Date:      Thu, 06 Jul 2000 20:04:55 -0700
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        Cy Schubert - ITSD Open Systems Group <Cy.Schubert@osg.gov.bc.ca>
Cc:        papowell@astart.com, sheldonh@uunet.co.za, andrews@technologist.com, arch@FreeBSD.ORG, will@almanac.yi.org
Subject:   Re: was: Bringing LPRng into FreeBSD? 
Message-ID:  <200007070305.e67351q73464@cwsys.cwsent.com>
In-Reply-To: Your message of "Thu, 06 Jul 2000 19:46:53 PDT." <200007070247.e672l2R73279@cwsys.cwsent.com> 

Oops.  Looks like I was wrong.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

In message <200007070247.e672l2R73279@cwsys.cwsent.com>, Cy Schubert - ITSD Open Systems Group writes:
> In message <200007060333.UAA23827@h4.private>, papowell@astart.com 
> writes:
> > > From sheldonh@axl.ops.uunet.co.za Mon Jun 26 02:46:32 2000
> > > From: Sheldon Hearn <sheldonh@uunet.co.za>
> > > To: arch@FreeBSD.ORG
> > > cc: papowell@astart.com
> > > Subject: Re: was: Bringing LPRng into FreeBSD? 
> > > Date: Mon, 26 Jun 2000 11:46:23 +0200
> > >
> > >
> > > Could someone just enumerate the advantages of importing LPRng?  It
> > > seems to be a package which can be made to do everything FreeBSD's lpr
> > > can do, but it does not seem to be a superset of FreeBSD's lpr.  This
> > > means that there is a cost associated with bringing it in as a
> > > replacement.
> > >
> > > Are we sure that the cost is justified?  Is it so much better than the
> > > existing lpr that having it available as a port is "not enough"?
> > >
> > > I have no strong opinion one way or the other, but I do get the feeling
> > > that this thread has skipped an important issue, instead focusing on
> > > licensing.  This looks like a little cart before horse.
> > 
> > I started the work on LPRng with one major goal in mind: make it
> > secure when used in a Computer Science Laboratory.  For example,
> > LPRng does not need to run SETUID root unless compatibility with
> > vintage or legacy printing systems such is required.  The code is
> > extremely paranoid about all buffer sizes, string lengths, and so
> > forth, and goes to great lengths to check for various known hacker
> > attacks as well.  In addition, there are facilities to use
> > encryption and Kerberos based authentication to prevent abuse
> > of the printing system.
> 
> An additional degree of security can be obtained by removing the setuid 
> bit from Berkeley lpr and running it setgid "lpr".  One could even turn 
> off the setgid bit and make the lpd spool directories world writable 
> with the sticky bit turned on.  Of course this comes at the price of 
> reduced functionality, e.g. lpr -r won't work any more.
> 
> I'd suggest making lpr setgid "lpr" or running LPRng "secured" and 
> providing instructions or a script for sysadmins to enable/disable the 
> additional functionality by turning on/off the setuid bit.
> 
> Posix.1e will go a long way to mitigate some of these issues and may 
> make much of this moot.
> 
> 
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                      Fax:  (250)387-5766
> Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC
> 
> 
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-arch" in the body of the message
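The quoted message proposes dropping the setuid bit from lpr in favour of setgid "lpr", or using a world-writable spool directory with the sticky bit. The following is an added example, not part of the thread or of FreeBSD or LPRng, showing how an administrator could check which of those states a binary and a spool directory are in. The function names are hypothetical, and the demo works on constructed stand-in files in a temporary directory rather than on the real lpr or spool paths.

```shell
#!/bin/sh
# has_bits PATH OCTAL: succeeds when every bit in OCTAL is set on PATH.
# find -prune -perm works the same with GNU and BSD find.
has_bits() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_binary PATH: report the strongest privilege bit on a program.
audit_binary() {
    if has_bits "$1" 4000; then echo setuid
    elif has_bits "$1" 2000; then echo setgid
    else echo plain
    fi
}

# audit_spool DIR: a world-writable spool directory is only tolerable
# with the sticky bit, which stops users removing each other's files.
audit_spool() {
    if has_bits "$1" 0002; then
        if has_bits "$1" 1000; then echo world-writable+sticky
        else echo world-writable-NO-sticky
        fi
    else
        echo restricted
    fi
}

# demo: constructed stand-ins for the lpr binary and a spool directory.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/lpr"
    mkdir "$d/spool"
    chgrp "$(id -g)" "$d/lpr"      # own group, so setgid can be set unprivileged
    chmod 4555 "$d/lpr"            # starting point: setuid
    before=$(audit_binary "$d/lpr")
    chmod u-s,g+s "$d/lpr"         # the suggestion: drop setuid, add setgid
    after=$(audit_binary "$d/lpr")
    chmod 0777 "$d/spool"          # world-writable without sticky bit
    spool_open=$(audit_spool "$d/spool")
    chmod 1777 "$d/spool"          # world-writable with sticky bit
    spool_sticky=$(audit_spool "$d/spool")
    rm -rf "$d"
    echo "$before $after $spool_open $spool_sticky"
}
```

Call `audit_binary` and `audit_spool` on the installed lpr programs and spool directories to see their current state before changing any mode bits.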
