SUN MICROSYSTEMS SECURITY BULLETIN: #00108

 This information is only to be used for the purpose of alerting
customers to problems. Any other use or re-broadcast of this 
information without the express written consent of Sun Microsystems
shall be prohibited.

Sun expressly disclaims all liability for any misuse of this information
by any third party.
---------------------------------------------------------------------------

   All patches listed are available through your local Sun answer centers
   worldwide as well as through anonymous ftp to ftp.uu.net.
   In the US on ~ftp/sun-dist directory and in Europe on mcsun.eu.net
   on ~ftp/sun/fixes directory.


Please refer to the BugID and PatchID when requesting patches from Sun
answer centers.

--------------------------------------------------------------------------

Sun Bug ID  : 1057834 1058003 1016437 1040453

Synopsis    : The current SunOS/BSD line printer spooler has a flaw which 
              allows system files to be deleted by the lp daemon.

Sun Patch ID: 100305-01

Checksum of compressed tarfile 100305-01.tar.Z =  31440   239

--------------------------------------------------------------------------
Detailed Information:

Patch-ID#  100305-01
Keywords: security passwd lpd delete system
Synopsis: SunOS 4.1.1;4.1: lpd can be used to delete any file on the system
Date: 30/May/91

SunOS release: 4.1.1, 4.1

Unbundled Product:

Unbundled Release:

Topic: lpd

BugId's fixed with this patch: 1057834 1058003 1016437 1040453

Architectures for which this patch is available: sun3, sun3x, sun4, sun4c

Patches which may conflict with this patch:
 
Obsoleted by: SunOS 5.0
 
Problem Description: The current BSD line printer spooler has a flaw
                     which allows system files to be deleted by the lp daemon.
 
INSTALL:
 
as root:
 
first do a "ps ax |grep lpd"  and kill off the currently running lpd process.
the return from ps should be something like:
 134 ?  IW    0:00 /usr/lib/lpd
26753 p5 S     0:00 grep lpd
# kill -9 {process id of lpd. in the above example this is 134}
 
then save aside the FCS version of lpd, and change the mode so that it cannot be
misused.
# mv /usr/lib/lpd /usr/lib/lpd.FCS
# chmod 100 /usr/lib/lpd.FCS
 
copy in the new version and restart lpd.
 
# cp sun{3,3x,4,4c}/{4.1,4.1.1}/lpd /usr/lib/lpd
# chmod 6755 /usr/lib/lpd
# chown root /usr/lib/lpd
# chgrp daemon /usr/lib/lpd
# rm -f /dev/printer /var/spool/lpd.lock

restart the lpd daemon

# /usr/lib/lpd