Bug 717
Summary: | lpr -r -s file does not remove file when finished printing | ||
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | Jay Berkenbilt <ejb> |
Component: | lpr | Assignee: | Crutcher Dunnavant <crutcher> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | medium | ||
Version: | 5.2 | CC: | ejb |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 1999-03-19 22:53:35 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jay Berkenbilt
1999-01-06 22:10:35 UTC
One additional note: if the code to disable removal of files specified with absolute paths was intentional for security concerns, it was incomplete. The function process() in common_source/rmjob.c does not suppress this. That means that if you lpr -r -s file and then lprm the job before it prints, the file will be removed. This actually happens -- I've tested it. I don't think this is a security issue because the lpr code checks to ensure that the file is local and assumes the uid and login gid of the user on whose behalf the print job is being run. This is easy to reproduce. I don't think it is a bug, but I am mentioning it because it adds credibility to the notion that the problem I reported is a bug rather than an intentional change in the funcionality. --ejb My patch opens up a security hole through which any user can cause deletion of any file on a print server that accepts connections from their host. All one has to do is feed the lpd a control file that has the suitable remove entry in it. This hole is closed by the two lines which my patch attempts to remove. This bug in its present form should therefore be cancelled. Instead, the problem is that lpr -r -s no longer works but is still documented to work. I will generate a new bug report about that. Sorry for the runaround on this. What a shame that such useful functionality is no longer possible due to this exploit. I was able to write a perl script in less than 20 minutes that would delete an arbitrary remote file on a machine running lpd as patched according to my suggestion. *** Bug 717 has been marked as a duplicate of this bug. *** lpr -r -s file no longer causes deletion of file from the queue. The reason for this is that the code that was responsible for this behavior has been disabled since it also made lpd vulnerable to exploit by a remote user who could cause any file on the print server to be deleted. This is probably the same case as the most recent CERT advisory on BSD line printing daemon. Unfortuantely, I wasted a day rediscovering this myself. :-( See bug 717 (which is now obsolete and should be cancelled) for details. That bug includes a patch to restore lpr -r -s functionality, but that patch re-introduces this security hole into lpd. the man page has been fixed in lpr-0.34-2 |