On startup, lpd(8) creates an AF_UNIX socket /var/run printer. Before creating it, umask is set to 007. This allows members of the wheel group to submit data to lpd bypassing normal accounting, etc. Fix: In /usr/src/usr.sbin/lpr/lpd/ How-To-Repeat: shalunov@tuzik$ id uid=1000(shalunov) gid=1000(shalunov) groups=1000(shalunov), 0(wheel) shalunov@tuzik$ cd /var/run shalunov@tuzik$ ls -l printer srwxrwx--- 1 root wheel 0 Oct 25 10:53 printer shalunov@tuzik$ perl -MSocket -e 'socket(SOCK, PF_UNIX, SOCK_STREAM, 0); connect(SOCK, sockaddr_un("printer")); print SOCK "foo\n"' shalunov@tuzik$ tail -1 /var/log/messages Mar 9 14:44:15 tuzik lpd[95097]: bad request (102) from tuzik.lz.att.com
Responsible Changed From-To: freebsd-bugs->gad Garance has been doing some work with lpr
Btw, I should mention that I'm finally getting around to doing something with this PR. Or at least I will, if my regular job doesn't swamp me with extra work again. I'm going to take a slightly different tactic than you recommended. What I'm going to do is change the group of /var/run/printer so that the group is set to daemon. Eventually I would like to fix lpr/lpd so it does not have to run as root (or at least, it will use set-uid root permissions for very little of it's processing), and if I ever manage to do that then I'd probably keep the 'setgid daemon' on it. --- Garance Alistair Drosehn = gad@gilead.acs.rpi.edu Senior Systems Programmer or gad@FreeBSD.org Rensselaer Polytechnic Institute; Troy NY USA
For bugs matching the following criteria: Status: In Progress Changed: (is less than) 2014-06-01 Reset to default assignee and clear in-progress tags. Mail being skipped
Keyword: patch or patch-ready – in lieu of summary line prefix: [patch] * bulk change for the keyword * summary lines may be edited manually (not in bulk). Keyword descriptions and search interface: <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=6cde8f3ef7cd060be39d78055eaf982b06b19a3b commit 6cde8f3ef7cd060be39d78055eaf982b06b19a3b Author: Stanislav Shalunov <shalunov@att.com> AuthorDate: 2024-10-11 15:49:02 +0000 Commit: Warner Losh <imp@FreeBSD.org> CommitDate: 2024-10-11 15:50:08 +0000 lpd: Tighten permissions on /var/run/printer Exclude group read/write permissions as well. Otherwise, group wheel can submit things w/o the normal accounting. While group wheel is generally trusted on the machine, submitting jobs w/o checks is not one of the functions we document for that group. PR: 17289 Differential Revision: https://reviews.freebsd.org/D47040 usr.sbin/lpr/lpd/lpd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
^Triage: assign to committer and set flags for possible MFC.