From owner-freebsd-security Tue Nov 17 09:30:05 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA10580 for freebsd-security-outgoing; Tue, 17 Nov 1998 09:30:05 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail1.its.rpi.edu (mail1.its.rpi.edu [128.113.100.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA10420 for ; Tue, 17 Nov 1998 09:29:56 -0800 (PST) (envelope-from drosih@rpi.edu)
Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail1.its.rpi.edu (8.8.8/8.8.6) with ESMTP id MAA109226; Tue, 17 Nov 1998 12:30:07 -0500
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Sender: drosih@pop1.rpi.edu
Message-Id:
In-Reply-To: <199811170527.VAA23429@apollo.backplane.com>
References: <199811162114.PAA06569@s07.sa.fedex.com>
Date: Tue, 17 Nov 1998 12:29:17 -0500
To: Matthew Dillon
From: Garance A Drosihn
Subject: Re: making 'lpd' under FreeBSD more secure
Cc: freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The "would this make FreeBSD more secure?" thread has expanded a
bit from the original topic. I had no opinion on the original
topic, but I do have a lot of interest in one sub-topic that came
up later on. Hopefully no one will mind if I spin that into a
different thread...

In my case, I don't use freebsd on any servers I run here (for the
RPI campus), but I do use a modified version of freebsd's lpr suite
on all our public workstations, and printing from all other platforms
goes thru our unix print servers, so I'm keenly interested in the one
topic of lpr/lpd.

At 9:27 PM -0800 11/16/98, Matthew Dillon wrote:
> Someone else wrote:
>: I'm not convinced that sendmail and lpd require TCAPF_LOWPORT.
>: I think inetd and the 'wait' attribute can do what they need,
>: but I'm all for adding the solution as defined above [for other
>: programs].
>
> I don't think they need it either, as long as sendmail and
> lpd are started as root and setuid() themselves after binding
> the port I'd be happy.

I think lpd needs root access for more than just binding to the
port, although I haven't looked at the code yet to remember why
I think that...

Still, someone recently went thru the other programs (lpr, lpc, etc)
adding seteuid() calls so that those programs are root only where
they need to be root. It would be a good idea to do this for lpd
too, and would reduce the security exposure in a way that I could
benefit when using the same source on other operating systems.

I should write up some more specific suggestions here, but I don't
have the time right now. Mainly I'm just hoping to get all the
lpd-related ideas in this thread, so I can go back to ignoring the
other, busier thread. :-)

---
Garance Alistair Drosehn           =   gad@eclipse.its.rpi.edu
Senior Systems Programmer               or  drosih@rpi.edu
Rensselaer Polytechnic Institute

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message