Date: Tue, 17 Nov 1998 12:29:17 -0500
From: Garance A Drosihn <drosih@rpi.edu>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: making 'lpd' under FreeBSD more secure
Message-ID: <v0401170db2775dfbe1a1@[128.113.24.47]>
In-Reply-To: <199811170527.VAA23429@apollo.backplane.com>
References: <199811162114.PAA06569@s07.sa.fedex.com>

The "would this make FreeBSD more secure?" thread has expanded a bit from the original topic. I had no opinion on the original topic, but I do have a lot of interest in one sub-topic that came up later on. Hopefully no one will mind if I spin that into a different thread...

In my case, I don't use freebsd on any servers I run here (for the RPI campus), but I do use a modified version of freebsd's lpr suite on all our public workstations, and printing from all other platforms go thru our unix print servers, so I'm keenly interested in the one topic of lpr/lpd.

At 9:27 PM -0800 11/16/98, Matthew Dillon wrote:
> Someone else wrote:
>: I'm not convinced that sendmail and lpd require TCAPF_LOWPORT.
>: I think inetd and the 'wait' attribute can do what they need,
>: but I'm all for adding the solution as defined above [for other
>: programs].
>
> I don't think they need it either, as long as sendmail and
> lpd are started as root and setuid() themselves after binding
> the port I'd be happy.

I think lpd needs root access for more than just binding to the port, although I haven't looked at the code yet to remember why I think that...

Still, someone recently went thru the other programs (lpr, lpc, etc) adding seteuid() calls so that those programs are root only where they need to be root. It would be a good idea to do this for lpd too, and would reduce the security exposure in a way that I could benefit when using the same source on other operating systems.

I should write up some more specific suggestions here, but I don't have the time right now. Mainly I'm just hoping to get all the lpd-related ideas in this thread, so I can go back to ignoring the other, busier thread. :-)

---
Garance Alistair Drosehn = gad@eclipse.its.rpi.edu
Senior Systems Programmer or drosih@rpi.edu
Rensselaer Polytechnic Institute

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
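
Added example, not part of the original message and not code from FreeBSD's lpd: a sketch of the "start as root, bind the port, then setuid()" pattern quoted above, with the drop verified so that a failed drop is fatal. The function names and the fallback uid/gid 1 in main() are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <grp.h>
#include <string.h>
#include <unistd.h>

/* Bind a TCP listener while still privileged. lpd's port 515 needs root;
 * port 0 lets the kernel choose, so the sketch also runs unprivileged. */
int bind_listener(unsigned short port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently give up root: supplementary groups, then gid, then uid.
 * Returns 0 only if every step worked and root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) return -1;               /* "dropping" to root is a bug */
    if (geteuid() == 0 && setgroups(1, &gid) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    /* The saved uid must be gone too: any way back to root is a failure. */
    if (setuid(0) == 0 || seteuid(0) == 0) return -1;
    return (getuid() == uid && geteuid() == uid && getgid() == gid) ? 0 : -1;
}

int main(void)
{
    /* Assumed target ids: the caller's own, or 1 when started as root. */
    uid_t uid = getuid() ? getuid() : 1;
    gid_t gid = getuid() ? getgid() : 1;
    int fd = bind_listener(0);             /* lpd would pass 515 as root */
    if (fd < 0 || drop_privileges(uid, gid) < 0) return 1;
    /* ... accept() and service print jobs on fd without root ... */
    close(fd);
    return 0;
}
```

A daemon that still needs root for a few later operations, as the message suspects lpd does, cannot use this permanent drop as is and would instead bracket those operations with seteuid().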