From owner-freebsd-stable Sun Aug 16 06:46:40 1998
From: Andre Albsmeier
Message-Id: <199808161345.PAA19691@internal>
Subject: Re: Found reason why lpr -r -s doesn't work as expected
In-Reply-To: <199808151331.GAA01035@cwsys.cwsent.com> from Cy Schubert - ITSD Open Systems Group at "Aug 15, 98 06:31:54 am"
To: cschuber@uumail.gov.bc.ca
Date: Sun, 16 Aug 1998 15:45:28 +0200 (CEST)
Cc: andre.albsmeier@mchp.siemens.de, imp@village.org, freebsd-questions@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG

> > > In message <199808141807.UAA13224@internal> Andre Albsmeier writes:
> > > : if (strchr(line+1, '/'))
> > > :         continue;
> > > : This disables the removal of files starting with '/'. This was
> > > : introduced in version 1.14 according to the CVS log.
> > > : However, I didn't find an explanation why this change was made.
> > > : Is it a security hole?
> > >
> > > Without this fix, people could remove any file on your system by
> > > having remote print access.
> >
> > OK, and if remote access is disabled would it be safe? Have you got
> > any references how this exploit exactly works so I can figure out
> > what to do in order to be able to remove both files and without
> > making my machine insecure...
>
> No. By revoking remote access to your lpd, e.g. firewall, you would
> still have an exposure that local users could exploit, which in this
> case revoking access to local users would solve the problem. I think
> you get the picture...

OK, thanks for the info. I have now changed printjob.c so that
removing files containing '/' still is forbidden except when it
starts with '/var/spool/samba/'. It's ugly but works.

But, I think this behaviour should be stated in the manual page
of lpr. Now it says:

     -r      Remove the file upon completion of spooling or upon completion of
             printing (with the -s option).

     -s      Use symbolic links.  Usually files are copied to the spool
             directory.  The -s option will use symlink(2) to link data files
             rather than trying to copy them so large files can be printed.

Thanks again,

	-Andre
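Added example, not part of Andre's message and not code from FreeBSD's printjob.c: one way to write the exception he describes so that a name beginning with '/var/spool/samba/' cannot climb back out of that directory through ".." components. The helper name may_unlink, the restriction to a single file name below the prefix, and the sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Directory exempted from the '/' rule in the message; must end in '/'. */
#define SAMBA_SPOOL "/var/spool/samba/"

/*
 * May a file name taken from a print job be removed? 1 = yes, 0 = no.
 * Hypothetical helper for illustration, not a function from printjob.c.
 */
int
may_unlink(const char *name)
{
	size_t plen = strlen(SAMBA_SPOOL);

	/* Refuse empty names and the directory entries themselves. */
	if (name[0] == '\0' || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
		return 0;
	/* No '/': a file in the spool directory; the quoted check allows it. */
	if (strchr(name, '/') == NULL)
		return 1;
	/* Any other name must sit under the one exempted directory. */
	if (strncmp(name, SAMBA_SPOOL, plen) != 0)
		return 0;
	/*
	 * A bare prefix match would also accept
	 * "/var/spool/samba/../../etc/passwd", so the remainder must be a
	 * single component that is neither "." nor "..".
	 */
	name += plen;
	if (name[0] == '\0' || strchr(name, '/') != NULL)
		return 0;
	return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

int
main(void)
{
	/* Constructed sample names, not taken from a real job. */
	const char *samples[] = { "dfA001host", "/etc/passwd",
	    "/var/spool/samba/job.ps", "/var/spool/samba/../../etc/passwd" };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-36s %s\n", samples[i],
		    may_unlink(samples[i]) ? "remove" : "refuse");
	return 0;
}
```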