Patch-ID# 100305-10
Keywords: security passwd lpd lpr delete system lpstat -v
Synopsis: SunOS 4.1;4.1.1;4.1.2;4.1.3: lpd can be used to delete any file on the system
Date: 16/Oct/92

SunOS release: 4.1 4.1.1 4.1.2 4.1.3

Unbundled Product:

Unbundled Release:

Topic: lpd lpr lpc lpstat

BugId's fixed with this patch: 1016437 1040453 1057834 1058003 1059620 1061504 1063772 1081850 1081968 1090527

Changes incorporated in this version: 1090527

Architectures for which this patch is available: sun3(all), sun4(all)

Patches which may conflict with this patch: 100301 (obsoleted)

Obsoleted by:

Problem Description:

1016437 lpd does not check file names for legality
1040453 lpd can be used by any user to delete any file on the system
1057834 lpd can be used to delete any file on the system
1058003 Reading from /dev/printer lpd does not check how much data it has read
1059620 lpr -r does not work on files that are nfs mounted.
1061504 lpd can still be used to delete any file on a system
1063772 It is possible to overwrite any file on the system using lpr/lpd
1081850 It is possible to delete a file with lpr -r that should not be able to.
1081968 lpr can be used to overwrite any file
1090527 lpstat -v only returns the second entry from printer alias list

INSTALL:

As root:

first do a "ps ax |grep lpd" and kill off the currently running
lpd process.

the return from ps should be something like:

      134 ?  IW    0:00 /usr/lib/lpd
    26753 p5 S     0:00 grep lpd

    # kill -9 {process id of lpd. in the above example this is 134}

Then save aside the FCS versions and change the modes so that they cannot
be misused.

    mv /usr/lib/lpd /usr/lib/lpd.FCS
    mv /usr/ucb/lpr /usr/ucb/lpr.FCS
    mv /usr/etc/lpc /usr/etc/lpc.FCS
    mv /usr/bin/lpstat /usr/bin/lpstat.FCS
    chmod 0400 /usr/lib/lpd.FCS /usr/ucb/lpr.FCS /usr/etc/lpc.FCS /usr/bin/lpstat.FCS

Copy in the new versions, delete /dev/printer and create a directory
mode 750 owned by root, with group daemon, called /dev/lpd; then create
a symbolic link called /dev/printer that points to /dev/lpd/printer
and restart lpd.

    rm -f /dev/printer
    mkdir /dev/lpd
    chown root.daemon /dev/lpd
    chmod 710 /dev/lpd
    ln -s /dev/lpd/printer /dev/printer

    cp `arch`/{4.1,4.1.1,4.1.2,4.1.3}/lpd /usr/lib/lpd
    cp `arch`/{4.1,4.1.1,4.1.2,4.1.3}/lpr /usr/ucb/lpr
    cp `arch`/{4.1,4.1.1,4.1.2,4.1.3}/lpc /usr/etc/lpc
    cp `arch`/{4.1,4.1.1,4.1.2,4.1.3}/lpstat /usr/bin/lpstat

    chmod 6711 /usr/lib/lpd
    chmod 6711 /usr/ucb/lpr
    chmod 2711 /usr/etc/lpc
    chmod 6711 /usr/bin/lpstat

    chown root.daemon /usr/lib/lpd
    chown root.daemon /usr/ucb/lpr
    chown root.daemon /usr/etc/lpc
    chown root.daemon /usr/bin/lpstat

    rm -f /var/spool/lpd.lock
    /usr/lib/lpd

Last step: edit your /etc/rc file and change the line that removes
the /dev/printer file upon system startup so that it removes
/dev/lpd/printer instead.

Note the change to "/dev/lpd/printer" from "/dev/printer"

/etc/rc:

Find the lines having to do with lpd startup:

    if [ -f /usr/lib/lpd ]; then
            rm -f /dev/printer /var/spool/lpd.lock

Change (add) in the new location:

    if [ -f /usr/lib/lpd ]; then
            rm -f /dev/lpd/printer /var/spool/lpd.lock
                       ^^^^ NEW

The results should look like:

    if [ -f /usr/lib/lpd ]; then
            rm -f /dev/lpd/printer /var/spool/lpd.lock
            /usr/lib/lpd; echo -n ' printer'
    fi
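
A post-install audit of the end state the INSTALL steps describe, as an added example that is not part of the patch README: it checks the modes and ownership set by the chmod/chown commands (including the chmod 710 applied to /dev/lpd), the /dev/printer symbolic link, the locked-down .FCS copies, and the /etc/rc edit. The function names, the ROOT prefix argument and the LPD_OWNER/LPD_GROUP overrides are assumptions of this example so that it can also be run against a constructed directory tree.

```shell
LPD_OWNER=${LPD_OWNER:-root}     # owner from the chown steps (override is an assumption)
LPD_GROUP=${LPD_GROUP:-daemon}   # group from the chown steps (override is an assumption)

# check PATH PERMS [any]: compare the "ls -ld" permission string and owner.group.
# Passing "any" skips the ownership test (the README does not chown the .FCS copies).
check() {
    path=$1 want=$2 who=${3:-$LPD_OWNER.$LPD_GROUP}
    line=$(ls -ld "$path" 2>/dev/null) || { echo "MISSING $path"; return 1; }
    set -- $line
    perms=$(printf '%s' "$1" | cut -c1-10)    # drop any ACL marker after the mode
    [ "$who" = any ] && got=any || got=$3.$4
    [ "$perms" = "$want" ] && [ "$got" = "$who" ] && return 0
    echo "BAD $path: $perms $got (want $want $who)"
    return 1
}

# check_link LINK TARGET: LINK must be a symbolic link pointing at TARGET.
check_link() {
    line=$(ls -ld "$1" 2>/dev/null) || { echo "MISSING $1"; return 1; }
    case $line in
        l*" -> $2") return 0 ;;
    esac
    echo "BAD $1: not a symbolic link to $2"
    return 1
}

# check_rc FILE: lpd startup must remove the new socket path, not the old one.
check_rc() {
    grep -q 'rm -f /dev/lpd/printer' "$1" 2>/dev/null &&
        ! grep -q 'rm -f /dev/printer' "$1" && return 0
    echo "BAD $1: lpd startup must remove /dev/lpd/printer, not /dev/printer"
    return 1
}

# verify_lpd_install ROOT: print each finding; the return status is the failure count.
verify_lpd_install() {
    r=$1 fails=0
    check "$r/dev/lpd" drwx--x--- || fails=$((fails + 1))                # chmod 710
    check_link "$r/dev/printer" /dev/lpd/printer || fails=$((fails + 1))
    for f in /usr/lib/lpd /usr/ucb/lpr /usr/bin/lpstat; do
        check "$r$f" -rws--s--x || fails=$((fails + 1))                  # chmod 6711
    done
    check "$r/usr/etc/lpc" -rwx--s--x || fails=$((fails + 1))            # chmod 2711
    for f in /usr/lib/lpd /usr/ucb/lpr /usr/etc/lpc /usr/bin/lpstat; do
        check "$r$f.FCS" -r-------- any || fails=$((fails + 1))          # chmod 0400
    done
    check_rc "$r/etc/rc" || fails=$((fails + 1))
    return "$fails"
}
```

On the patched host, run `verify_lpd_install ""` as root; a zero status means every check passed.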