem - try restricting mail
forwarding some time :-)

Patrick

Patrick Powell                 Astart Technologies,
[EMAIL PROTECTED]            9475 Chesapeake Drive, Suite D,
Network and System             San Diego, CA 92123
  Consulting                   858-874-6543 FAX 858-279-8424 
LPRng - Print Spooler (http://www.astart.com)
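
A check for the rule placement described in the reply above, as an added example that is not part of the original thread or of LPRng itself. It assumes lpd.perms rules are evaluated top to bottom with the first match deciding, that keywords are case-insensitive, and that a line starting with `#` is a comment; `audit`, `OPEN` and `LOCAL_ONLY` are constructed for illustration.

```python
"""Audit lpd.perms text: is REJECT NOT SERVER ahead of any rule that
could accept a request from another host?"""


def rules(text):
    """Yield (line_number, upper-cased tokens) for each rule line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield n, line.upper().split()


def local_only(tok):
    """True if the rule carries a bare SERVER key (not 'NOT SERVER'),
    so it can only match requests originating on the lpd host."""
    return any(t == "SERVER" and i > 0 and tok[i - 1] != "NOT"
               for i, t in enumerate(tok))


def audit(text):
    """Return (ok, line). ok is True when REJECT NOT SERVER is reached
    before any ACCEPT that a remote request could match; line is the
    rule that decided the result (None if the file never decides)."""
    for n, tok in rules(text):
        if tok == ["REJECT", "NOT", "SERVER"]:
            return True, n
        accepts = tok[0] == "ACCEPT" or tok[:2] == ["DEFAULT", "ACCEPT"]
        if accepts and not local_only(tok):
            return False, n
    return False, None


# Constructed sample matching the bug report: lpc is restricted, but
# everything else, including remote print jobs, falls through to ACCEPT.
OPEN = """\
# constructed sample, not the Debian file
ACCEPT SERVICE=C SERVER REMOTEUSER=root
REJECT SERVICE=C
DEFAULT ACCEPT
"""

# The same file with the suggested line placed at the start.
LOCAL_ONLY = "REJECT NOT SERVER\n" + OPEN

if __name__ == "__main__":
    for name, text in (("open", OPEN), ("local-only", LOCAL_ONLY)):
        ok, line = audit(text)
        print(f"{name}: {'ok' if ok else 'remote printing allowed'} (line {line})")
```
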
