I've checked this out myself and yes it seems that you can do this little trick. We all know that the LPD protocol is horribly insecure but is there anything that can be done about this? A simple if user='root' then check uid=0 would help. Of course if they've mangled the /etc/passwd file then they're probably doing ok anyway. Anyone heard from Patrick lately? ----- Forwarded message from xsdg <[EMAIL PROTECTED]> ----- [headers gone] Description: For enhanced security, I changed the username of my UID0 user (to "bob", for the purpose of the discussion). I recently ran `apsfilterconfig` as bob, and it told me that I needed to run `lpc reread`, so lprng would reload /etc/printcap and probably some other stuff. However, the following resulted: >[bob@~]#lpc reread >no permission to control server This in and of itself is a problem, because I am unable to de-queue jobs without shutting down lprng, and manually deleting the hf*, cf*, and df* files in the spooldir. As per someone's suggestion, I created a user name "root" with UID 1004, and was flabbergasted at the what occurred: >[bob@~]#su root -c "/usr/sbin/lpc reread" >lpd server pid 13294 on portal.xsdg.org, sending SIGHUP Do remember that "root" == UID1004. This, in my and others' opinions, is a gaping security hole. LPRng should determine who has permission to run administrative commands by the User ID, and _not_ the username. Just to deter any doubts, here is a slightly more unsettling example: Computer printing to remote printer: >21:47:38> [xsdg@~]$cat tmp.ps | lpr -V >LPRng-3.6.26, Copyright 1988-2000 Patrick Powell, <[EMAIL PROTECTED]> >sending job 'xsdg@cpp+720' to lp@localhost >connecting to 'localhost', attempt 1 >connected to 'localhost' >requesting printer lp@localhost >sending control file 'cfA720cpp.xsdg.org' to lp@localhost >completed sending 'cfA720cpp.xsdg.org' to lp@localhost >sending data file 'dfA720cpp.xsdg.org' to lp@localhost >completed sending 'dfA720cpp.xsdg.org' to lp@localhost >done job 'xsdg@cpp+720' transfer to lp@localhost Computer with printer attached: >21:46:33> [bob@~]#lpq >Printer: ljet3p@portal 'HP Laserjet IIIP' > Queue: 1 printable job > Server: pid 13533 active > Unspooler: pid 13535 active > Status: error 'JWRERR' at 21:49:06.663 > Rank Owner/ID Class Job Files Size Time >1 xsdg A 720 (stdin) 45613 21:47:46 > >21:49:10> [bob@~]#lprm - >Printer ljet3p@portal: > checking perms 'cfA720cpp.xsdg.org' > no permissions 'cfA720cpp.xsdg.org' > >21:49:13> [bob@~]#su root > >21:49:29> [root@/root]$lpq >Printer: ljet3p@portal 'HP Laserjet IIIP' > Queue: 1 printable job > Server: pid 13533 active > Unspooler: pid 13535 active > Status: error 'JWRERR' at 21:49:26.663 > Rank Owner/ID Class Job Files Size Time >1 xsdg A 720 (stdin) 45613 21:47:46 > >21:49:31> [root@/root]$lprm - >Printer ljet3p@portal: > checking perms 'cfA720cpp.xsdg.org' > dequeued 'cfA720cpp.xsdg.org' As a final reminder, please remember that "bob"==UID0, and "root"=UID1004. ----- End forwarded message ----- -- Craig Small VK2XLZ GnuPG:1C1B D893 1418 2AF4 45EE 95CB C76C E5AC 12CA DFA5 Eye-Net Consulting http://www.eye-net.com.au/ <[EMAIL PROTECTED]> MIEEE <[EMAIL PROTECTED]> Debian developer <[EMAIL PROTECTED]> ----------------------------------------------------------------------------- YOU MUST BE A LIST MEMBER IN ORDER TO POST TO THE LPRNG MAILING LIST The address you post from MUST be your subscription address If you need help, send email to [EMAIL PROTECTED] (or lprng-requests or lprng-digest-requests) with the word 'help' in the body. For the impatient, to subscribe to a list with name LIST, send mail to [EMAIL PROTECTED] with: | example: subscribe LIST <mailaddr> | subscribe lprng-digest [EMAIL PROTECTED] unsubscribe LIST <mailaddr> | unsubscribe lprng [EMAIL PROTECTED] If you have major problems, send email to [EMAIL PROTECTED] with the word LPRNGLIST in the SUBJECT line. -----------------------------------------------------------------------------
