From: Garance A Drosihn
Date: Sun, 10 Mar 2002 21:25:29 -0500
To: freebsd-print@bostonradio.org
Cc: freebsd-audit@freebsd.org
Subject: Re: The group for /var/run/printer

At 12:44 AM -0500 3/5/02, Garance A Drosihn wrote to freebsd-print@bostonradio.org:
>There is a PR:
>
>http://www.FreeBSD.org/cgi/query-pr.cgi?pr=bin/17289
>
>which notices that /var/run/printer is created rwx to both the
>owner (root) and group (wheel). He notes that it would probably
>be better if it was not permitted to everyone in the wheel group.
>
>But this got me thinking. Shouldn't that be created with a group
>of daemon? All the lp* programs are setuid root (ick) and setgid
>daemon. If we could drop the need for setuid root, we'd still
>like that setgid daemon, assuming /var/run/printer is permitted
>to group daemon.

Well, here's an initial cut at my idea. This keys off a userid, where lpd gets the groupid to use based on the default group for that userid. I did it that way, because that's how the 'du / daemon.user' option works in printcap entries.

I added a '-u' parameter to lpd, so an administrator can specify an alternate userid, or completely skip the new chgrp-ish step.

This is basically a small subset of the code that lpd currently does in printjob.c (except that keys off the 'du' value).

No documentation update has been done yet, as I wanted to get feedback before writing any docs for it. Maybe I should drop the -u option, and instead have a -g option, for instance.

I'd like to do something along these lines sometime after the mini-code-slush is over for current.

Index: lpd/lpd.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/lpr/lpd/lpd.c,v retrieving revision 1.31 diff -u -r1.31 lpd.c --- lpd/lpd.c 23 Jul 2001 00:13:02 -0000 1.31 +++ lpd/lpd.c 11 Mar 2002 02:23:55 -0000 @@ -85,6 +85,7 @@ #include #include +#include #include #include #include @@ -128,10 +129,16 @@ #define LPD_NOPORTCHK 0001 /* skip reserved-port check */ #define LPD_LOGCONNERR 0002 /* (sys)log connection errors */ +#define NULL_UID (uid_t)-1 +#define NULL_GID (gid_t)-1 + int main(int argc, char **argv) { int ch_options, errs, f, funix, *finet, i, lfd, socket_debug; + char *remc; + gid_t lpd_gid; + uid_t lpd_uid4grp; fd_set defreadfds; struct sockaddr_un un, fromunix; struct sockaddr_storage frominet; @@ -145,6 +152,8 @@ ch_options = 0; socket_debug = 0; + lpd_uid4grp = DEFUID; + lpd_gid = NULL_GID; gethostname(local_host, sizeof(local_host)); progname = "lpd"; @@ -153,7 +162,7 @@ errx(EX_NOPERM,"must run as root"); errs = 0; - while ((i = getopt(argc, argv, "cdlpwW46")) != -1) + while ((i = getopt(argc, argv, "cdlpu:wW46")) != -1) switch (i) { case 'c': /* log all kinds of connection-errors to syslog */ @@ -168,6 +177,18 @@ case 'p': pflag++; break; + case 'u': + i = strtol(optarg, &remc, 10); + if (*remc) { + syslog(LOG_ERR, + "Bad argument to -u, number expected"); + errs++; + } + if (i >= 0) + lpd_uid4grp = i; + else + lpd_uid4grp = NULL_UID; + break; case 'w': /* netbsd uses -w for maxwait */ /* * This will be removed after the release of 4.4, as @@ -215,6 +236,18 @@ family = PF_UNSPEC; argc -= optind; argv += optind; + if ((lpd_uid4grp != NULL_UID) && (lpd_gid != NULL_GID)) { + struct passwd *pwd; + + pwd = getpwuid(lpd_uid4grp); + if (pwd == NULL) { + syslog(LOG_ERR, "lpd startup: Can not find " + "uid %d (for default-gid) in password file", + lpd_uid4grp); + errs++; + } + lpd_gid = pwd->pw_gid; + } if (errs) usage(); 
@@ -332,6 +365,12 @@ syslog(LOG_ERR, "ubind: %m"); exit(1); } + if (lpd_gid != NULL_GID) { + if (chown(_PATH_SOCKETNAME, (uid_t)-1, lpd_gid)) { + syslog(LOG_ERR, "lpd startup: chown(%s,,%d): %m", + _PATH_SOCKETNAME, lpd_gid); + } + } (void) umask(0); sigprocmask(SIG_SETMASK, &omask, (sigset_t *)0); FD_ZERO(&defreadfds); @@ -911,9 +950,9 @@ usage(void) { #ifdef INET6 - fprintf(stderr, "usage: lpd [-cdlpW46] [port#]\n"); + fprintf(stderr, "usage: lpd [-cdlpW46] [-u ] [port#]\n"); #else - fprintf(stderr, "usage: lpd [-cdlpW] [port#]\n"); + fprintf(stderr, "usage: lpd [-cdlpW] [-u ] [port#]\n"); #endif exit(EX_USAGE); } -- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
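Review bot: In the hunk at @@ -128,10 +129,16 @@, the new NULL_UID and NULL_GID macros expand to an unparenthesised cast expression, (uid_t)-1 and (gid_t)-1. Wrap each definition in an outer pair of parentheses, ((uid_t)-1) and ((gid_t)-1), so the macros stay safe if they are ever used next to another operator.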
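Review bot: In the case 'u' hunk at @@ -168,6 +177,18 @@, the argument check only tests *remc, so an empty argument passes and is taken as uid 0, and the long returned by strtol() is stored into the int i with no range or errno check, so an out-of-range value is silently truncated. After the "Bad argument" branch does errs++ the code also still falls through and assigns lpd_uid4grp from the bad value. Suggest parsing into a long, rejecting the argument when remc == optarg, when *remc is not NUL, or when errno is ERANGE, and doing break straight after errs++. Any negative number also switches the group change off without that being stated anywhere; a comment on the else branch would help until the documentation is written.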
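Review bot: In the hunk at @@ -215,6 +236,18 @@, when getpwuid() returns NULL the code does errs++ and then still executes lpd_gid = pwd->pw_gid, which dereferences the NULL pointer before the following if (errs) usage() is reached; move the assignment into an else branch. Separately, the guard tests lpd_gid != NULL_GID, but lpd_gid is initialised to NULL_GID near the top of main() and nothing shown in this patch assigns it before this point, so the lookup (and with it the later chown) never runs; the second half of the test looks like it should be lpd_gid == NULL_GID. The syslog() call also passes a uid_t to %d; cast the argument to match the format.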
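Review bot: In the hunk at @@ -332,6 +365,12 @@, a failed chown() of _PATH_SOCKETNAME is only logged and lpd carries on with the socket in whatever group it was created with, so the group the administrator asked for is silently not applied. Consider handling it like the bind failure just above (log, then exit(1)), or at least state in a comment that continuing is intended. The chown runs after the bind, so the socket exists for a short time with its original group, and the patch changes only the group, not the mode that the PR was about. The %d in the log message is given a gid_t; cast the argument to match.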