From njh@kernighan.demon.co.uk  Mon May 22 14:53:00 2000
Return-Path: <njh@kernighan.demon.co.uk>
Received: from anchor-post-33.mail.demon.net (anchor-post-33.mail.demon.net [194.217.242.91])
	by hub.freebsd.org (Postfix) with ESMTP id 9823D37B521
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 22 May 2000 14:52:57 -0700 (PDT)
	(envelope-from njh@kernighan.demon.co.uk)
Received: from kernighan.demon.co.uk ([194.222.151.76] helo=homebrew.kernighan.demon.co.uk)
	by anchor-post-33.mail.demon.net with esmtp (Exim 2.12 #1)
	id 12u085-000G6u-0X
	for FreeBSD-gnats-submit@freebsd.org; Mon, 22 May 2000 22:52:54 +0100
Received: (from njh@localhost)
	by homebrew.kernighan.demon.co.uk (8.9.3/8.9.3) id WAA00822;
	Mon, 22 May 2000 22:52:28 +0100 (BST)
	(envelope-from njh)
Message-Id: <200005222152.WAA00822@homebrew.kernighan.demon.co.uk>
Date: Mon, 22 May 2000 22:52:28 +0100 (BST)
From: njh@kernighan.demon.co.uk
To: FreeBSD-gnats-submit@freebsd.org
Subject: patch: "no inet" flag for /usr/sbin/lpd
X-Send-Pr-Version: 3.2

>Number:         18760
>Category:       bin
>Synopsis:       patch: "no inet" flag for /usr/sbin/lpd
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 22 15:00:00 PDT 2000
>Closed-Date:    Tue May 23 08:28:30 PDT 2000
>Last-Modified:  Tue May 23 08:29:42 PDT 2000
>Originator:     Neil Hoggarth
>Release:        FreeBSD 3.4-RELEASE i386
>Organization:
none
>Environment:
>Description:

The /usr/sbin/lpd daemon is required to run, as root, on any host
which has a printer. This daemon listens for local lpr/lpq/etc
requests on a UNIX domain socket, and for remote requests on port 515
(printer/tcp) all available Internet interfaces.

I know of no security problems with the current lpd code, or the
libraries with which it links. However, in line with the general
principle that network services that aren't required ought not to be
offered to the world at large for potential abuse, it seems to me that
it would be desirable if hosts which have a local printer or printers
but which have no requirement to provide printer services to remote
clients could optionally disable the Internet listening feature.

>How-To-Repeat:
>Fix:

Context diffs for lpd.c and lpd.8 follow.

They add a new command line flag to lpd, "-n", which prevents lpd from
opening any Internet sockets (local requests are still accepted via
the UNIX domain socket /var/run/printer).

They were generated relative to the 3.4-RELEASE sources - I don't have
a CURRENT source tree to hand, but I tested them as patches against
the 4.0-RELEASE sources and they apply cleanly, so I don't think that
I've been too far overtaken by developments.


*** usr.sbin/lpr/lpd/lpd.c.orig	Mon May 22 21:06:08 2000
--- usr.sbin/lpr/lpd/lpd.c	Mon May 22 21:44:34 2000
***************
*** 125,131 ****
  	int argc;
  	char **argv;
  {
! 	int f, funix, finet, options, fromlen, i, errs;
  	fd_set defreadfds;
  	struct sockaddr_un un, fromunix;
  	struct sockaddr_in sin, frominet;
--- 125,131 ----
  	int argc;
  	char **argv;
  {
! 	int f, funix, finet, options, fromlen, i, errs, noinet;
  	fd_set defreadfds;
  	struct sockaddr_un un, fromunix;
  	struct sockaddr_in sin, frominet;
***************
*** 144,150 ****
  		errx(EX_NOPERM,"must run as root");
  
  	errs = 0;
! 	while ((i = getopt(argc, argv, "dl")) != -1)
  		switch (i) {
  		case 'd':
  			options |= SO_DEBUG;
--- 144,151 ----
  		errx(EX_NOPERM,"must run as root");
  
  	errs = 0;
! 	noinet = 0;
! 	while ((i = getopt(argc, argv, "dln")) != -1)
  		switch (i) {
  		case 'd':
  			options |= SO_DEBUG;
***************
*** 152,157 ****
--- 153,161 ----
  		case 'l':
  			lflag++;
  			break;
+ 		case 'n':
+ 			noinet++;
+ 			break;
  		default:
  			errs++;
  		}
***************
*** 279,285 ****
  	FD_SET(funix, &defreadfds);
  	listen(funix, 5);
  	finet = socket(AF_INET, SOCK_STREAM, 0);
! 	if (finet >= 0) {
  		if (options & SO_DEBUG)
  			if (setsockopt(finet, SOL_SOCKET, SO_DEBUG, 0, 0) < 0) {
  				syslog(LOG_ERR, "setsockopt (SO_DEBUG): %m");
--- 283,289 ----
  	FD_SET(funix, &defreadfds);
  	listen(funix, 5);
  	finet = socket(AF_INET, SOCK_STREAM, 0);
! 	if ((finet >= 0) && !noinet) {
  		if (options & SO_DEBUG)
  			if (setsockopt(finet, SOL_SOCKET, SO_DEBUG, 0, 0) < 0) {
  				syslog(LOG_ERR, "setsockopt (SO_DEBUG): %m");
***************
*** 629,634 ****
  static void
  usage()
  {
! 	fprintf(stderr, "usage: lpd [-dl] [port#]\n");
  	exit(EX_USAGE);
  }
--- 633,638 ----
  static void
  usage()
  {
! 	fprintf(stderr, "usage: lpd [-dln] [port#]\n");
  	exit(EX_USAGE);
  }


*** usr.sbin/lpr/lpd/lpd.8.orig	Mon May 22 21:06:18 2000
--- usr.sbin/lpr/lpd/lpd.8	Mon May 22 22:10:14 2000
***************
*** 40,46 ****
  .Nd line printer spooler daemon
  .Sh SYNOPSIS
  .Nm lpd
! .Op Fl dl
  .Op Ar port#
  .Sh DESCRIPTION
  .Nm Lpd
--- 40,46 ----
  .Nd line printer spooler daemon
  .Sh SYNOPSIS
  .Nm lpd
! .Op Fl dln
  .Op Ar port#
  .Sh DESCRIPTION
  .Nm Lpd
***************
*** 73,78 ****
--- 73,85 ----
  .Nm
  to log valid requests received from the network. This can be useful
  for debugging purposes.
+ .It Fl n
+ The
+ .Fl n
+ flag prevents
+ .Nm
+ from opening the Internet listening socket. This prevents all connections
+ from remote hosts.
  .It Ar "port#"
  The Internet port number used to rendezvous
  with other processes is normally obtained with

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: wollman 
State-Changed-When: Tue May 23 08:28:30 PDT 2000 
State-Changed-Why:  
Desired functionality is already implemented as the `-p' flag. 
>Unformatted:
 
