[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH] Re: lpd security questions
At 4:19 PM +0000 2/22/02, kevin lyda wrote:
>On Fri, Feb 22, 2002 at 10:06:47AM +0100, Ragnar Beer wrote:
> > So at the moment I'm thinking about leaving lpd running. But even
> > if I don't have any entries in /etc/hosts.equiv and /etc/hosts.lpd
> > having lpd listen on port 515 can still be a risk, can't it?
>yep. you could firewall off the port but here's a patch to add a -u
>flag to lpd which forces it to only open the unix socket. i haven't
>run it, but it compiled ;^) . this diff is against the 3.0 sources
>(which match -current at the moment).
Note that both netbsd and freebsd have an option which implements
this behavior. netbsd calls it '-s', freebsd calls it '-p'. The
'-s' was chosen to (somewhat) match '-s' in syslogd:
-s Operate in secure mode. Do not log messages from
(that's part of freebsd's description of -s in syslogd). I forget
why -p was chosen for freebsd, though it was something which made
sense at the time... I think we got two PR's at about the same
time, and we happened to go with the one which suggested '-p'.
If you're going to add this, it would be nice to add it as '-s'
and not '-u'. I do intend to add '-s' as a synonym for '-p' in
freebsd's lpd, and in fact I meant to add it after 4.4-release,
but forgot to get back to that.
> would more people want this - where would i submit it?
Note that I work on lpr in freebsd, not openbsd, so I can't
answer this question... :-) I wouldn't mind working on it for
openbsd too, but realistically I'm not active enough with openbsd
to volunteer to help out in that area.
Garance Alistair Drosehn = firstname.lastname@example.org
Senior Systems Programmer or email@example.com
Rensselaer Polytechnic Institute or firstname.lastname@example.org