Bug 17289

Summary: wrong permissions on /var/run/printer
Product: Base System Reporter: stanislav shalunov <shalunov>
Component: binAssignee: Warner Losh <imp>
Status: In Progress ---    
Severity: Affects Only Me CC: Alexander88207, emaste
Priority: Normal Flags: linimon: mfc-stable14?
linimon: mfc-stable13?
Version: 3.1-RELEASE   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff none

Description stanislav shalunov 2000-03-09 19:50:00 UTC 
On startup, lpd(8) creates an AF_UNIX socket /var/run printer.
Before creating it, umask is set to 007.  This allows members
of the wheel group to submit data to lpd bypassing normal
accounting, etc.

Fix: In /usr/src/usr.sbin/lpr/lpd/
How-To-Repeat: 
shalunov@tuzik$ id
uid=1000(shalunov) gid=1000(shalunov) groups=1000(shalunov), 0(wheel)
shalunov@tuzik$ cd /var/run
shalunov@tuzik$ ls -l printer
srwxrwx---  1 root  wheel  0 Oct 25 10:53 printer
shalunov@tuzik$ perl -MSocket -e 'socket(SOCK, PF_UNIX, SOCK_STREAM, 0); connect(SOCK, sockaddr_un("printer")); print SOCK "foo\n"'
shalunov@tuzik$ tail -1 /var/log/messages
Mar  9 14:44:15 tuzik lpd[95097]: bad request (102) from tuzik.lz.att.com
Comment 1 Mike Heffner freebsd_committer freebsd_triage 2001-06-16 08:20:45 UTC 
Responsible Changed
From-To: freebsd-bugs->gad

Garance has been doing some work with lpr
Comment 2 Garance A Drosehn freebsd_committer freebsd_triage 2002-04-03 04:34:41 UTC 
Btw, I should mention that I'm finally getting around to doing something 
with this PR.  Or at least I will, if my regular job doesn't swamp me 
with extra work again.

I'm going to take a slightly different tactic than you recommended.  
What I'm going to do is change the group of /var/run/printer so that the 
group is set to daemon.  Eventually I would like to fix lpr/lpd so it 
does not have to run as root (or at least, it will use set-uid root 
permissions for very little of it's processing), and if I ever manage to 
do that then I'd probably keep the 'setgid daemon' on it.

---
Garance Alistair Drosehn     =      gad@gilead.acs.rpi.edu
Senior Systems Programmer           or     gad@FreeBSD.org
Rensselaer Polytechnic Institute;           Troy NY    USA
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:22 UTC 
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped
Comment 4 Graham Perrin freebsd_committer freebsd_triage 2022-10-17 12:35:28 UTC 
Keyword: 

    patch
or  patch-ready

– in lieu of summary line prefix: 

    [patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk). 

Keyword descriptions and search interface: 

    <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>
Comment 5 commit-hook freebsd_committer freebsd_triage 2024-10-11 15:55:41 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=6cde8f3ef7cd060be39d78055eaf982b06b19a3b

commit 6cde8f3ef7cd060be39d78055eaf982b06b19a3b
Author:     Stanislav Shalunov <shalunov@att.com>
AuthorDate: 2024-10-11 15:49:02 +0000
Commit:     Warner Losh <imp@FreeBSD.org>
CommitDate: 2024-10-11 15:50:08 +0000

    lpd: Tighten permissions on /var/run/printer

    Exclude group read/write permissions as well. Otherwise, group wheel can
    submit things w/o the normal accounting. While group wheel is generally
    trusted on the machine, submitting jobs w/o checks is not one of the
    functions we document for that group.

    PR: 17289
    Differential Revision:  https://reviews.freebsd.org/D47040

 usr.sbin/lpr/lpd/lpd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 Mark Linimon freebsd_committer freebsd_triage 2024-11-24 03:30:01 UTC 
^Triage: assign to committer and set flags for possible MFC.