lprm has an arbitrary limit on the length of the username that can remove jobs. From lprm.c:

    static char luser[16];      /* buffer for person */

    void usage();

    int
    main(argc, argv)
        int argc;
        char *argv[];
    {
        register char *arg;
        struct passwd *p;

        uid = getuid();
        euid = geteuid();
        seteuid(uid);
        name = argv[0];
        gethostname(host, sizeof(host));
        host[MAXHOSTNAMELEN-1]='\0';
        openlog("lpd", 0, LOG_LPR);
        if ((p = getpwuid(getuid())) == NULL)
            fatal("Who are you?");
        if (strlen(p->pw_name) >= sizeof(luser))
            fatal("Your name is too long");
        [...]

The value of 16 is interesting - why not 9?
Isn't this also a buffer overflow by one character if the username is of length 16?
This is fixed by the move to LPRng in rawhide.
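
The boundary behaviour of the length check quoted from lprm.c, as an added example that is not part of the original report or of lprm itself. The function names and sample usernames are constructed for illustration, and the copy step is an assumption, since the excerpt is cut at "[...]" before showing how luser is filled.

```c
#include <stdio.h>
#include <string.h>

#define LUSER_SIZE 16            /* same size as luser[] in the quoted lprm.c */

char luser[LUSER_SIZE];          /* stand-in for the buffer in the excerpt */

/* The comparison from the excerpt: refuse when strlen(name) >= sizeof(luser). */
int rejected_by_ge(const char *name)
{
    return strlen(name) >= sizeof(luser);
}

/* Off-by-one variant, for contrast only: '>' instead of '>='. */
int rejected_by_gt(const char *name)
{
    return strlen(name) > sizeof(luser);
}

/* Bytes by which name plus its NUL terminator would exceed luser (0 if it fits). */
size_t excess_bytes(const char *name)
{
    size_t need = strlen(name) + 1;
    return need > sizeof(luser) ? need - sizeof(luser) : 0;
}

/* Copy only when the excerpt's check passes (assumed copy step, see lead-in). */
int store_user(const char *name)
{
    if (rejected_by_ge(name))
        return -1;
    memcpy(luser, name, strlen(name) + 1);
    return 0;
}

int main(void)
{
    /* Constructed sample names of length 15, 16 and 17. */
    const char *names[] = { "abcdefghijklmno", "abcdefghijklmnop",
                            "abcdefghijklmnopq" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("len=%zu  '>=' rejects=%d  '>' rejects=%d  excess=%zu  stored=%d\n",
               strlen(names[i]), rejected_by_ge(names[i]),
               rejected_by_gt(names[i]), excess_bytes(names[i]),
               store_user(names[i]));
    return 0;
}
```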