Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 16 Aug 1998 15:45:28 +0200 (CEST)
From:      Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
To:        cschuber@uumail.gov.bc.ca
Cc:        andre.albsmeier@mchp.siemens.de, imp@village.org, freebsd-questions@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject:   Re: Found reason why lpr -r -s doesn't work as expected
Message-ID:  <199808161345.PAA19691@internal>
In-Reply-To: <199808151331.GAA01035@cwsys.cwsent.com> from Cy Schubert - ITSD Open Systems Group at "Aug 15, 98 06:31:54 am"
next in thread | previous in thread | raw e-mail | index | archive | help 
> > > In message <199808141807.UAA13224@internal> Andre Albsmeier writes:
> > > :                         if (strchr(line+1, '/'))
> > > :                                 continue;
> > > : This disables the removement of files starting with '/'. This was
> > > : introduced in version 1.14 according to the CVS log. However, I didn't
> > > : find an explanation  why this change was made. Is it a security hole?
> > > 
> > > Without this fix, people could remove any file on your system by
> > > having remote print access.
> > 
> > OK, and if remote access is disabled would it be safe? Have you got
> > any references how this exploit exactly works so I can figure out
> > what to do in order to be able to remove both files and without
> > making my machine insecure...
> 
> No.  By revoking remote access to your lpd, e.g. firewall, you would 
> still have an exposure that local users could exploit, which in this 
> case revoking access to local users would solve the problem.  I think 
> you get the picture...

OK, thanks for the info. I have now changed printjob.c so that removing
files containing '/' still is forbidden except when it starts with
'/var/spool/samba/'. It's ugly but works. But, I think this behaviuor
should be stated in the manual page of lpr. Now it says:

     -r      Remove the file upon completion of spooling or upon completion of
             printing (with the -s option).

     -s      Use symbolic links.  Usually files are copied to the spool direc-
             tory.  The -s option will use symlink(2) to link data files
             rather than trying to copy them so large files can be printed.


Thanks again,

	-Andre

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199808161345.PAA19691>