Severe bug in lp(1) - also security violator
l.mark.larsen
lml at cbnews.cb.att.com
Tue Apr 16 07:03:38 AEST 1991
I discovered the bug in lpsched a few years ago and even posted the information
and a source code fix to this newsgroup. As you have observed, lpsched has a
rather nasty bug that causes files to be dequeued upon termination of the
interface script - regardless of success or failure. For those without source
code, it is fairly trivial to code the interface script to take into account
this "feature" - which is what I did for the machines I administer. If anyone
wants a copy of how I did it, I would be happy to send one.
For those with source, here is the diff of the original vs. the fixed versions
of lpsched.c:
608c608
< resetstatus(1, 1);
---
> fclose(rfile);
609a610
> resetstatus(0, 1);
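Review bot: the resetstatus(0, 1) added after line 609 and the resetstatus(1, 1) that the following hunk places at line 617 differ only in a bare literal first argument, so neither call site shows which one leaves the request queued. A one-line comment on each call, or named constants for that argument, would make the two outcomes distinguishable to the next reader.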
616,617c617
< fclose(rfile);
< unlink(rname);
---
> resetstatus(1, 1);
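Review bot: unlink(rname) at old line 617 is removed with no replacement anywhere in the visible diff. If resetstatus() does not remove rname itself, the file is left behind once the request completes; please confirm where it is removed now, or keep the unlink on the path that ends in resetstatus(1, 1).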
705c705
< * if dflag != 0 then delete outputq entry and remove associated data
---
> * if oflag != 0 then delete outputq entry and remove associated data
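Review bot: the comment at line 705 now names oflag, but no code line in this diff touches dflag or oflag, so only the comment changes here. Please check that the function's parameter and its test are actually spelled oflag; if the code still uses dflag, the comment should keep matching it.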
Note that the entire LP package was rewritten and expanded in SVR3.2. The
lpsched bug was fixed as a side-effect. Three new features were added:
access to forms, easier administration of filters and a menu interface for
administration. Lpsched is now setuid root but does setuid() before calling
the interface script. Lp is no longer setuid/setgid, so your second problem
will also disappear. In the meantime, as someone else suggested, you can
put a wrapper around the lp command to make sure protected files are sent
to the real lp program via stdin. I did something similar but for a very
different reason.
regards,
L. Mark Larsen
lml at atlas.att.com
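The wrapper workaround mentioned in the post, as an added example (not L. Mark Larsen's code and not part of the original message): the wrapper opens each file operand itself, under the invoking user's own permissions, and hands the data to the real lp on stdin as a single request. The `REAL_LP` path is hypothetical, and option arguments are assumed to be attached to their flag (`-dprinter`).

```sh
#!/bin/sh
# Added example (not from the original post). REAL_LP is a hypothetical
# location for the renamed vendor lp binary.
REAL_LP=${REAL_LP:-/usr/bin/lp.real}

# Write the contents of the file operands among the first $1 arguments.
# The shell opens each file with the invoking user's own permissions.
cat_operands() {
    cnt=$1; shift
    while [ "$cnt" -gt 0 ]; do
        case $1 in
            -?*) ;;                          # option, not a file
            *)   cat < "$1" || return 1 ;;
        esac
        shift; cnt=$((cnt - 1))
    done
}

lp_wrap() {
    n=$#; nfiles=0
    for a in "$@"; do
        case $a in
            -?*) set -- "$@" "$a" ;;         # append option after the originals
            *)   # a lone "-" is not a regular file and is rejected here
                 if [ ! -f "$a" ] || [ ! -r "$a" ]; then
                     echo "lp: cannot read $a" >&2
                     return 1
                 fi
                 nfiles=$((nfiles + 1)) ;;
        esac
    done
    if [ "$nfiles" -eq 0 ]; then             # no files: lp reads our stdin as usual
        shift "$n"
        "$REAL_LP" "$@"
        return
    fi
    # "$@" is now the n original arguments followed by the options only.
    cat_operands "$n" "$@" | ( shift "$n"; exec "$REAL_LP" "$@" )
}

# Run as the lp command when installed under that name.
if [ "${0##*/}" = lp ]; then lp_wrap "$@"; fi
```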