Hi folks. I have searched the list archive[1] for "user spoofing", "user authentication", "trust", and numerous other things, all without luck. I have also read most of the LPRng Reference Manual, and it doesn't seem to have the answer. If I have missed the obvious, apologies.

I'm interested in making sure users cannot use -U in order to get free print jobs[2]. I want to avoid PGP, SSL, Kerberos, passwords etc[3].

Here's my setup:

Managed clients: I have the root password, they don't. They can only log on with their own username and password, which we trust. LPRng is configured with lpd_listen_port=off to force the use of a local socket.

Server: only allowing connections from port numbers < 1024, so we trust that the connection is coming from an lpd server on a client, not a user talking the right protocol directly to the server.

In order to impersonate a user wanting free print jobs, I have recompiled lpr and lprm so that -U is allowed without checks. When lpr -U anon job.ps is run, it connects to the lpd process on the client using /var/run/lprng, but anon appears in the control file.

Would it be possible to use the system username instead of the supplied one? A fifo equivalent would be:

    [EMAIL PROTECTED] ~$ mkfifo fifo
    [EMAIL PROTECTED] ~$ ls fifo
    prw-r--r-- 1 me mygroup 0 Feb 5 16:10 fifo
    [EMAIL PROTECTED] ~$ cat fifo
    [text appears here]

In another xterm:

    [EMAIL PROTECTED] ~$ cat >>fifo
    [write text here]

In a third xterm:

    [EMAIL PROTECTED] ~$ lsof | grep fifo
    cat 16422 me 3r FIFO 0,16 445986 /home/me/fifo
    cat 16423 me 1w FIFO 0,16 445986 /home/me/fifo
    $

So we know the username of the process writing to the fifo, and can use it instead of the one spoofed with -U. Perhaps a lpd_listen_port=fifo option could be added?

If this has already been done, please accept my apologies and point me to the right documentation. If this needs writing, I would be happy to do so.

Thanks,
Ashley Chaloner
Department of Computer Science, University of Warwick, UK.

1. http://marc.theaimsgroup.com/?l=lprng&r=1&w=2
2. LPRng Reference Manual, Ch.18, paragraph 1
3. LPRng Reference Manual, Ch.17.1, third last paragraph ("While this model...")
