> From [EMAIL PROTECTED] Wed Feb 20 16:10:49 2002
> To: [EMAIL PROTECTED]
> Subject: LPRng: Too much security in LPRng 3.8.6
> Date: Wed, 20 Feb 2002 15:12:22 -0800
> From: Kenneth Lareau <[EMAIL PROTECTED]>
>
> After several years away from using LPRng, I decided to give it a shot
> again. However, I think someone was a bit too aggressive with security
> concerns...
>
> On a Sun Ultra 10 running Solaris 8, I ran the following configure
> command:
>
> CFLAGS=-O2 ./configure --disable-setuid --enable-priv_ports \
>     --disable-force_localhost --with-included-gettext
>
> then
>
> make clean all
>
> Everything went fine, and I installed the software. However, the docs
> say to run 'checkpc -f', but I seem to get this message:
>
> checkpc: WARNING- LPD_CONF environment variable option enabled
> and running as root! You have an exposed security breach!
> Recompile without -DGETENV or do not run clients as ROOT
>
> In fact, if I try to do anything as root, I get that message, even with
> 'allow_getenv@' in my lpd.conf file. Uh... this makes it quite impossible
> to run the daemon, doesn't it?
>
> Suggestions on a fix here?
>
> Kenneth Lareau
> [EMAIL PROTECTED]

This has been posted before, but in src/Makefile.in

#### ****** TESTING AND SECURITY LOOPHOLE ******************************
# Define GETENV to allow the LPD_CONFIG environment
#  variable to be used as the name of a configuration file.  In non-testing
#  systems, this is a security loophole.
#CFLAGS:= $(CFLAGS) -DGETENV=\"1\" -Wall -Werror
^^^ Make sure this is commented out

I am currently running regression tests on a new version.

Patrick Powell                 Astart Technologies,
[EMAIL PROTECTED]              9475 Chesapeake Drive, Suite D,
Network and System             San Diego, CA 92123
  Consulting                   858-874-6543 FAX 858-279-8424
LPRng - Print Spooler (http://www.lprng.com)
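
The check described in the reply, as an added example that is not part of the original thread or of the LPRng distribution: a shell helper that looks for an active -DGETENV flag in src/Makefile.in and in the src/Makefile that configure generated from it, and comments the line out. The function names are hypothetical; the flag and file path are the ones quoted above.

```shell
#!/bin/sh
# Added example (not LPRng project code): find and comment out active
# -DGETENV compiler flags in an LPRng source tree before rebuilding.

# Exit 0 if FILE has -DGETENV on a line outside a '#' make comment.
getenv_enabled() {
    sed 's/#.*$//' "$1" | grep -q -e '-DGETENV'
}

# Comment out every active line that mentions -DGETENV; keep FILE.orig.
disable_getenv() {
    cp "$1" "$1.orig" || return 1
    sed '/^[[:space:]]*#/!{/-DGETENV/s/^/#/;}' "$1.orig" > "$1"
}

# Check the template and the Makefile that configure generated from it.
# Prints one status line per file; returns 1 if anything had to be changed.
audit_tree() {
    changed=0
    for f in "$1/src/Makefile.in" "$1/src/Makefile"; do
        [ -f "$f" ] || continue
        if getenv_enabled "$f"; then
            disable_getenv "$f" || return 2
            echo "FIXED  $f (backup in $f.orig)"
            changed=1
        else
            echo "OK     $f"
        fi
    done
    return $changed
}

# Usage: sh audit_getenv.sh /path/to/LPRng-source
if [ -n "${1:-}" ]; then
    audit_tree "$1"
fi
```

If any file is reported as FIXED, rebuild and reinstall with the same `make clean all` step used in the original message, since binaries built earlier still carry the option.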
