
[PATCH] Re: lpd security questions

On Fri, Feb 22, 2002 at 10:06:47AM +0100, Ragnar Beer wrote:
> So at the moment I'm thinking about leaving lpd running. But even if I
> don't have any entries in /etc/hosts.equiv and /etc/hosts.lpd having lpd
> listen on port 515 can still be a risk, can't it?

yep.  you could firewall off the port but here's a patch to add a -u
flag to lpd which forces it to only open the unix socket.  i haven't
run it, but it compiled ;^) .  this diff is against the 3.0 sources
(which match -current at the moment).  would more people want this -
where would i submit it?

cvs server: Diffing .
Index: lpd.8
===================================================================
RCS file: /cvs/src/usr.sbin/lpr/lpd/lpd.8,v
retrieving revision 1.10
diff -r1.10 lpd.8
71a72,76
> .It Fl u
> Have
> .Nm
> only open it's unix socket to submit jobs - do not listen on the
> standard lpd port.
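Review bot: the new .It Fl u text has a typo, "only open it's unix socket" should read "only open its unix socket" (possessive, no apostrophe). Since this introduces a new command-line flag, the SYNOPSIS of lpd.8 should also list -u next to the existing options; this hunk only touches the option description.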
Index: lpd.c
===================================================================
RCS file: /cvs/src/usr.sbin/lpr/lpd/lpd.c,v
retrieving revision 1.21
diff -r1.21 lpd.c
109a110
> int   uflag = 0;                      /* unix socket only flag */
151a153,155
>                       case 'u':
>                               uflag=1;
>                               break;
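Review bot: the new case 'u' is added to the option switch, but the diff shows no matching change to whatever drives that switch or to the usage message. If option parsing goes through getopt(3), 'u' must be appended to the option string or this case can never be reached; either way usage() should mention -u so the flag is discoverable. Style nit: KNF wants spaces around the assignment, i.e. `uflag = 1;`.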
228c232,236
<       finet = socket(AF_INET, SOCK_STREAM, 0);
---
>       if (!uflag) {
>           finet = socket(AF_INET, SOCK_STREAM, 0);
>       } else {
>           finet = -1;
>       }
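Review bot: setting finet = -1 is only safe if every later use of finet is guarded, and none of those sites is in this hunk. The code following the original socket() call presumably treats finet < 0 as a failure (logging and exiting), then binds and listens on it, adds it to the select(2) descriptor set and accept(2)s from it; with -u the daemon would therefore either bail out with a socket error or hand -1 to FD_SET/accept. Each of those sites needs an `if (finet >= 0)` (or `if (!uflag)`) guard, which matches the author's remark that the patch compiled but was not run. Style: the new lines use four-space indentation where the surrounding code uses tabs, and KNF would write the two single-statement branches without braces.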

kevin

-- 
kevin@suberic.net          buffy: come on, can't you put your foot down?!
fork()'ed on 37058400      giles: it *is* down.
meatspace place: orbit     buffy: one of these days you're going to have to
http://suberic.net/~kevin         get a grown up car.  --inca mummy girl