[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[linux-security] LPRng priviledges bugs



Topic
=====
When LPRng drops uid and gid, it fails to drop membership in its
supplemental groups.

Problem Description
===================
LPRng fails to drop supplemental group membership at init time, though it
does properly setuid and setgid. The result is that LPRng, and its
children, maintain any supplemental groups that the process starting LPRng
had at the time it started LPRng. This is a security risk.

Affected Systems
================
RedHat 7.x

If you are using the SFU package from sphinx in
/vol/vol1/distrib/redhat/6.2/contrib, you may be vulnerable under certain
circumstances, see Remark below.

Remark
======
If you just want to be able to send print jobs to SFU network printers,
then it is not necessary to run a lpd daemon. In that case you should
do something like
# cd /etc/rc.d/rc5.d; mv S20lpd K20lpd; ./K20lpd stop
(see the linux-security web page at 
http://www.sfu.ca/acs/security/linux-security.html
for details on how to switch off daemons).
Instead you install a /etc/lpd.conf file that simply forwards all print jobs
to lprng.sfu.ca. Such a lpd.conf is part of the LPRng-3.7.4-23sfu.i386.rpm.
It contains nothing but the 3 lines:
======<cut here: /etc/lpd.conf>================================
default_remote_host=lprng.sfu.ca
default_printer=lp
force_localhost@
===============================================================
In that case lpd is not used at all and no vulnerability exists.
The RPM in /vol/vol1/distrib/redhat/6.2/contrib was upgraded nevertheless
in case it is used in a different configuration.

Solution
========
RedHat 7.x
rpm -Fvh LPRng-3.7.4-23.i386.rpm

RedHat 6.x
rpm -Fvh LPRng-3.7.4-23sfu.i386.rpm