Patch-ID# 100305-15
Keywords: security passwd lpd lpr delete system lpstat -v
Synopsis: SunOS 4.1.1, 4.1.2, 4.1.3: lpr Jumbo Patch
Date: Apr/11/94

SunOS release: 4.1.1, 4.1.2, 4.1.3, 4.1.3C

Unbundled Product:

Unbundled Release:

Topic: lpd lpr lpc lpstat lprm lpq pac cancel

Xref: Patch 101434 is the 4.1.3_U1 version of this patch.

BugId's fixed with this patch: 1016437 1040453 1057834 1058003 1059620 1061504 1063772 1081850 1081968 1090527 1048004 1099009 1050628 1112342 1133067 1147821

Changes incorporated in this version: 1147821

Relevant Architecture: sparc
        NOTE: sun3(all), sun4(all)

Patches which may conflict with this patch:
        NOTE:100301 (obsoleted) 100696 (obsoleted) 100598 (obsoleted)

Obsoleted by:
        NOTE:5.0

Problem Description:

1161352 lpstat in patch 100305 core dumps (SIGSEGV) with -t option
1016437 lpd does not check file names for legality
1040453 lpd can be used by any user to delete any file on the system
1057834 lpd can be used to delete any file on the system
1058003 Reading from /dev/printer lpd does not check how much data it has read
1059620 lpr -r does not work on files that are nfs mounted.
1061504 lpd can still be used to delete any file on a system
1063772 It is possible to overwrite any file on the system using lpr/lpd
1081850 It is possible to delete a file with lpr -r that should not be able to.
1081968 lpr can be used to overwrite any file
1090527 lpstat -v only returns the second entry from printer alias list
1048004 lpr checks on the real user rather than the effective user
1099009 'lp -t' doesn't work; causes print job to fail.
1050628 Header banner 'A' is printed as 'a'.
1112342 lpc complains for > 32 tc= entries total in printcap, recursive or not
1133067 'lpr -s -t' can be used to remove any file in directory / (root).
1147821 lpd takes a long time to reconnect to server after it comes up.

INSTALL:

As root: first do a "ps ax |grep lpd" and kill off the currently running
lpd process. The return from ps should be something like:

          134 ?  IW    0:00 /usr/lib/lpd
        26753 p5 S     0:00 grep lpd

        # kill -9 {process id of lpd. in the above example this is 134}

Then save aside the FCS versions and change the modes so that they cannot
be misused:

        mv /usr/lib/lpd /usr/lib/lpd.FCS
        mv /usr/ucb/lpr /usr/ucb/lpr.FCS
        mv /usr/ucb/lprm /usr/ucb/lprm.FCS
        mv /usr/ucb/lpq /usr/ucb/lpq.FCS
        mv /usr/etc/lpc /usr/etc/lpc.FCS
        mv /usr/etc/pac /usr/etc/pac.FCS
        mv /usr/bin/lpstat /usr/bin/lpstat.FCS
        mv /usr/bin/cancel /usr/bin/cancel.FCS
        chmod 0400 /usr/lib/lpd.FCS /usr/ucb/lpr.FCS /usr/ucb/lprm.FCS /usr/ucb/lpq.FCS /usr/etc/lpc.FCS /usr/etc/pac.FCS /usr/bin/lpstat.FCS /usr/bin/cancel.FCS

Copy in the new versions, delete /dev/printer and create a directory
mode 750 owned by root, with group daemon, called /dev/lpd; then create
a symbolic link called /dev/printer that points to /dev/lpd/printer and
restart lpd.

        rm -f /dev/printer
        mkdir /dev/lpd
        chown root.daemon /dev/lpd
        chmod 710 /dev/lpd
        ln -s /dev/lpd/printer /dev/printer

        cp `arch`/{4.1.1,4.1.2,4.1.3}/lpd /usr/lib/lpd
        cp `arch`/{4.1.1,4.1.2,4.1.3}/lpr /usr/ucb/lpr
        cp `arch`/{4.1.1,4.1.2,4.1.3}/lprm /usr/ucb/lprm
        cp `arch`/{4.1.1,4.1.2,4.1.3}/lpq /usr/ucb/lpq
        cp `arch`/{4.1.1,4.1.2,4.1.3}/lpc /usr/etc/lpc
        cp `arch`/{4.1.1,4.1.2,4.1.3}/pac /usr/etc/pac
        cp `arch`/{4.1.1,4.1.2,4.1.3}/lpstat /usr/bin/lpstat
        cp `arch`/{4.1.1,4.1.2,4.1.3}/cancel /usr/bin/cancel

        chmod 6711 /usr/lib/lpd
        chmod 6711 /usr/ucb/lpr
        chmod 6711 /usr/ucb/lprm
        chmod 6711 /usr/ucb/lpq
        chmod 2711 /usr/etc/lpc
        chmod 755 /usr/etc/pac
        chmod 6711 /usr/bin/lpstat
        chmod 6711 /usr/bin/cancel

        chown root.daemon /usr/lib/lpd
        chown root.daemon /usr/ucb/lpr
        chown root.daemon /usr/ucb/lprm
        chown root.daemon /usr/ucb/lpq
        chown root.daemon /usr/etc/lpc
        chown root.staff /usr/etc/pac
        chown root.daemon /usr/bin/lpstat
        chown root.daemon /usr/bin/cancel

        rm -f /var/spool/lpd.lock
        /usr/lib/lpd

Last step: edit your /etc/rc file and change the line that removes the
/dev/printer file upon system startup so that it removes /dev/lpd/printer
instead. Note the change to "/dev/lpd/printer" from "/dev/printer"

/etc/rc:

Find the lines having to do with lpd startup:

if [ -f /usr/lib/lpd ]; then
        rm -f /dev/printer /var/spool/lpd.lock

Change (add) in the new location:

if [ -f /usr/lib/lpd ]; then
        rm -f /dev/lpd/printer /var/spool/lpd.lock
                   ^^^^ NEW

The results should look like:

if [ -f /usr/lib/lpd ]; then
        rm -f /dev/lpd/printer /var/spool/lpd.lock
        /usr/lib/lpd; echo -n ' printer'
fi
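
A post-install check for the steps above, added here as an example and not part of Sun's README: it compares the `ls -ld` mode strings of the installed and saved .FCS binaries with the chmod values listed, then checks the /dev/lpd directory, the /dev/printer link and /etc/rc. The function names and the ROOT prefix argument are assumptions of this example, and ownership is not checked.

```shell
#!/bin/sh
# Added example, not part of the Sun README. ROOT is a hypothetical path
# prefix: "" audits the live system, a directory audits a staged tree.
# Usage: check_lp_install "" && echo OK

mode_of() {   # first 10 characters of the ls -ld mode string, e.g. -rws--s--x
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

expect_mode() {   # expect_mode PATH MODESTRING; reports and sets bad on mismatch
    got=`mode_of "$ROOT$1"`
    [ "$got" = "$2" ] && return 0
    echo "MODE $1: want $2, got ${got:-missing}"
    bad=1
}

check_lp_install() {   # returns 0 when every check passes, 1 otherwise
    ROOT=$1
    bad=0
    # chmod 6711, 2711 and 755 from the README, written as ls mode strings
    for f in /usr/lib/lpd /usr/ucb/lpr /usr/ucb/lprm /usr/ucb/lpq \
             /usr/bin/lpstat /usr/bin/cancel; do
        expect_mode "$f" "-rws--s--x"
    done
    expect_mode /usr/etc/lpc "-rwx--s--x"
    expect_mode /usr/etc/pac "-rwxr-xr-x"
    # Saved FCS binaries, if kept, must be 0400 so the old copies cannot be run
    for f in /usr/lib/lpd /usr/ucb/lpr /usr/ucb/lprm /usr/ucb/lpq \
             /usr/etc/lpc /usr/etc/pac /usr/bin/lpstat /usr/bin/cancel; do
        if [ -f "$ROOT$f.FCS" ]; then expect_mode "$f.FCS" "-r--------"; fi
    done
    # The README text says mode 750 and its chmod line says 710; accept
    # either, but require a directory with no access at all for "other".
    case `mode_of "$ROOT/dev/lpd"` in
        d??????---) ;;
        *) echo "DIR /dev/lpd: missing or accessible to other"; bad=1 ;;
    esac
    case `ls -ld "$ROOT/dev/printer" 2>/dev/null` in
        l*" -> /dev/lpd/printer") ;;
        *) echo "LINK /dev/printer: not a symlink to /dev/lpd/printer"; bad=1 ;;
    esac
    # /etc/rc must no longer remove /dev/printer, which is now the symlink
    if grep 'rm -f /dev/printer' "$ROOT/etc/rc" >/dev/null 2>&1; then
        echo "RC /etc/rc: still removes /dev/printer at boot"; bad=1
    fi
    return $bad
}
```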