Date: Mon, 24 Apr 2000 16:49:10 +0200 (CEST)
From: andreas@klemm.gtn.com
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/18198: owner of control file in spool dir is wrong when printing from remote
Message-ID: <200004241449.QAA78264@klemm.gtn.com>

>Number:         18198
>Category:       bin
>Synopsis:       owner of control file in spool dir is wrong if remote printing
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 24 08:10:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Andreas Klemm
>Release:        FreeBSD-5.0
>Organization:
FreeBSD
>Environment:

    FreeBSD titan.klemm.gtn.com 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Fri Apr 21 19:59:37 CEST 2000 root@titan.klemm.gtn.com:/usr/src/sys/compile/TITAN i386

>Description:

    lineprinter input filter is not able anymore to read control file
    of a print job, because control and data file have wrong owner.
    apsfilter needs some information from the cf and fails now when
    printing over network via lpd.

    This comes up because the permissions of control and data file
    are restrictive (660) (has this changed recently ??)

    This bug shows up only when a print job came from remote over
    network via lpd protocol.

>How-To-Repeat:

    install apsfilter as magic print filter, which needs to read some
    data from the control file of the print job.

    Try to print from a remote machine via lpd, this can be a Unix
    or NT print client.

    Enable debugging in apsfilter (set -x) and write out information
    of the id command to /tmp/apsfilter.id, to record the uid and gid
    under which the input filter runs.

    Result:
    - input filter runs under these ids:
        uid=1(daemon) gid=0(wheel) groups=0(wheel)
    - logfile shows this error:
        egrep: /var/spool/lpd/printer1-stcolor-a4-raw/\
        cfA796salome.klemm.gtn.com: Permission denied

    Now have a look at the permission of print files in the printers
    spool dir when starting a local print job, compared to a remote
    print session:

    a) remote print job - apsfilter fails to open the file

    root@titan{596} $ ll
    total 46
    -rw-r--r--  1 root    daemon      0 Apr 24 15:35 acct
    -r--r--r--  1 root    daemon  17952 Apr 24 15:35 apsfilterrc
    -rw-rw----  1 root    daemon     58 Apr 24 16:15 cfA796salome.klemm.gtn.com
     ^^ ^^        ^^^^    ^^^^^^
    -rw-rw----  1 root    daemon  18107 Apr 24 16:15 dfA796SALOME
    -rw-rw-r--  1 root    daemon     33 Apr 24 16:15 lock
    -rw-r--r--  1 root    daemon   7111 Apr 24 16:15 log
    -rw-rw-r--  1 root    daemon     26 Apr 24 16:15 status

    b) local print job - apsfilter is able to read the file

    root@titan{614} $ ll
    total 33
    -rw-r----x  1 root    daemon      4 Apr 24 16:18 .seq
    -rw-r--r--  1 root    daemon      0 Apr 24 15:35 acct
    -r--r--r--  1 root    daemon  17952 Apr 24 15:35 apsfilterrc
    -rw-rw----  1 daemon  daemon    129 Apr 24 16:18 cfA000titan.klemm.gtn.com
     ^^ ^^        ^^^^    ^^^^^^
    -rw-rw----  1 root    daemon   1598 Apr 24 16:18 dfA000titan.klemm.gtn.com
    -rw-rw-r--  1 root    daemon     32 Apr 24 16:18 lock
    -rw-r--r--  1 root    daemon   9160 Apr 24 16:18 log
    -rw-rw-r--  1 root    daemon     25 Apr 24 16:18 status

>Fix:

    Don't remember the behaviour before. All I can say is that ~ a month
    ago my wife was able to print this way until something changed.
    Possibly some security fixes ;-)

    Fix would be to
    1. change owner of control file to daemon as it is when
       printing locally
    2. change the permissions of the control file from 660 to 664

    I'd vote for 2. since I have still security problems with apsfilter
    I want to try to solve with a wrapper script.
    This wrapper should try to execute the apsfilter script either
    - under the permissions of the owner of the print job
    - under the user nobody

    For this purpose 664 would be really good for the control file only !!!

>Release-Note:
>Audit-Trail:
>Unformatted:
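
The access decision behind the "Permission denied" in the report above, as an added example that is not part of the original problem report and is not lpd code. The struct and function names are hypothetical, the numeric ids root = 0 and group daemon = 1 are assumptions (the report gives only uid=1 and gid=0 for the filter), and only the classic owner/group/other mode bits are modelled.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Hypothetical types for this example; not lpd or kernel structures. */
struct cred  { uid_t uid; gid_t gid; const gid_t *groups; int ngroups; };
struct fattr { uid_t uid; gid_t gid; mode_t mode; };

static int in_group(const struct cred *c, gid_t g)
{
    if (c->gid == g)
        return 1;
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return 1;
    return 0;
}

/* Classic Unix read check: exactly one class is consulted, in the order
 * owner, group, other. A matching class that lacks the bit denies access
 * even if a later class would grant it. uid 0 bypasses the check. */
int can_read(const struct cred *c, const struct fattr *f)
{
    if (c->uid == 0)
        return 1;
    if (c->uid == f->uid)
        return (f->mode & S_IRUSR) != 0;
    if (in_group(c, f->gid))
        return (f->mode & S_IRGRP) != 0;
    return (f->mode & S_IROTH) != 0;
}

/* Filter credentials from the report: uid=1(daemon) gid=0(wheel) groups=0(wheel). */
static const gid_t filter_groups[] = { 0 };
const struct cred FILTER = { 1, 0, filter_groups, 1 };

/* Control files from the two listings. Assumed numeric ids: root=0, daemon group=1. */
const struct fattr CF_REMOTE = { 0, 1, 0660 };  /* root:daemon   rw-rw---- */
const struct fattr CF_LOCAL  = { 1, 1, 0660 };  /* daemon:daemon rw-rw---- */
const struct fattr CF_FIX2   = { 0, 1, 0664 };  /* proposed fix 2: 664     */

int main(void)
{
    printf("remote cf, 660: %s\n", can_read(&FILTER, &CF_REMOTE) ? "read ok" : "denied");
    printf("local cf,  660: %s\n", can_read(&FILTER, &CF_LOCAL)  ? "read ok" : "denied");
    printf("remote cf, 664: %s\n", can_read(&FILTER, &CF_FIX2)   ? "read ok" : "denied");
    return 0;
}
```

Fix 2 succeeds through the "other" class, so with 664 the control file becomes readable by any local account that can reach the spool directory, not only by the filter.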