How wto configure Xprt ?

How wto configure Xprt ?

Post by Roland Main » Thu, 24 Feb 2000 04:00:00



Hi !

----

How to configure Xprt (X print server) ? Are there any infodocs
available ?

We'd like to configure Xprt in a per-system basis (e.g. lauched by
/etc/init.d/lp), but it prints as user "root" (we're using the std.
config which prints via "lp") ;-(

----

Bye,
Roland

--
  __ .  . __


  /O /==\ O\  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
 (;O/ \/ \O;) TEL +49 (0) 641/99-13193 FAX +49 (0) 641/99-41359

 
 
 

How wto configure Xprt ?

Post by Thomas J. Gil » Thu, 24 Feb 2000 04:00:00


Quote:> We'd like to configure Xprt in a per-system basis (e.g. lauched by
> /etc/init.d/lp), but it prints as user "root" (we're using the std.
> config which prints via "lp") ;-(

I forget what the outcome was, but when the printing portion of
Xprt was coded, we struggled with whether the user-id (uid) of
the client should be conveyed to Xprt so Xprt could change
ownership on the resulting lp.  My leaning is that we didn't
change ownership for 3 reasons: 1) it would be trivial to jam
anyones user-id in the protocol and do printouts in their name,
2) a clever user might be able to reconfigure the print back end
to run something other than lp, which when combined with
uid spoofing......, and 3) though the print job seems to be owned
by root, you still have adequate control over it.

Sorry for the rambling, I'm just trying to expose some of the issues
I think we encountered 4 years ago.

Thomas Gilg


 
 
 

How wto configure Xprt ?

Post by Roland Main » Thu, 24 Feb 2000 04:00:00



> > We'd like to configure Xprt in a per-system basis (e.g. lauched by
> > /etc/init.d/lp), but it prints as user "root" (we're using the std.
> > config which prints via "lp") ;-(

> I forget what the outcome was, but when the printing portion of
> Xprt was coded, we struggled with whether the user-id (uid) of
> the client should be conveyed to Xprt so Xprt could change
> ownership on the resulting lp.

Is this still true if the X servers auth was set to use DES or Kerberos
?

But there's another problem: What if some smart admin opens the Xprt
server to others (xhost +foo.bar.com) - foo.bar.com may send print
requests but doesn't match into the print servers uid space... Ouch.

----

Quote:>  My leaning is that we didn't
> change ownership for 3 reasons: 1) it would be trivial to jam
> anyones user-id in the protocol and do printouts in their name,
> 2) a clever user might be able to reconfigure the print back end
> to run something other than lp, which when combined with
> uid spoofing......, and 3) though the print job seems to be owned
> by root, you still have adequate control over it.

How ? Think about DUMB users which don't have root access...

----

Thanks for the explanations :-)

After all, we have two useable choices:
- Integrate Xprt functionality into Xsun (I filed a RFE to Sun...)
- Launch Xprt on a per-user basis in /usr/dt/bin/Xsession, but this
results in the "X-port is in use problem". It would be nice if Xprt has
an option "use any port above xxxx and add itself to XPSERVERLIST"...

But I'd like to see only one X print server per machine (or network)...

----

Bye,
Roland

P.S.:
Found a solution for the "display-id in use" problem:
id=$(expr `echo $DISPLAY | cut -f 2,2 -d ":" | cut -f 1,1 -d "."` +
"32") ; Xprt :$id
does the trick (awk may make it little bit better...)

--
  __ .  . __


  /O /==\ O\  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
 (;O/ \/ \O;) TEL +49 (0) 641/99-13193 FAX +49 (0) 641/99-41359

 
 
 

How wto configure Xprt ?

Post by Thomas J. Gil » Fri, 25 Feb 2000 04:00:00



Quote:> Is this still true if the X servers auth was set to use
> DES or Kerberos?

DES and Kerberos were sufficiently new to X in 1995/96
that no attempt was made to leverage them for the issue
at hand.

Quote:> But there's another problem: What if some smart admin opens the Xprt
> server to others (xhost +foo.bar.com) - foo.bar.com may send print
> requests but doesn't match into the print servers uid space... Ouch.

Yes, the varying uid space issue impacted the design
of Xprt.

Thomas Gilg

 
 
 

How wto configure Xprt ?

Post by Roland Main » Sat, 26 Feb 2000 04:00:00



> > But there's another problem: What if some smart admin opens the Xprt
> > server to others (xhost +foo.bar.com) - foo.bar.com may send print
> > requests but doesn't match into the print servers uid space... Ouch.

> Yes, the varying uid space issue impacted the design
> of Xprt.

Is there no way to fetch the user name out of the libXp print request and
pass it to the LP spooler system like in.lpd does (e.g. the lpd protcoll
defined by http://www.ietf.org/rfc/rfc1179.txt) ?

----

Are there any known security issues with running Xprt on a per-user basis
?

----

Bye,
Roland

--
  __ .  . __


  /O /==\ O\  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
 (;O/ \/ \O;) TEL +49 (0) 641/99-13193 FAX +49 (0) 641/99-41359

 
 
 

How wto configure Xprt ?

Post by Thomas J. Gil » Wed, 01 Mar 2000 04:00:00



> Is there no way to fetch the user name ...

OK, I broke down and looked at the code ;-)

In summary, the uid of the client using libXp should be
conveyed to Xprt, and Xprt will try to use it (i.e. setuid())
when issuing the print job (i.e. lp).

In detail, when XpStartJob() is called by the client that is trying
to print, XpStartJob() first fetches the uid of the current user and
creates the attribute "job-owner" in the XPJobAttr attribute pool.

    #ifndef WIN32
    _Xgetpwparams pwparams;
    struct passwd *pw;
    pw = _XGetpwuid(getuid(),pwparams);

    if (pw && (PwName = pw->pw_name)) {
    #else
    if ((PwName = getenv("USERNAME"))) {
    #endif
        joa = (char *) Xmalloc( strlen( PwName ) + 20 );
        sprintf( joa, "job-owner: %s", PwName );
        context = XpGetContext( dpy );
        XpSetAttributes( dpy, context, XPJobAttr, joa, XPAttrMerge );

XpStartJob() then issues the start job protocol which causes
the XPJobAttr attribute pool to be locked within Xprt.

When XpEndJob() is finally called, it causes Xprt to prepare the
print job.  Prior to kicking off lp(1), Xprt fetches the same job-owner
attribute:

    userName = XpGetOneAttribute(pContext, XPJobAttr, "job-owner");
    if(userName != (char *)NULL && strlen(userName) == 0)
    userName = (char *)NULL;

Does a fork, and then sets the job-owner id:

    if (userName) {
        uid_t myUid;

        if ( (myUid = geteuid()) == (uid_t) 0 ) {
            struct passwd *pPasswd;

            if((pPasswd = getpwnam(userName))) {
                setuid((uid_t)pPasswd->pw_uid);
            }
        }
    }

After this an execv() is done to execute the spool command.

    #ifdef hpux
    static char DEFAULT_SPOOL_COMMAND[] = "/usr/bin/lp -d %printer-name% -o
raw -n %copy-count% -t %job-name% %options%";
    #else
    static char DEFAULT_SPOOL_COMMAND[] = "/usr/bin/lp -d %printer-name% -n
%copy-count% -t %job-name% %options%";
    #endif

I don't have the geteuid() man page, so it would be interesting to
see if the above code only does a setuid() if Xprt is started as
root.

Regarding security when Xprt is started as root and print jobs get
submitted with the clients uid, converted to a user name, converted
back to a uid (possibly different) within Xprt.  Most of the Xp() routines
are convenience routines xor protocol wrapper routines. XpStartJob()
is a little odd in that I slipped in the job-owner trickery before
XpStartJob()
generates the start job protocol.  For folks who don't know how to generate
wire protocol themselves (i.e. they depend on the Xp routines), it
essentially
takes care of setting a job-owner at a point in the sequence where it is
hard
to set a fake job-owner.  If you set job-owner prior to XpStartJob(), I
overwrite
it.  If you try to set job-owner after XpStartJob(), it fails because we
don't
allow changes to the XPJobAttr attribute pool after the start job protocol
has been issued.  If you wrote your own XpStartJob(), you could insert a
fake job-owner, but the only risk is that a print job gets printed in the
name of
the fake job-owner.  When Harry wrote the Xprt lp code, he went out of his
way to ensure that the spool command could not be populated with rogue
commands that could be executed as root or any normal user.

Quote:> Are there any known security issues with running Xprt on a per-user

basis...

No.  In fact, SUN and others were advocates of per-user Xprts, so that style
of usage probably got more consideration and testing that a global Xprt
that served many users (HP's early recommendation).

Thomas Gilg

 
 
 

1. WTO

Here is a copy of a message sent to Eric S. Raymond and others:

Subject:
        World Tactics Organization
   Date:
        Fri, 06 Oct 2000 11:37:05 -0700
   From:

     To:

     CC:


Hi Eric,

I am disturbed by an article in Techweb about a conference in Seattle
from which Linux has apparently been shut out:

http://www.techweb.com/wire/story/TWB20001005S0013

It looks to be a conference on how the largest proprietary hardware and
software vendors can lock the market for personal computers in third
world countries before Linux takes the whole bundle.  Note that many
companies which have supposedly supported Linux are participating in
this exclusionary conference.

Since I live in Seattle, I would be interested in helping to organize
our own "meeting" outside their meeting place, complete with Debian CDs
(or anyone else's who cares to participate), plenty of Linux and Penguin
paraphenalia, various questions to attendees, and a boisterous good time
in the presence of the PC vendor royalty.  This might be a good time and
place to spread our message, and publicize theirs.
--
Seduced, shaggy Samson snored.
She scissored short.  Sorely shorn,
Soon shackled slave, Samson sighed,
Silently scheming,
Sightlessly seeking
Some savage, spectacular suicide.
                -- Stanislaw Lem, "Cyberiad"

2. dhcp problem

3. Kernel Oops in net/sunrpc/xprt.c/xprt_timer

4. Help : Pbs with a disk

5. Xprt. What is it really?

6. What Tape Libraries/Autoloader are compatible with Linux?

7. spaces missing when printing arial from Netscape 7 beta via Xprt

8. C++ constructors in shared libraries

9. Xprt patches for Solaris 7...

10. Help : Xprt and CDE

11. spaces missing when printing arial from Netscape 7 beta via Xprt

12. Xprt server

13. xprt - use auxiliary-printers attached to terminals