Mailinglist Archive: opensuse-security (685 mails)

Re: [suse-security] limited remote print server
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Mon, 25 Feb 2002 13:30:21 +0100 (MET)
  • Message-id: <Pine.LNX.4.44.0202251327570.8045-100000@xxxxxxxxxxxx>
> Subject: Re: [suse-security] limited remote print server
>
> >Does anyone know of any docs on giving machines with certain ips the
> >ability to print remotely while blocking all others? I've never set such
> >a thing up and I'm not sure I'm asking the right question..my boss is
> >asking me about this.

Hi Ben,

good to see you!

> >
>
> check /etc/hosts.[allow|deny] to block|enable certain services for
> hosts to name.

None of the lpd packages on a SuSE are using these files (they are not
compiled with libwrap support). The next SuSE distribution will be. Patch
for lprold below.
Without this patch, you might have to use kernel packet filter rules.

Greetings,
Roman.
diff -ruN lpr-0.48.orig/lpd/Makefile lpr-0.48/lpd/Makefile
--- lpr-0.48.orig/lpd/Makefile Mon Jan 28 21:51:57 2002
+++ lpr-0.48/lpd/Makefile Mon Jan 28 21:52:22 2002
@@ -1,3 +1,4 @@
+LDLIBS = -lcommon -L ../common_source -lwrap
all: lpd

lpd: lpd.o lpdchar.o printjob.o recvjob.o
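Review bot: The LDLIBS line added as the first line of lpd/Makefile makes -lwrap an unconditional link dependency, so lpd stops building on any system that lacks the tcp_wrappers library. Consider making the -lwrap part conditional on a build variable. As a style point, the search path conventionally precedes the library it serves and is written without a space: -L../common_source -lcommon -lwrap.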
diff -ruN lpr-0.48.orig/lpd/lpd.c lpr-0.48/lpd/lpd.c
--- lpr-0.48.orig/lpd/lpd.c Thu Jan 6 21:42:48 2000
+++ lpr-0.48/lpd/lpd.c Mon Jan 28 21:52:51 2002
@@ -68,6 +68,9 @@

#include "lp.h"
#include "pathnames.h"
+#include <tcpd.h>
+int allow_severity = LOG_INFO;
+int deny_severity = LOG_WARNING;

int lflag; /* log requests flag */
int from_remote; /* from remote socket */
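Review bot: The allow_severity and deny_severity definitions added after the tcpd.h include need a short comment saying that libwrap expects the program to define them, since nothing in the visible lpd.c lines reads them and a later cleanup could take them for dead code. Both are set to a bare level (LOG_INFO, LOG_WARNING) with no facility, so messages libwrap logs with them go to whatever facility lpd's own openlog() selected; state in the comment whether that is intended. The tcpd.h include is also unconditional, which ties compilation to the same library the Makefile change links in.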
@@ -82,6 +85,7 @@
struct sockaddr_un sun, fromunix;
struct sockaddr_in sin, frominet;
int omask, lfd;
+ struct request_info wrap_req;

gethostname(host, sizeof(host));
host[MAXHOSTNAMELEN-1]='\0';
@@ -224,6 +228,22 @@
(void) close(funix);
(void) close(finet);
dup2(s, 1);
+
+ /*
+ * libwrap/tcp_wrappers:
+ * draht@xxxxxxx, Mon Jan 28 2002
+ */
+ request_init(&wrap_req, RQ_DAEMON, "lpd" , RQ_FILE, s, NULL);
+ fromhost(&wrap_req);
+ if (!hosts_access(&wrap_req)) refuse(&wrap_req);
+ /* If an entry from hosts.allow/deny prohibits
+ a connection, we are dead now. */
+ syslog(LOG_INFO, "connection from %s",
+ eval_client(&wrap_req));
+ /*
+ * end libwrap/tcp_wrappers
+ */
+
(void) close(s);
if (domain == AF_INET) {
from_remote = 1;
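Review bot: The hosts_access() check is inserted before the test "if (domain == AF_INET)", so it runs for connections accepted on the local unix-domain socket (funix) as well as for network ones. A local client has no IP address for hosts.allow/hosts.deny to match, so a restrictive rule set written for remote hosts could end up refusing local print jobs; moving the request_init()/fromhost()/hosts_access() block inside the AF_INET branch, next to "from_remote = 1;", limits it to the remote case it is meant for. The added syslog(LOG_INFO, "connection from %s", ...) call also logs every accepted connection regardless of lflag, the "log requests flag" declared near the top of the file; consider making it conditional on lflag. The comment "we are dead now" would be clearer if it said that refuse() logs the denial and does not return.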

