Patch-ID# 100305-15
Keywords: security passwd lpd lpr delete system lpstat -v
Synopsis: SunOS 4.1.1, 4.1.2, 4.1.3: lpr Jumbo Patch
Date: Apr/11/94
 
SunOS release: 4.1.1, 4.1.2, 4.1.3, 4.1.3C
 
Unbundled Product: 
 
Unbundled Release: 
 
Topic: lpd lpr lpc lpstat lprm lpq pac cancel

Xref: Patch 101434 is the 4.1.3_U1 version of this patch.
 
BugId's fixed with this patch: 1016437 1040453 1057834 1058003 1059620 1061504 1063772 1081850 1081968 1090527 1048004 1099009 1050628 1112342 1133067 1147821

Changes incorporated in this version:  1147821

Architectures for which this patch is available: sun3(all), sun4(all)

Patches which may conflict with this patch: 100301 (obsoleted) 100696 (obsoleted) 100598 (obsoleted)

Obsoleted by: 5.0

Problem Description:

1161352 lpstat in patch 100305 core dumps (SIGSEGV) with -t option
1016437 lpd does not check file names for legality
1040453 lpd can be used by any user to delete any file on the system
1057834 lpd can be used to delete any file on the system
1058003 Reading from /dev/printer lpd does not check how much data it has read
1059620 lpr -r does not work on files that are nfs mounted.
1061504 lpd can still be used to delete any file on a system
1063772 It is possible to overwrite any file on the system using lpr/lpd
1081850 It is possible to delete a file with lpr -r that should not be able to.
1081968 lpr can be used to overwrite any file
1090527 lpstat -v only returns the second entry from printer alias list
1048004 lpr checks on the real user rather than the effective user
1099009 'lp -t' doesn't work; causes print job to fail.
1050628 Header banner 'A' is printed as 'a'.
1112342 lpc complains for > 32 tc= entries total in printcap, recursive or not
1133067 'lpr -s -t' can be used to remove any file in directory / (root).
1147821 lpd takes a long time to reconnect to server after it comes up.

INSTALL: 

As root:

First do a "ps ax | grep lpd" and kill off the currently running lpd process.
The output from ps should look something like:
 134 ?  IW    0:00 /usr/lib/lpd
26753 p5 S     0:00 grep lpd
# kill -9 {process ID of lpd; in the above example this is 134}

Then save aside the FCS versions and change the modes so that they 
cannot be misused:

   mv /usr/lib/lpd /usr/lib/lpd.FCS
   mv /usr/ucb/lpr /usr/ucb/lpr.FCS
   mv /usr/ucb/lprm /usr/ucb/lprm.FCS
   mv /usr/ucb/lpq /usr/ucb/lpq.FCS
   mv /usr/etc/lpc /usr/etc/lpc.FCS
   mv /usr/etc/pac /usr/etc/pac.FCS
   mv /usr/bin/lpstat /usr/bin/lpstat.FCS
   mv /usr/bin/cancel /usr/bin/cancel.FCS
   chmod 0400 /usr/lib/lpd.FCS /usr/ucb/lpr.FCS /usr/ucb/lprm.FCS /usr/ucb/lpq.FCS /usr/etc/lpc.FCS /usr/etc/pac.FCS /usr/bin/lpstat.FCS /usr/bin/cancel.FCS 

Copy in the new versions, delete /dev/printer and create a
directory mode 750 owned by root, with group daemon, called /dev/lpd;
then create a symbolic link called /dev/printer that points to
/dev/lpd/printer and restart lpd.

   rm -f /dev/printer
   mkdir /dev/lpd
   chown root.daemon /dev/lpd
   chmod 710 /dev/lpd
   ln -s /dev/lpd/printer /dev/printer

   cp `arch`/{4.1.1,4.1.2,4.1.3}/lpd /usr/lib/lpd
   cp `arch`/{4.1.1,4.1.2,4.1.3}/lpr /usr/ucb/lpr
   cp `arch`/{4.1.1,4.1.2,4.1.3}/lprm /usr/ucb/lprm
   cp `arch`/{4.1.1,4.1.2,4.1.3}/lpq /usr/ucb/lpq
   cp `arch`/{4.1.1,4.1.2,4.1.3}/lpc /usr/etc/lpc
   cp `arch`/{4.1.1,4.1.2,4.1.3}/pac /usr/etc/pac
   cp `arch`/{4.1.1,4.1.2,4.1.3}/lpstat /usr/bin/lpstat
   cp `arch`/{4.1.1,4.1.2,4.1.3}/cancel /usr/bin/cancel
   chmod 6711 /usr/lib/lpd
   chmod 6711 /usr/ucb/lpr
   chmod 6711 /usr/ucb/lprm
   chmod 6711 /usr/ucb/lpq
   chmod 2711 /usr/etc/lpc
   chmod 755 /usr/etc/pac
   chmod 6711 /usr/bin/lpstat
   chmod 6711 /usr/bin/cancel
   chown root.daemon /usr/lib/lpd
   chown root.daemon /usr/ucb/lpr
   chown root.daemon /usr/ucb/lprm
   chown root.daemon /usr/ucb/lpq
   chown root.daemon /usr/etc/lpc
   chown root.staff /usr/etc/pac
   chown root.daemon /usr/bin/lpstat
   chown root.daemon /usr/bin/cancel

   rm -f /var/spool/lpd.lock
   /usr/lib/lpd

Last step:
   Edit your /etc/rc file and change the line that removes the /dev/printer
   file upon system startup so that it removes /dev/lpd/printer instead.

Note the change to "/dev/lpd/printer" from "/dev/printer"

/etc/rc:

Find the lines having to do with lpd startup:

if [ -f /usr/lib/lpd ]; then
        rm -f /dev/printer /var/spool/lpd.lock

Change (add) in the new location: 

if [ -f /usr/lib/lpd ]; then
        rm -f /dev/lpd/printer /var/spool/lpd.lock
                  ^^^^
                  NEW

The results should look like:
if [ -f /usr/lib/lpd ]; then
        rm -f /dev/lpd/printer /var/spool/lpd.lock
        /usr/lib/lpd;           echo -n ' printer'
fi
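
An added post-install check (not part of the patch or its README): it compares the installed files with the modes and owners set by the chmod/chown commands above, confirms that any saved .FCS copy is no longer setuid, setgid or executable, and confirms that /dev/printer is a symbolic link to /dev/lpd/printer. The function names and the optional ROOT prefix argument are assumptions for illustration, and it assumes an ls whose -ld output carries owner and group in fields 3 and 4.

```sh
# Added example, not part of the patch: audit the layout the INSTALL steps create.
# Function names and the ROOT prefix argument are hypothetical.
# Expected state from the README's chmod/chown lines: ls-style mode, owner, group, path.
lp_expected() {
    cat <<'EOF'
-rws--s--x root daemon /usr/lib/lpd
-rws--s--x root daemon /usr/ucb/lpr
-rws--s--x root daemon /usr/ucb/lprm
-rws--s--x root daemon /usr/ucb/lpq
-rwx--s--x root daemon /usr/etc/lpc
-rwxr-xr-x root staff /usr/etc/pac
-rws--s--x root daemon /usr/bin/lpstat
-rws--s--x root daemon /usr/bin/cancel
EOF
}

# Print "mode owner group" for a path, or "missing - -" if it does not exist.
lp_stat() {
    [ -e "$1" ] || [ -h "$1" ] || { echo "missing - -"; return; }
    ls -ld "$1" | awk '{ print substr($1, 1, 10), $3, $4 }'
}

# audit_lp_patch [ROOT]: print one FAIL line per mismatch; status 0 if none.
audit_lp_patch() {
    root=${1:-}
    lp_expected | {
        fails=0
        while read -r mode owner group path; do
            set -- $(lp_stat "$root$path")
            [ "$1" = "$mode" ] ||
                { echo "FAIL mode $path: want $mode, got $1"; fails=1; }
            [ "$2.$3" = "$owner.$group" ] ||
                { echo "FAIL owner $path: want $owner.$group, got $2.$3"; fails=1; }
            # A saved .FCS copy must be 0400 (no setuid/setgid/execute); absent is fine too.
            set -- $(lp_stat "$root$path.FCS")
            case $1 in
                missing|-r--------) ;;
                *) echo "FAIL mode $path.FCS: want -r--------, got $1"; fails=1 ;;
            esac
        done
        # /dev/printer must be the symbolic link to /dev/lpd/printer.
        link=$(ls -ld "$root/dev/printer" 2>/dev/null | awk '{ print $NF }')
        [ "$link" = /dev/lpd/printer ] ||
            { echo "FAIL link /dev/printer: want -> /dev/lpd/printer"; fails=1; }
        [ "$fails" -eq 0 ]
    }
}
```

Call audit_lp_patch with no argument to check the live system; any FAIL line names the file and the expected value.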


