2.13. Security Concerns

While the LPRng software has been written with security as the primary goal, there is always the risk of undetected errors in the LPRng software that, when exploited, could compromise system security. The most serious concern is an attacker gaining ROOT (UID 0) permissions through one of these errors.

The simplest way to reduce this risk is to not install the LPRng client programs with setuid ROOT permissions. Client programs do not need them; they will still be able to connect to the lpd server. Since the lpd server is started by the system startup script with effective UID root, it is then the only program in this suite that has a privileged user id.

A more radical step is to run the lpd server as a non-privileged user entirely. However, the RFC1179 protocol specifies that the lpd TCP/IP port is 515, and lpd requires root permissions to open and bind to port 515. The lpd server can use the setuid() system call after binding to this port to drop ROOT capabilities. However, in order to be fully compatible with RFC1179, lpd must originate connections from a reserved port in the range 721-731, although in practice any port in the range 1-1023 seems to be acceptable.
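The bind-then-drop sequence described above, as an added example in Python that is not part of LPRng itself. It binds the listening socket while the effective UID is still 0, then gives up root permanently and checks that root cannot be regained. The port number defaults to 515 from RFC1179; the numeric uid/gid 65534 ("nobody") used for the unprivileged account is an assumption, and a real server would look the account up from the password database.

```python
import os
import socket

# Numeric ids of the unprivileged account the server drops to. 65534 ("nobody")
# is an assumption made for this example; a real deployment looks them up.
UNPRIVILEGED_UID = 65534
UNPRIVILEGED_GID = 65534


def running_as_root():
    return os.geteuid() == 0


def bind_listening_socket(port, address=""):
    """Open, bind and listen on the server socket. Binding a port below 1024
    (such as 515) only works while the effective UID is still 0, so this must
    run before privileges are dropped; the bound socket survives the UID change."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((address, port))
    sock.listen(5)
    return sock


def drop_privileges(uid=UNPRIVILEGED_UID, gid=UNPRIVILEGED_GID):
    """Permanently give up root. Order matters: supplementary groups and the
    GID are changed first, because after setuid() the process is no longer
    allowed to change them. Returns True if there was something to drop."""
    if not running_as_root():
        return False
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)  # as root this sets the real, effective and saved UID
    return True


def privileges_are_dropped():
    """Check that the drop is irreversible: an attempt to return to UID 0 must
    fail. A server that only used seteuid() keeps a saved UID of 0 and would
    pass an euid check but fail this one."""
    if running_as_root():
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False  # setuid(0) succeeded, so the saved UID was still 0


def start_server(port=515, uid=UNPRIVILEGED_UID, gid=UNPRIVILEGED_GID):
    """Bind first, drop second, and refuse to serve if root can be regained."""
    sock = bind_listening_socket(port)
    drop_privileges(uid, gid)
    if not privileges_are_dropped():
        sock.close()
        raise RuntimeError("process can still regain root; refusing to serve")
    return sock


if __name__ == "__main__":
    listener = start_server()
    print("listening on", listener.getsockname(), "as uid", os.getuid())
```

The check in privileges_are_dropped() is the part most often left out: setuid() called as root changes all three UIDs, but seteuid() only changes the effective one and leaves a path back to root, which is exactly the situation the page warns about.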

If inter-operability with non-LPRng print spoolers is not desired, then it is trivial to configure LPRng to use a non-privileged port by using the lpd.conf file. For example, in the /etc/lpd.conf file, you only need to change the indicated lines:

# Purpose: lpd port
#   default lpd_port=printer
lpd_port=2000
# or lpd_port=localhost%2000

The lpd_port value specifies the (optional) IP address and the port to which the lpd server binds and to which the clients will connect. With the setting above, LPRng applications will connect to port 2000 to transfer jobs and ask for status. You can also use this facility to establish a private set of print spoolers which can be used for testing. See Testing and Diagnostic Facilities for more details.

Some legacy print filters are not proof against shell metacharacters in their arguments. For example, suppose that a user decided to spool a job as follows:

h4: {66} # lpr "-J`;rm -rf /;`" /tmp/a

This would create a job file with the line:

J`rm -rf /;`

and the value gets passed to a print filter as

/usr/local/printfilter  -J`rm -rf /;`

The observant reader will notice that the above line may have the most hideous consequences if it is processed by a shell. For this reason the LPRng software takes extreme precautions and sanitizes control file contents and file names so that they do not contain any control characters or metacharacters.
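The sanitizing step described above, as an added example in Python that is not LPRng's own code. It parses control-file lines of the RFC1179 form (one-letter key followed by the value), strips control characters and shell metacharacters from every value, and then builds the filter command as an argv list that is executed without a shell, so that a metacharacter which somehow survived sanitizing still cannot start a second command. The metacharacter set, the filter path /usr/local/printfilter from the page, and the sample control file are constructed for the example.

```python
import string
import subprocess

# Characters a shell treats specially. This set is an assumption for the
# example; LPRng's own list may differ.
SHELL_METACHARS = set('`$\\"\'|&;<>()[]{}*?!~#\n\r')


def is_control_char(ch):
    """ASCII control characters (0x00-0x1F) and DEL (0x7F)."""
    code = ord(ch)
    return code < 0x20 or code == 0x7F


def is_disallowed(ch):
    return is_control_char(ch) or ch in SHELL_METACHARS


def sanitize_value(value, strip=True):
    """Return the value without control characters and shell metacharacters.
    With strip=False the value is rejected (ValueError) instead of cleaned,
    which is the stricter choice for input from untrusted clients."""
    bad = sorted(set(ch for ch in value if is_disallowed(ch)))
    if bad and not strip:
        raise ValueError("disallowed characters in control value: %r" % "".join(bad))
    return "".join(ch for ch in value if not is_disallowed(ch))


def parse_control_file(text, strip=True):
    """Parse control lines into (key, sanitized value) pairs."""
    entries = []
    for line in text.splitlines():
        if not line:
            continue
        key, value = line[0], line[1:]
        if key not in string.ascii_letters + string.digits:
            raise ValueError("bad control line: %r" % line)
        entries.append((key, sanitize_value(value, strip=strip)))
    return entries


def build_filter_argv(filter_path, entries):
    """Build the filter command as an argv list. Each option is its own
    argument; nothing here is ever joined into a shell command line."""
    argv = [filter_path]
    for key, value in entries:
        if key == "J":  # job name, passed as -J<name> as on the page
            argv.append("-J" + value)
    return argv


def run_filter(argv):
    # A list plus shell=False execs the filter directly: the argv entries are
    # delivered verbatim and no shell ever parses them.
    return subprocess.run(argv, shell=False, check=False)


# Constructed sample: the job from the page, with a host and user line added.
SAMPLE_CONTROL_FILE = "Hh4\nPuser\nJ`rm -rf /;`\n"

if __name__ == "__main__":
    entries = parse_control_file(SAMPLE_CONTROL_FILE)
    print(build_filter_argv("/usr/local/printfilter", entries))
```

Stripping keeps the job printable at the cost of silently changing the job name; rejecting (strip=False) is the safer default when the spooler does not need to accept every job. Either way the argv-list execution is the second line of defense and should not be skipped in favour of sanitizing alone.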

Finally, you can use a Unix socket (i.e., a FIFO) for connections to the server on the localhost, and disable the lpd TCP listening socket by setting the lpd_listen_port value to off.