Date: Sun, 3 Jun 2001 15:42:15 -0700 From: "Morgan Davis" <mdavis@cts.com> To: "'Garance A Drosihn'" <drosih@rpi.edu> Cc: "'Hajimu UMEMOTO'" <ume@mahoroba.org>, <freebsd-stable@FreeBSD.org>, <security@FreeBSD.org>, <freebsd-print@bostonradio.org> Subject: RE: Malformed from address Message-ID: <003f01c0ec7e$738b3030$271978d8@cts.com> In-Reply-To: <p05100e00b73f51369492@[128.113.24.47]>
next in thread | previous in thread | raw e-mail | index | archive | help
Garance wrote: > I also agree that administrators should > not have to patch and recompile lpd to get the behavior they want. Having it "work" like it used to is more of an expectation rather than a want. > >(My vote is for a runtime flag that disables port > > checking or allows you to specify your own acceptable range.) > > As a security matter, I think it should do the port checking by > default, and the option would be to turn that checking off. Agreed -- that was my suggestion. Do it by the book by default, but give us the ability to break it so we can work with broken clients. > a better (but more involved) fix would be to have two lists of > allowed hosts. That's an excellent idea. The system could then accommodate the sinners and the saints in relative security. > >truly log fatal() error messages, rather than spewing them > >uselessly into stdout (or the socket stream). > > Hmm. Not sure what you mean here. At least at RPI, we DO > get error messages in logfiles, at least for some kinds of > errors. What do you have for 'lpr'-ish entries in your > /etc/syslog.conf ? >.. > I know that we have SOME logfile entries when hosts are not in > hosts.lpd, for instance. If you look at all the calls to fatal() you'll see helpful troubleshooting information that doesn't make it into the logs. The only thing you'll get in either /var/log/messages or /var/log/lpd-errs are items such as: Jun 1 01:27:32 venus lpd[623]: lpd startup: logging=1 dbg Jun 1 01:27:32 venus lpd[623]: lpd startup: ready to accept requests Jun 2 03:17:37 venus lpd[1960]: lpd startup: logging=1 dbg Jun 2 03:17:38 venus lpd[1960]: lpd startup: ready to accept requests Jun 2 03:23:31 venus lpd[1960]: exiting on signal 15 Jun 2 03:24:24 venus lpd[2174]: lpd startup: logging=1 dbg Jun 2 03:24:24 venus lpd[2174]: lpd startup: ready to accept requests Jun 2 03:25:18 venus lpd[2174]: exiting on signal 15 (I'm running with the stock syslog.conf). During this 24+ hour period, I was generating "malformed from address" errors. That's why I ultimately had to resort to tcpdump to see what was going on. You can easily test it on your own system by using telnet to upset lpd and issue the "Malformed from address". You'll see it on your telnet session terminal, but if you look in lpd-errs or messages log, it's not in there, even with -l and -d enabled. What other fatal() messages are sent back to the client and are never known to the administrator? > Maybe we turn up logging, or maybe it's > just some other difference between RPI's lpd and freebsd's. You've made several references to RPI and FreeBSD versions of lpd, as if they're different. Are you not the code maintainer for FreeBSD's lpd? If not, who is "gad"? --Morgan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?003f01c0ec7e$738b3030$271978d8>