Patch-ID# 100305-07
Keywords: security passwd lpd lpr delete system
Synopsis: SunOS 4.1;4.1.1;4.1.2: lpd can be used to delete any file on the system
Date: 03/Mar/92
 
SunOS release: 4.1 4.1.1 4.1.2
 
Unbundled Product: 
 
Unbundled Release: 
 
Topic: lpd
 
BugId's fixed with this patch: 1016437 1040453 1057834 1058003 1059620 1061504 1063772 1081850 1081968

Architectures for which this patch is available: sun3, sun4

Patches which may conflict with this patch: 100301 (obsoleted)

Obsoleted by:

Problem Description: The current BSD line printer spooler has a flaw
                     which allows system files to be deleted by the lp daemon.

INSTALL: 

As root:

First run "ps ax | grep lpd" and kill the currently running lpd process.
The output from ps should look something like:
 134 ?  IW    0:00 /usr/lib/lpd
26753 p5 S     0:00 grep lpd
# kill -9 {process id of lpd. in the above example this is 134}

Then save aside the FCS versions and change the modes so that they 
cannot be misused.

mv /usr/lib/lpd /usr/lib/lpd.FCS
mv /usr/ucb/lpr /usr/ucb/lpr.FCS
mv /usr/etc/lpc /usr/etc/lpc.FCS

Copy in the new versions, delete /dev/printer and create a
directory mode 750 owned by root, with group daemon, called /dev/lpd;
then create a symbolic link called /dev/printer that points to
/dev/lpd/printer and restart lpd.

rm -f /dev/printer
mkdir /dev/lpd
chown root.daemon /dev/lpd
chmod 710 /dev/lpd
ln -s /dev/lpd/printer /dev/printer

cp `arch`/{4.1,4.1.1,4.1.2}/lpd /usr/lib/lpd
cp `arch`/{4.1,4.1.1,4.1.2}/lpr /usr/ucb/lpr
cp `arch`/{4.1,4.1.1,4.1.2}/lpc /usr/etc/lpc
chmod 6711 /usr/lib/lpd
chmod 6711 /usr/ucb/lpr
chmod 2711 /usr/etc/lpc
chown root.daemon /usr/lib/lpd
chown root.daemon /usr/ucb/lpr
chown root.daemon /usr/etc/lpc

rm -f /var/spool/lpd.lock
/usr/lib/lpd

Last step:

Edit your /etc/rc file and change the line that removes the /dev/printer
file upon system startup so that it removes /dev/lpd/printer instead.

Note the change to "/dev/lpd/printer" from "/dev/printer"

/etc/rc:

Find the lines having to do with lpd startup:

if [ -f /usr/lib/lpd ]; then
        rm -f /dev/printer /var/spool/lpd.lock

Change (add) in the new location: 

if [ -f /usr/lib/lpd ]; then
        rm -f /dev/lpd/printer /var/spool/lpd.lock
                  ^^^^
                  NEW

The results should look like:
if [ -f /usr/lib/lpd ]; then
        rm -f /dev/lpd/printer /var/spool/lpd.lock
        /usr/lib/lpd;           echo -n ' printer'
fi
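
A check of the end state the INSTALL steps describe, as an added example that is not part of the Sun patch. It compares ls mode strings against the chmod values given above (using the 710 from the chmod command for /dev/lpd), confirms the /dev/printer symlink, flags an /etc/rc that still removes /dev/printer, and reads "cannot be misused" as no set-uid or set-gid bit left on the .FCS copies. The function names and the ROOT prefix argument are assumptions of this example; ownership is not checked.

```sh
#!/bin/sh
# Added example, not part of the patch. ROOT is "" on the live system or a
# scratch directory holding a constructed copy of the tree.
# Usage: audit_lpd_install ""

mode_of() {   # 10-character mode string from ls, e.g. "-rws--s--x"
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

check_mode() {   # PATH WANT: exact mode-string match
    got=`mode_of "$1"`
    [ "$got" = "$2" ] && return 0
    echo "FAIL $1: mode '$got', expected '$2'" >&2; return 1
}

check_no_setid() {   # a saved .FCS binary must carry no set-uid/set-gid bit
    case `mode_of "$1"` in
        *[sS]*) echo "FAIL $1: still set-uid or set-gid" >&2; return 1 ;;
    esac
    return 0
}

check_link() {   # PATH TARGET: PATH must be a symlink to TARGET
    tgt=`ls -ld "$1" 2>/dev/null | sed -n 's/.* -> //p'`
    [ "$tgt" = "$2" ] && return 0
    echo "FAIL $1: points to '$tgt', expected '$2'" >&2; return 1
}

check_rc() {   # the boot script must no longer remove /dev/printer itself
    if grep '^[^#]*rm .*/dev/printer' "$1" >/dev/null 2>&1; then
        echo "FAIL $1: still removes /dev/printer at boot" >&2; return 1
    fi
    return 0
}

audit_lpd_install() {   # ROOT: returns 0 only if every check passes
    root=$1; bad=0
    check_mode "$root/usr/lib/lpd" "-rws--s--x" || bad=1   # chmod 6711
    check_mode "$root/usr/ucb/lpr" "-rws--s--x" || bad=1   # chmod 6711
    check_mode "$root/usr/etc/lpc" "-rwx--s--x" || bad=1   # chmod 2711
    check_mode "$root/dev/lpd"     "drwx--x---" || bad=1   # chmod 710
    check_link "$root/dev/printer" "/dev/lpd/printer" || bad=1
    check_rc   "$root/etc/rc" || bad=1
    for f in usr/lib/lpd usr/ucb/lpr usr/etc/lpc; do
        check_no_setid "$root/$f.FCS" || bad=1
    done
    return $bad
}
```

A missing .FCS file or a missing rc file passes its check; every other failure is reported on stderr with the path and the value found.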


