Re: LPRng lpd should not be SETUID root

[Cy.Schubert () UUMAIL GOV BC CA (Cy Schubert - ITSD Open Systems Group)]

In message <200007092318.QAA21788@h4.private>, Patrick Powell writes:
> Well,  even in spite of all of my efforts, care, and paranoia, I
> finally dropped the hammer on my foot.  Luckily it appears that I
> spotted this loophole before somebody on the LPRng mailing list did.

Of course anyone who wishes to use LPRng in a mode where it is 100%
compatible with lpr/lpd, would need to give up this feature in order to
plug this hole.  I would think that the bug itself needs to be fixed
too.

> COMMENTARY:
>
> I would really like to see capability based permissions in UNIX
> and other systems.  All that 'lpd' needs is the ability to open
> and bind to a 'reserved' port, i.e. 515 for listening, and open
> and bind to a port in the 'reserved' range for outgoing connections.

If print services would actually listen to port 1515 (example) then the
following IP Filter NAT rule could be used to redirect packets to that
port thereby allowing print services to not run as root.  Sort of a
poor man's approach to capabilities until they're implemented on all
operating systems.

rdr xl0 0/0 port 515 -> 127.0.0.1 port 1515 tcp

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert () osg gov bc ca
Open Systems Group, ITSD, ISTA
Province of BC