On startup, lpd(8) creates an AF_UNIX socket /var/run printer. Before creating it, umask is set to 007. This allows members of the wheel group to submit data to lpd bypassing normal accounting, etc. Fix: In /usr/src/usr.sbin/lpr/lpd/ How-To-Repeat: shalunov@tuzik$ id uid=1000(shalunov) gid=1000(shalunov) groups=1000(shalunov), 0(wheel) shalunov@tuzik$ cd /var/run shalunov@tuzik$ ls -l printer srwxrwx--- 1 root wheel 0 Oct 25 10:53 printer shalunov@tuzik$ perl -MSocket -e 'socket(SOCK, PF_UNIX, SOCK_STREAM, 0); connect(SOCK, sockaddr_un("printer")); print SOCK "foo\n"' shalunov@tuzik$ tail -1 /var/log/messages Mar 9 14:44:15 tuzik lpd[95097]: bad request (102) from tuzik.lz.att.com
Responsible Changed From-To: freebsd-bugs->gad Garance has been doing some work with lpr
Btw, I should mention that I'm finally getting around to doing something with this PR. Or at least I will, if my regular job doesn't swamp me with extra work again. I'm going to take a slightly different tactic than you recommended. What I'm going to do is change the group of /var/run/printer so that the group is set to daemon. Eventually I would like to fix lpr/lpd so it does not have to run as root (or at least, it will use set-uid root permissions for very little of it's processing), and if I ever manage to do that then I'd probably keep the 'setgid daemon' on it. --- Garance Alistair Drosehn = gad@gilead.acs.rpi.edu Senior Systems Programmer or gad@FreeBSD.org Rensselaer Polytechnic Institute; Troy NY USA
For bugs matching the following criteria: Status: In Progress Changed: (is less than) 2014-06-01 Reset to default assignee and clear in-progress tags. Mail being skipped
Keyword: patch or patch-ready – in lieu of summary line prefix: [patch] * bulk change for the keyword * summary lines may be edited manually (not in bulk). Keyword descriptions and search interface: <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>