From acafcefc7041634ebcec8624ee782a3a011c8432 Mon Sep 17 00:00:00 2001
From: ajacoutot
Date: Sun, 20 Apr 2014 22:35:10 +0000
Subject: [PATCH] Prevent lpd(8) from looking into hosts.equiv.

Access control is now done only using hosts.lpd. See lpd(8) for more information about the format of this file. "seems reasonable" tedu@ "looks good" deraadt@ ok sthen@
---
 usr.sbin/lpr/common_source/pathnames.h | 3 +--
 usr.sbin/lpr/lpd/lpd.8 | 11 +++-------
 usr.sbin/lpr/lpd/lpd.c | 14 ++----------
 3 files changed, 6 insertions(+), 22 deletions(-)

diff --git a/usr.sbin/lpr/common_source/pathnames.h b/usr.sbin/lpr/common_source/pathnames.h
index 303ff746fb0..92bc6e43cc8 100644
--- a/usr.sbin/lpr/common_source/pathnames.h
+++ b/usr.sbin/lpr/common_source/pathnames.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pathnames.h,v 1.4 2003/06/02 23:36:53 millert Exp $ */
+/* $OpenBSD: pathnames.h,v 1.5 2014/04/20 22:35:10 ajacoutot Exp $ */
 /* $NetBSD: pathnames.h,v 1.5 1995/11/28 19:43:27 jtc Exp $ */
 
 /*
@@ -36,7 +36,6 @@
 #define _PATH_DEFDEVLP "/dev/lp"
 #define _PATH_DEFSPOOL "/var/spool/output/lpd"
-#define _PATH_HOSTSEQUIV "/etc/hosts.equiv"
 #define _PATH_HOSTSLPD "/etc/hosts.lpd"
 #define _PATH_MASTERLOCK "/var/run/lpd.pid"
 #define _PATH_PR "/usr/bin/pr"
diff --git a/usr.sbin/lpr/lpd/lpd.8 b/usr.sbin/lpr/lpd/lpd.8
index df7079423aa..bbbd800887e 100644
--- a/usr.sbin/lpr/lpd/lpd.8
+++ b/usr.sbin/lpr/lpd/lpd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: lpd.8,v 1.25 2014/04/20 18:11:45 tedu Exp $
+.\" $OpenBSD: lpd.8,v 1.26 2014/04/20 22:35:10 ajacoutot Exp $
 .\" $NetBSD: lpd.8,v 1.23 2002/02/08 01:38:50 ross Exp $
 .\"
 .\" Copyright (c) 1983, 1991, 1993
@@ -159,9 +159,7 @@ port from
 .Pp
 Access control is provided by two means.
 First, all requests must come from one of the machines listed in the file
-.Pa /etc/hosts.lpd
-or
-.Pa /etc/hosts.equiv ,
+.Pa /etc/hosts.lpd ,
 one hostname per line.
 A plus "+" may be used as a wildcard to grant access to all hosts.
 Second, if the
@@ -337,11 +335,8 @@ minimum free space to leave
 line printer devices
 .It Pa /var/run/printer
 socket for local requests
-.It Pa /etc/hosts.equiv
-lists machine names allowed printer access
 .It Pa /etc/hosts.lpd
-lists machine names allowed printer access,
-but not under same administrative control.
+lists machine names allowed printer access
 .El
 .Sh SEE ALSO
 .Xr lpq 1 ,
diff --git a/usr.sbin/lpr/lpd/lpd.c b/usr.sbin/lpr/lpd/lpd.c
index 79848795a47..a3a77f24ed5 100644
--- a/usr.sbin/lpr/lpd/lpd.c
+++ b/usr.sbin/lpr/lpd/lpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lpd.c,v 1.52 2013/11/24 21:32:32 deraadt Exp $ */
+/* $OpenBSD: lpd.c,v 1.53 2014/04/20 22:35:10 ajacoutot Exp $ */
 /* $NetBSD: lpd.c,v 1.33 2002/01/21 14:42:29 wiz Exp $ */
 
 /*
@@ -666,7 +666,6 @@ chkhost(struct sockaddr *f)
 {
 	struct addrinfo hints, *res, *r;
 	FILE *hostf;
-	int first = 1;
 	int good = 0;
 	char host[NI_MAXHOST], ip[NI_MAXHOST];
 	char serv[NI_MAXSERV];
@@ -719,9 +718,8 @@ chkhost(struct sockaddr *f)
 		fatal("address for your hostname (%s) not matched", host);
 	setproctitle("serving %s", from);
 	PRIV_START;
-	hostf = fopen(_PATH_HOSTSEQUIV, "r");
+	hostf = fopen(_PATH_HOSTSLPD, "r");
 	PRIV_END;
-again:
 	if (hostf) {
 		if (__ivaliduser_sa(hostf, f, f->sa_len, DUMMY, DUMMY) == 0) {
 			(void)fclose(hostf);
@@ -729,15 +727,7 @@ again:
 		}
 		(void)fclose(hostf);
 	}
-	if (first == 1) {
-		first = 0;
-		PRIV_START;
-		hostf = fopen(_PATH_HOSTSLPD, "r");
-		PRIV_END;
-		goto again;
-	}
 	fatal("Your host does not have line printer access");
-	/*NOTREACHED*/
 }
 
 static __dead void
-- 
2.20.1
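Review bot: When the `fopen(_PATH_HOSTSLPD, "r")` on the added line fails, `hostf` is NULL and control falls straight through to `fatal("Your host does not have line printer access")`, so a missing or unreadable hosts.lpd is logged exactly like a client that is not listed; now that this file is the only access-control list, an operator's permissions or deployment mistake is indistinguishable in the logs from a legitimately denied host. Consider saving `errno` before `PRIV_END` (the macro's body is not in the hunk, so it may clobber it) and reporting it, e.g. `if (hostf == NULL) syslog(LOG_WARNING, "%s: %m", _PATH_HOSTSLPD);` right after `PRIV_END;`, assuming lpd.c already logs through syslog as its other messages appear to. Since the file is still fed to `__ivaliduser_sa(hostf, f, f->sa_len, DUMMY, DUMMY)`, hosts.lpd is evidently parsed with hosts.equiv-style syntax and a bare `+` line still grants every host, which a one-line comment above the `fopen` should state now that the hosts.equiv path no longer appears here. chkhost begins before this hunk and its closing brace is in the following one.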