SUN MICROSYSTEMS SECURITY BULLETIN: #00108 This information is only to be used for the purpose of alerting customers to problems. Any other use or re-broadcast of this information without the express written consent of Sun Microsystems shall be prohibited. Sun expressly disclaims all liability for any misuse of this information by any third party. --------------------------------------------------------------------------- All patches listed are available through your local Sun answer centers worldwide as well as through anonymous ftp to ftp.uu.net. In the US on ~ftp/sun-dist directory and in Europe on mcsun.eu.net on ~ftp/sun/fixes directory. Please refer to the BugID and PatchID when requesting patches from Sun answer centers. -------------------------------------------------------------------------- Sun Bug ID : 1057834 1058003 1016437 1040453 Synopsis : The current SunOS/BSD line printer spooler has a flaw which allows system files to be deleted by the lp daemon. Sun Patch ID: 100305-01 Checksum of compressed tarfile 100305-01.tar.Z = 31440 239 -------------------------------------------------------------------------- Detailed Information: Patch-ID# 100305-01 Keywords: security passwd lpd delete system Synopsis: SunOS 4.1.1;4.1: lpd can be used to delete any file on the system Date: 30/May/91 SunOS release: 4.1.1, 4.1 Unbundled Product: Unbundled Release: Topic: lpd BugId's fixed with this patch: 1057834 1058003 1016437 1040453 Architectures for which this patch is available: sun3, sun3x, sun4, sun4c Patches which may conflict with this patch: Obsoleted by: SunOS 5.0 Problem Description: The current BSD line printer spooler has a flaw which allows system files to be deleted by the lp daemon. INSTALL: as root: first do a "ps ax |grep lpd" and kill off the currently running lpd process. the return from ps should be something like: 134 ? IW 0:00 /usr/lib/lpd 26753 p5 S 0:00 grep lpd # kill -9 {process id of lpd. in the above example this is 134} then save aside the FCS version of lpd, and change the mode so that it cannot be misused. # mv /usr/lib/lpd /usr/lib/lpd.FCS # chmod 100 /usr/lib/lpd.FCS copy in the new version and restart lpd. # cp sun{3,3x,4,4c}/{4.1,4.1.1}/lpd /usr/lib/lpd # chmod 6755 /usr/lib/lpd # chown root /usr/lib/lpd # chgrp daemon /usr/lib/lpd # rm -f /dev/printer /var/spool/lpd.lock restart the lpd daemon # /usr/lib/lpd