Date:      Sat, 02 Nov 1996 10:33:07 -0800
From:      Cy Schubert <cy@cwsys.cwent.com>
To:        Warner Losh <imp@village.org>
Cc:        Marc Slemko <marcs@znep.com>, security@freebsd.org
Subject:   Re: Vadim Kolontsov: BoS: Linux & BSD's lpr exploit 
Message-ID:  <199611021833.KAA00905@cwsys.cwent.com>
In-Reply-To: Your message of "Fri, 25 Oct 1996 18:16:59 MDT." <E0vGwQt-0002j6-00@rover.village.org> 

> In message <Pine.BSF.3.95.961025174911.27697E-100000@alive.ampr.ab.ca>
> Marc Slemko writes:  
> : I would also suggest that perhaps it is even worth scrapping lpr entirely. 
> : There are numerous other security changes in the OpenBSD source tree, and
> : even then I would bet there are still other problems with the code.
> 
> Yes.  There are a boatload.  And a bunch more just went in today.
> Many of them are very defensive programming, and seem to be somewhat
> sane.  I'm not sure how many of them should have some kind of warning
> generated when they are triggered.  It all depends on how paranoid you
> are :-).  I don't have a good answer for that.  At the very least
> OpenBSD will be much less likely to be breached, which is likely the
> most important thing.

Sorry for the lateness of this reply.  I've been spending the
morning catching up on the various mailing lists I subscribe to.

How about an LPRng port?  Then it would be up to each individual
sysadmin whether to use a possibly more secure non-BSD print
subsystem or the existing insecure print subsystem.  The port could
disable the BSD LPR/LPD by filing off the s and x bits.  If the
sysadmin opts to pkg_delete the LPRng package, the BSD print
subsystem would be re-enabled.


Regards,                       Phone:  (604)389-3827
Cy Schubert                    OV/VM:  BCSC02(CSCHUBER)
Open Systems Support          BITNET:  CSCHUBER@BCSC02.BITNET
ITSD                        Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

                "Quit spooling around, JES do it."


