From: erics@now.com (Eric Siegerman)
Subject: Re: Found reason why lpr -r -s doesn't work as expected
To: andre.albsmeier@mchp.siemens.de (Andre Albsmeier)
Date: Wed, 19 Aug 1998 21:58:58 -0400
Cc: freebsd-stable@FreeBSD.ORG
In-Reply-To: <199808161345.PAA19691@internal> from "Andre Albsmeier" at Aug 16, 98 09:45:28 am

Andre Albsmeier wrote:
> I have now changed printjob.c so that removing
> files containing '/' still is forbidden except when it starts with
> '/var/spool/samba/'. It's ugly but works. But, I think this behaviour
> should be stated in the manual page of lpr. Now it says:
>
>  -r    Remove the file upon completion of spooling or upon completion of
>        printing (with the -s option).
>
>  -s    Use symbolic links. Usually files are copied to the spool directory.
>        The -s option will use symlink(2) to link data files
>        rather than trying to copy them so large files can be printed.

Why not instead make "lpr -r" (without -s) act like mv(1): try to
rename the file into /var/spool/output, and only copy-and-unlink if
the rename fails? If you have /var/spool/samba and /var/spool/output
on the same filesystem, you'd avoid the extra file copy, without
introducing either new security holes or the ugly special case.

(One could conceivably go a step further by having "lpr" (with
neither -r nor -s) try to hard-link the file into the spool
directory. Bad idea; it would change the original file's st_ctime
behind the user's back, when they thought they were only reading the
file.)

Rasmus Kaj wrote:
> A 'serious' way to fix this (IMHO) would be to make lpd su to the user
> that requested the printout before removing any file at all. But this
> would probably be very hard to do ... Obvious catch: a remote user
> might print without even having an account on the host where lpd
> runs.

Well, any file that wasn't created by lpr. Otherwise it'd keep lpd
from removing files from /var/spool/output.

Besides which, as you were probably thinking, this would require
adding -- and security-auditing -- machinery to pass the userid from
lpr to lpd.

--
|  | /\
|-_|/  >   Eric Siegerman, Toronto, Ont.        erics@now.com
|  |  /
The Rock & Roll Baby Theorem:
    Syllables(x+"baby") = Syllables("baby"+x) = Syllables(x) + 2
    SemanticContent(x+"baby") = SemanticContent("baby"+x) = SemanticContent(x)
        - Anonymous