Bug 2019 - Printing to a smb printer stores printer passwd and username in plain text file.
Status: CLOSED WONTFIX
Product: Red Hat Linux
Classification: Retired
Component: samba
Version: 5.2
Hardware: i386 Linux
Priority: high Severity: medium
Assigned To: Trond Eivind Glomsrød
Keywords: Security
Reported: 1999-04-05 22:44 EDT by jaras
Modified: 2008-05-01 11:37 EDT (History)
Last Closed: 1999-04-06 10:42:52 EDT
Description jaras 1999-04-05 22:44:46 EDT
/var/spool/lpd/lp/.config is world readable by any user.

[jaras@preston:lp]$ ls -asl .config
   1 -rw-r--r--   1 root     root           72 Mar 29 22:50 .config
[jaras@preston:lp]$
[jaras@preston:lp]$ id
uid=500(jaras) gid=500(jaras) groups=500(jaras)

This is not a huge issue, but still a lot of systems use
similar passwords and what have you.

I did not want to go to the 'security' community first,
until you respond to this w/ a patch/fix and what not.

keep up the good work.

jay.
Comment 1 Bill Nottingham 1999-04-06 10:42:59 EDT
It's always been this way; in fact, if you read the large warning
that appears in printtool:

"               - WARNING -

    The use of a remote SMB/Windows 95/NT printer
    may require a username and password for
    its server. These are stored unencrypted
    in a script locally, and must be passed on
    the command line to the smbclient program.

    In other words, it is possible for
    another person to learn of the username
    and password. It is therefore recommended
    that the username and password for the
    use of the printer to NOT BE the same as
    that for a user account on the local
    Linux box. That way, if this information
    is compromised, the only possible damage
    is unauthorized use of the printer.

    If there are file shares from the server,
    it would be best if they required a
    different password than that required for
    the use of the printer, for the same reason.

-
The file has to be world readable, or otherwise only root can print.

------- Additional Comments From   09/30/99 15:44 -------
One way round this problem would be to do what I do with a similar
script I use that requires passwords to be presented on the command
line: put the passwords in a separate file and use `cmd` to insert
them.

As an example, try something like the following shell script:

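 #!/bin/bash
 # Print field 5 of the current user's /etc/passwd entry, inserted by
 # command substitution. The trailing ":" anchors the match to the exact
 # user name; the outer quotes keep a value with spaces as one argument.
 printf 'For your reference, I am "%s"\n' \
        "`grep "^\`id -un\`:" /etc/passwd | cut -d : -f 5`"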

Try running it, and you will see that it happily displays the
specified field from the said user's password entry, but at no time
does the said field ever appear in any history file or any ps or top
command listing.

I'm no expert on samba by any means, but surely something along these
lines could be used ???
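
An added example, not part of the bug report or of Red Hat's tooling: a shell function an administrator could use to find spool .config files that carry the permissions shown in the description. The /var/spool/lpd/<queue>/.config layout comes from the report; the function name and the "password" keyword match are assumptions, since the report does not show the file's contents.

```shell
#!/bin/sh
# Added example: audit lpd spool directories for .config files that any
# local user can read (mode -rw-r--r-- in the report).
# Assumption: the "password" keyword match is only a heuristic.

# audit_spool_configs [DIR]
# Prints "<path> <verdict>" for every world-readable .config under DIR.
# Return status: 0 = nothing exposed, 1 = at least one exposed file,
# 2 = DIR is not a directory or no temp file could be created.
audit_spool_configs() {
    spool_dir=${1:-/var/spool/lpd}
    if [ ! -d "$spool_dir" ]; then
        echo "audit_spool_configs: not a directory: $spool_dir" >&2
        return 2
    fi
    found=0
    # A temp file instead of a pipeline keeps $found in the current shell.
    list=$(mktemp) || return 2
    # -perm -004 selects files whose "other" read bit is set (e.g. 0644).
    find "$spool_dir" -type f -name .config -perm -004 -print > "$list"
    while IFS= read -r cfg; do
        found=1
        if grep -qi 'password' "$cfg" 2>/dev/null; then
            echo "$cfg credentials-visible-to-all-users"
        else
            echo "$cfg world-readable"
        fi
    done < "$list"
    rm -f "$list"
    return "$found"
}
```

Call it as `audit_spool_configs /var/spool/lpd`; a non-zero status means at least one queue configuration is readable by every local account.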
