Patch-ID#  100305-03
Keywords: security passwd lpd delete system
Synopsis: SunOS 4.1.1;4.1;4.0.3;4.0.2-386i: lpd can be used to delete any file on the system
Date: 24/June/91
 
SunOS release: 4.1.1, 4.1, 4.0.3, 4.0.2-386i
 
Unbundled Product: 
 
Unbundled Release: 
 
Topic: lpd
 
BugId's fixed with this patch: 1057834 1058003 1016437 1040453 1061504

Architectures for which this patch is available: sun3, sun3x, sun4, sun4c, sun386i

Patches which may conflict with this patch:

Obsoleted by: SunOS 5.0

Problem Description: The current BSD line printer spooler has a flaw
                     which allows system files to be deleted by the lp daemon.

INSTALL: 

as root:

first do a "ps ax |grep lpd"  and kill off the currently running lpd process.
the return from ps should be something like:
 134 ?  IW    0:00 /usr/lib/lpd
26753 p5 S     0:00 grep lpd
# kill -9 {process id of lpd. in the above example this is 134}

then save aside the FCS version of lpd and change the modes so that it 
cannot be misused.

# mv /usr/lib/lpd /usr/lib/lpd.FCS
# chmod 100 /usr/lib/lpd.FCS 

copy in the new version, delete /dev/printer and create a
directory mode 750 owned by root with the group daemon called /dev/lpd,
then create a symbolic link called /dev/printer that points to
/dev/lpd/printer and restart lpd.

# rm -f /dev/printer
# mkdir /dev/lpd
# chown root.daemon /dev/lpd
# chmod 710 /dev/lpd
# ln -s /dev/lpd/printer /dev/printer
# cp sun{3,4}/{4.1,4.1.1}/lpd /usr/lib/lpd
# chmod 6711 /usr/lib/lpd
# chmod 6711 /usr/ucb/lpr
# chmod 6711 /usr/ucb/lpq
# chmod 6711 /usr/ucb/lprm
# chmod 2711 /usr/etc/lpc
# chown root.daemon /usr/lib/lpd
# rm -f /var/spool/lpd.lock
# /usr/lib/lpd


 edit your /etc/rc file and change the line that removes the /dev/printer
 file  upon system startup so that it removes /dev/lpd/printer instead.

Note the change to "/dev/lpd/printer" from "/dev/printer"

/etc/rc:

Find the lines having to do with lpd startup:

if [ -f /usr/lib/lpd ]; then
        rm -f /dev/printer /var/spool/lpd.lock

Change (add) in the new location: 

if [ -f /usr/lib/lpd ]; then
        rm -f /dev/lpd/printer /var/spool/lpd.lock
                  ^^^^
                  NEW

The results should look like:
if [ -f /usr/lib/lpd ]; then
        rm -f /dev/lpd/printer /var/spool/lpd.lock
        /usr/lib/lpd;           echo -n ' printer'
fi