NetBSD-Bugs archive
bin/59493: Add insecure option to lpd
>Number: 59493
>Category: bin
>Synopsis: Add insecure option to lpd
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Sun Jun 29 19:10:00 +0000 2025
>Originator: Konrad Schroder <perseant%netbsd.org@localhost>
>Release: NetBSD-current 2025-06-29
>Organization:
>Environment:
System: NetBSD nbdev.hhhh.org 10.0 NetBSD 10.0 (XEN3_DOMU) #0: Thu Mar 28 08:33:33 UTC 2024 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/xen/compile/XEN3_DOMU amd64
Architecture: x86_64
Machine: amd64
>Description:
lpd(8) provides network access control using hosts_access(5) and
requires reverse DNS to serve requests from the network. In a modern
setting, host access is generally provided via host firewall, and
in a small network setting, anonymous clients are common. The patch
below provides a flag, -i, that disables the network security checks
for cases where they do not make sense (e.g. home network, or
a host that already uses npf(7) for access control).
The default behavior, of course, would not be changed.
>How-To-Repeat:
Set up a printer using lpd(8) and attempt to print from a remote host
that does not have reverse DNS.
>Fix:
The following patch implements the desired flag:
--------8<--------
Index: lpd/lpd.8
===================================================================
RCS file: /cvsroot/src/usr.sbin/lpr/lpd/lpd.8,v
retrieving revision 1.36
diff -u -r1.36 lpd.8
--- lpd/lpd.8 3 Jul 2017 21:35:31 -0000 1.36
+++ lpd/lpd.8 29 Jun 2025 18:45:15 -0000
@@ -95,6 +95,16 @@
See
.Xr setsockopt 2
for more details.
+.It Fl i
+The
+.Fl i
+option selects
+.Dq insecure
+mode, bypassing the address-based checks described below. Options
+.Fl i
+and
+.Fl s
+are mutually exclusive.
.It Fl l
The
.Fl l
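Review bot: the new .It Fl i entry says the option bypasses the address-based checks but not what that costs: with -i any host that can reach the port can submit jobs, and the only control left is the packet filter. One sentence to that effect, pointing at npf(7) as the PR description does, would let someone reading lpd.8 on its own judge the risk. The mutual-exclusion sentence should also match what the lpd.c change actually does, which is to let the later of -i and -s win rather than reject the pair.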
@@ -137,7 +147,11 @@
.Nm
runs is subject to attack over the network and it is desired that the
machine be protected from attempts to remotely fill spools and similar
-attacks.
+attacks. Options
+.Fl s
+and
+.Fl i
+are mutually exclusive.
.It Fl w
The
.Fl w
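Review bot: this repeats the mutual-exclusion sentence already added under .Fl i in the previous hunk; stating it once and cross-referencing with .Fl i from the other entry is enough, and keeps the two from drifting apart in later edits.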
@@ -163,7 +177,9 @@
port from
.Pa /etc/services .
.Pp
-Access control is provided by three means.
+Unless the
+.Fl i
+flag is specified, access control is provided by three means.
First,
.Pa /etc/hosts.allow
and
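Review bot: "Unless the -i flag is specified, access control is provided by three means" says all three means are suspended under -i, but the lpd.c hunk only short-circuits the one function that performs the hosts_access() and getnameinfo() lookups. Confirm that the third means is enforced in that same path; if it is enforced elsewhere, narrow this wording to the checks the early return actually skips.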
Index: lpd/lpd.c
===================================================================
RCS file: /cvsroot/src/usr.sbin/lpr/lpd/lpd.c,v
retrieving revision 1.60
diff -u -r1.60 lpd.c
--- lpd/lpd.c 26 Apr 2023 18:25:02 -0000 1.60
+++ lpd/lpd.c 29 Jun 2025 18:45:15 -0000
@@ -117,6 +117,7 @@
int deny_severity = LOG_AUTH|LOG_WARNING;
#endif
+int iflag; /* insecure (no network checks) flag */
int lflag; /* log requests flag */
int rflag; /* allow of for remote printers */
int sflag; /* secure (no inet) flag */
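Review bot: with -i the hosts_access() path is never entered, so the LIBWRAP deny logging governed by deny_severity just above never fires, and nothing in the log shows that the daemon is running without network access control. Consider a one-time syslog(3) message at startup when iflag is set, so an administrator reviewing logs can tell that jobs are being accepted from any reachable host.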
@@ -160,7 +161,7 @@
setprogname(*argv);
errs = 0;
- while ((i = getopt(argc, argv, "b:dln:srw:W")) != -1)
+ while ((i = getopt(argc, argv, "b:diln:srw:W")) != -1)
switch (i) {
case 'b':
if (blist_addrs >= blist_size) {
@@ -176,6 +177,10 @@
case 'd':
options |= SO_DEBUG;
break;
+ case 'i':
+ sflag = 0;
+ iflag++;
+ break;
case 'l':
lflag++;
break;
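Review bot: case 'i' silently clears sflag, so "lpd -s -i" runs insecure while "lpd -i -s" runs secure, even though the lpd.8 text in this change calls the options mutually exclusive. Either treat the combination as a usage error (for example, bump errs after the loop when both were seen and let the existing usage() path report it) or document that the later option wins; a silent override is the worse choice for a flag that removes access control.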
@@ -189,6 +194,7 @@
rflag++;
break;
case 's':
+ iflag = 0;
sflag++;
break;
case 'w':
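Review bot: the added "iflag = 0;" in case 's' is the other half of the last-one-wins behaviour; if the -i/-s combination is rejected after the getopt loop instead, this line becomes unnecessary, and if it stays, the order dependence belongs in lpd.8.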
@@ -604,6 +610,12 @@
struct request_info req;
#endif
+ if (iflag) {
+ strcpy(fromb, inet_ntoa(((struct sockaddr_in *)f)->sin_addr));
+ from = fromb;
+ return;
+ }
+
error = getnameinfo(f, f->sa_len, NULL, 0, serv, sizeof(serv),
NI_NUMERICSERV);
if (error)
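Review bot: the early return casts f to struct sockaddr_in and calls inet_ntoa(), but f is a generic struct sockaddr and the getnameinfo(f, f->sa_len, ...) call directly below shows this path serves AF_INET6 peers as well; for a v6 peer the cast reads the wrong bytes and fromb ends up holding a meaningless IPv4 string. Use the family-agnostic form the function already relies on, for example "getnameinfo(f, f->sa_len, fromb, sizeof(fromb), NULL, 0, NI_NUMERICHOST)", which also removes the unbounded strcpy(). Returning before the serv lookup also skips the reserved-source-port test that lookup feeds, which the -i documentation does not mention; either keep that test under -i or state in lpd.8 that it is waived too.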
@@ -694,7 +706,7 @@
{
(void)fprintf(stderr,
- "Usage: %s [-dlrsW] [-b bind-address] [-n maxchild] "
+ "Usage: %s [-dilrsW] [-b bind-address] [-n maxchild] "
"[-w maxwait] [port]\n", getprogname());
exit(1);
}
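Review bot: the usage string lists -i and -s together in "[-dilrsW]" although the manual page now calls them mutually exclusive; writing them as "[-i | -s]" would make the usage line say the same thing as lpd.8.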
--------8<--------
If there are no objections I'll commit in the coming weeks.