New Sun lpd Problem

From BRAND@addvax.llnl.gov Tue Jul  9 15:39:37 1991
Return-Path: <BRAND@addvax.llnl.gov>
Received: from addvax.llnl.gov by  (4.1/SMI-4.1)
	id AA12802; Tue, 9 Jul 91 15:32:33 PDT
Date: Tue, 9 Jul 91 15:30 PST
From: "Hal R. Brand, LLnL, 415-422-6312" <BRAND@addvax.llnl.gov>
Subject: CIAC Bulletin B-33 - New SunOS lpd Problem
To: external@cheetah.llnl.gov, cert-system-info@nist.GOV
Message-Id: <4A75AD40177500EB27@addvax.llnl.gov>
X-Envelope-To: external@cheetah.llnl.GOV
X-Vms-To: in%"external@cheetah.llnl.gov",in%"cert-system-info@nist.gov"
Status: RO

			   NO RESTRICTIONS
         _____________________________________________________
              The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
         _____________________________________________________
                          Information Bulletin
 
July 9, 1991, 1500 PDT                                        Number B-33
 
			  New SunOS lpd Problem
_________________________________________________________________________
PROBLEM: The SunOS 4.1 and 4.1.1 line printer spooler daemon (lpd) has
	a flaw that allows unauthorized deletion of files.
PLATFORM: Sun3, sun3x, sun4, sun4c, and sun386i architectures running
	SunOS 4.1 and 4.1.1.
DAMAGE: Unauthorized file deletions can occur.
SOLUTIONS: Apply patch-ID# 100305-03.
_________________________________________________________________________
		  Critical Facts About New lpd Problem

In CIAC Bulletin B-30 we described a patch (100305-01) available from Sun
Microsystems to fix security bugs in the line printer spooler daemon
(lpd).  We have since learned, however, that this patch does not
eliminate all security bugs in lpd.  Sun Microsystems has recently
released a new patch (100305-03) to lpd.  This new patch supersedes the
old patch, and prevents an unauthorized person from using lpd to delete
files. You should install this new patch (100305-03), even if you have
installed the old patch (100305-01).

Sun Microsystems has provided corrected lpd files for the various
architectures and versions of SunOS affected.  These files are in the
compressed tarfile 100305-03.tar.Z.  This file can be obtained from Sun by
specifying "Patch-ID# 100305-03".  Alternatively, the file can be obtained
via anonymous FTP from ftp.uu.net as "sun-dist/100305-03.tar.Z". The
checksum (sum(1V)) of the file 100305-03.tar.Z is "40955 380".

Instructions for obtaining this patch from ftp.uu.net are:

  (Login as root
  # ftp ftp.uu.net
  ...
  Name (ftp.uu.net:root): anonymous
  331 Guest login ok, send ident as password.
  Password: <put your e-mail address here>
  230 Guest login ok, access restrictions apply.
  ftp> cd sun-dist
  ftp> binary
  ftp> get 100305-03.tar.Z
  ...
  ftp> quit

Instructions for applying this patch are:

  (Login as root
  (cd to directory containing the compressed tar patch file

  (Verify the integrity of the compressed tar patch file.
  # sum 100305-03.tar.Z
  40955   380
  (If the numbers you get are not these, DO NOT proceed! You have a bad
  (  patch file. Delete the patch file and try to obtain a proper copy.

  (Expand the tar file
  # uncompress 100305-03.tar.Z
  # mkdir sunpatch
  # cd sunpatch
  # tar xvf ../100305-03.tar

  (Kill the running lpd:
  # ps -ax | grep lpd
  (You should see something like:
  (          134 ?  IW    0:00 /usr/lib/lpd
  (        26753 p5 S     0:00 grep lpd
  (  Insert the "pid" (the first number on the line) of /usr/lib/lpd into
  (   the next command, i.e. in this case, one would substitute 134.
  (  If you have more than one copy of lpd running, repeat the "kill -9"
  (   command for each "pid" found.
  # kill -9 <pid of /usr/lib/lpd>

  (Save old lpd - if you have already installed the 100305-01 patched lpd
  (  you can ignore this step, or better yet, rename the -01 lpd to
  (  something like /usr/lib/lpd.Patch-01
  # mv /usr/lib/lpd /usr/lib/lpd.FCS
  # chmod 100 /usr/lib/lpd.FCS

  (copy the upgraded lpd file to /usr/lib
  (   Substitute as appropriate for your architecture and SunOS version:
  # cp sun{3,3x,4,4c,386i}/{4.1,4.1.1}/lpd /usr/lib/lpd
  # chown root.daemon /usr/lib/lpd
  # chmod 6711 /usr/lib/lpd

  (Verify your work with /usr/lib/lpd:
  # ls -lg /usr/lib/lpd
  -rws--s--x  1 root      daemon    ...       /usr/lib/lpd

  (Modify some other line printer utility program protections
  # chmod 6711 /usr/ucb/lpr
  # chmod 6711 /usr/ucb/lpq
  # chmod 6711 /usr/ucb/lprm
  # chmod 2711 /usr/etc/lpc

  (Prepare for usage of new /usr/lib/lpd
  # rm -f /dev/printer /var/spool/lpd.lock
  # mkdir /dev/lpd
  # chown root.daemon /dev/lpd
  # chmod 710 /dev/lpd
  # ln -s /dev/lpd/printer /dev/printer

  (Restart the new lpd
  # /usr/lib/lpd

  (Verify that the lpd daemon restarted:
  # ps -ax | grep lpd

  (Modify /etc/rc and/or /etc/rc.local to reflect new location of the
  (  printer socket to be cleaned-up on boot.
  ( To do this, use your favorite editor on /etc/rc and /etc/rc.local
  (  and change:
  	if [ -f /usr/lib/lpd ]; then
  		rm -f /dev/printer /var/spool/lpd.lock
  (  to:
  	if [ -f /usr/lib/lpd ]; then
  		rm -f /dev/lpd/printer /var/spool/lpd.lock
  (   new                 ^^^^

  (Cleanup:
  # cd ..
  # rm -r sunpatch
  # rm 100305-03.tar
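
The end state that the steps above establish can be audited with a short
script. This is an added example, not part of the CIAC bulletin or of Sun's
patch; the function names and the root-prefix argument are assumptions made
for illustration, and ownership (root.daemon) is not checked.

```shell
#!/bin/sh
# Added example (not from the bulletin): audit the state the B-33 steps set up.
# audit_lpd takes a root prefix (assumption): "" for the live system, or the
# path of a staged copy of the tree.

# Print the type and permission columns of `ls -ld`, e.g. -rws--s--x
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# Compare a path's mode string with the expected one; return 1 on mismatch.
expect_mode() {
    got=$(mode_of "$1")
    if [ "$got" = "$2" ]; then
        echo "ok    $1 $got"
    else
        echo "FAIL  $1 is '${got:-missing}', want '$2'"
        return 1
    fi
}

audit_lpd() {
    root=$1
    rc=0
    for f in usr/lib/lpd usr/ucb/lpr usr/ucb/lpq usr/ucb/lprm; do
        expect_mode "$root/$f" "-rws--s--x" || rc=1       # chmod 6711
    done
    expect_mode "$root/usr/etc/lpc" "-rwx--s--x" || rc=1  # chmod 2711
    expect_mode "$root/dev/lpd" "drwx--x---" || rc=1      # chmod 710

    # /dev/printer must now be a symlink into the protected directory.
    target=$(ls -l "$root/dev/printer" 2>/dev/null | sed -n 's/.* -> //p')
    if [ "$target" != "/dev/lpd/printer" ]; then
        echo "FAIL  $root/dev/printer -> '${target:-not a symlink}'"
        rc=1
    fi

    # The boot scripts must no longer remove the old socket path.
    for f in etc/rc etc/rc.local; do
        if grep 'rm -f /dev/printer' "$root/$f" >/dev/null 2>&1; then
            echo "FAIL  $root/$f still removes /dev/printer"
            rc=1
        fi
    done
    return $rc
}
```

Call audit_lpd "" on the patched host after restarting lpd; a non-zero
return means at least one of the steps above was missed.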

For additional information or assistance, please contact CIAC:

	Hal Brand
        (415) 422-6312 or (FTS) 532-6312
 	brand@addvax.llnl.gov

 	During work hours call CIAC at (415) 422-8193 or (FTS) 532-8193 or
	send e-mail to ciac@llnl.gov.  For non-working hour
	emergencies, call 1-800-SKY PAGE, then enter 855-0070 or
	855-0074.

 	Send FAX messages to:  (415) 423-8002 or (FTS) 543-8002 (THIS
        IS A NEW FAX NUMBER).

	The CIAC Bulletin Board, FELIX, can be accessed at 1200 or 2400
	baud at (415) 423-4753 or (FTS) 543-4753.  (9600 baud access can
	be obtained from Lawrence Berkeley and Lawrence Livermore
	laboratories at 423-9885.)

Sun Microsystems provided some of the information used in this
bulletin.  This document was prepared as an account of work sponsored
by an agency of the United States Government. Neither the United States
Government nor the University of California nor any of their employees,
makes any warranty, express or implied, or assumes any legal liability
or responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the
United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of
California, and shall not be used for advertising or product
endorsement purposes.

