public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Help needed on the security guide for gentoo
From: Kim Nielsen @ 2002-04-08 10:48 UTC
  To: gentoo-security, gentoo-dev

Hi,

I sent a note to the security list about me not knowing (or having one)
anything about lpd when it comes to security. Now what I'm looking for is
someone who has set up lpd and wants to send me the configuration (and notes
on the setup).

The same goes for postfix. I haven't tried it and am not the one to give
security advice on using it. But since it is the default mail server in Gentoo (or
so I'm told) I would like some comments on this as well.

Hope someone could help me out (it's all I need in order to make version
0.1 and put it in bugzilla).

best regards

Kim

The guide so far : http://gentoo.insecurity.dk





* Re: [gentoo-dev] Help needed on the security guide for gentoo
From: Einar Karttunen @ 2002-04-08 11:15 UTC
  To: gentoo-dev

On 08.04 12:48, Kim Nielsen wrote:
> I sent a note to the security list about me not knowing (or having one)
> anything about lpd when it comes to security. Now what I'm looking for is
> someone who has set up lpd and wants to send me the configuration (and notes
> on the setup)
>

You could also mention pdq since it doesn't have such security problems
(no daemon/set[ug]id) and is quite usable in small environments.

- Einar Karttunen



* Re: [gentoo-dev] Help needed on the security guide for gentoo
From: Kim Nielsen @ 2002-04-08 12:50 UTC
  To: gentoo-dev

> On 08.04 12:48, Kim Nielsen wrote:
>> I sent a note to the security list about me not knowing (or having
>> one) anything about lpd when it comes to security. Now what I'm
>> looking for is someone who has set up lpd and wants to send me the
>> configuration (and notes on the setup)
>>
>
> You could also mention pdq since it doesn't have such security problems
> (no daemon/set[ug]id) and is quite usable in small environments.
>
Thanks .. I will .. but I need an example of the configuration file and a
small guide on what it does. I do not have a printer and would like the
examples to be useful

/Kim





* Re: [gentoo-dev] Help needed on the security guide for gentoo
From: Einar Karttunen @ 2002-04-08 13:19 UTC
  To: gentoo-dev

On 08.04 14:50, Kim Nielsen wrote:
> Thanks .. I will .. but I need an example of the configuration file and a
> small guide on what it does. I do not have a printer and would like the
> examples to be useful
>

http://pdq.sourceforge.net/ contains a nice and short introduction to pdq.
The basic thing is that because there is no print queue with pdq
there is no need for root privileges or a daemon process so there
are no exploits.

- Einar Karttunen



* Re: [gentoo-dev] Help needed on the security guide for gentoo
From: Kim Nielsen @ 2002-04-09  5:57 UTC
  To: gentoo-dev

>
> http://pdq.sourceforge.net/ contains a nice and short introduction to
> pdq.  The basic thing is that because there is no print queue with pdq
> there is no need for root privileges or a daemon process so there are
> no exploits.
>
Thanks .. I'll look into it .. But I still need a working example ..

/Kim

http://gentoo.insecurity.dk





* Re: [gentoo-dev] Help needed on the security guide for gentoo
From: Einar Karttunen @ 2002-04-09  6:42 UTC
  To: gentoo-dev

On 09.04 07:57, Kim Nielsen wrote:
> >
> > http://pdq.sourceforge.net/ contains a nice and short introduction to
> > pdq.  The basic thing is that because there is no print queue with pdq
> > there is no need for root privileges or a daemon process so there are
> > no exploits.
> >
> Thanks .. I'll look into it .. But I still need a working example ..
>

http://pdq.sourceforge.net/screenshots.html
Also, I have attached my configuration files. However, the configuration
of pdq doesn't imho belong in the security manual as it has very little
to do with security. (Trying to limit access to some printer via
pdq is plain stupid if the user can telnet to it...).

- Einar Karttunen

[-- Attachment #2: printrc --]
[-- Type: text/plain, Size: 3184 bytes --]

# Redefinitions are silently ignored.  Be careful to define last the
# choices you want.  The order of processing is /etc/printrc and 
# then ~/.printrc


########################################################################
#
# Configurable options
#
#

# Directory to store jobs
#job_dir "~/.printjobs"

# Time (in seconds) for which job files will be saved.
# Jobs files will be cleaned up after new jobs finish.
#job_history_duration 259200

# Maximum number of times to try to connect to the printer.
#max_send_tries 30     

# Delay (in seconds) between attempting to resend 
#delay_between_tries 10 

# Default printer definition
#default_printer pokey

# Path that gets passed to driver scripts
driver_command_path "/bin:/usr/bin:/usr/local/bin"

# Path that gets passed to interface scripts
interface_command_path "/bin:/usr/bin:/usr/local/bin"



########################################################################
#
# Extra pieces of this config file, that define drivers and interfaces.
#
#

try_include "/etc/pdq/interfaces/*"
try_include "/etc/pdq/drivers/*/*"



########################################################################
#
# Local printer definitions - Note that xpdq will create entries 
#                             automatically.  Changes made by superuser
#                             will be made to global config files.  To add
#                             entries by hand, see man printrc(5) for
#                             examples.
#



#printer "stylusc800" {
	## Added by the wizard on Fri Apr 30 12:10:16 1999
	#location "216 Talbot Lab"
	#model "Epson Stylus Color 800"
	#driver "epson-stylus-1.0"
	#interface "bsd-lpd-1.0"
	#driver_opts ""
	#driver_args "720x720, fscmyk"
	#interface_opts ""
	#interface_args "QUEUE = raw, REMOTE_HOST = printer.foo.edu"
#}

#default_printer
#
#printer "luokka" {
#	driver "generic-postscript-1.2"
#	interface 
#
#}


printer "luokka" {
	# Added by the wizard on Mon Dec 31 17:01:25 2001
	location "4krs mikroluokka"
	model "bw postscript"
	driver "generic-postscript"
	interface "tcp-port"
	driver_opts { }
	driver_args {"COPIES" = "1"}
	interface_opts { }
	interface_args {"REMOTE_PORT" = "9100", "REMOTE_HOST" = "128.214.72.161"}
}


printer "asspaiv" {
	# Added by the wizard on Mon Dec 31 17:05:36 2001
	location "4krs assari huone"
	model "bw postscript"
	driver "generic-postscript"
	interface "tcp-port"
	driver_opts { }
	driver_args {"COPIES" = "1"}
	interface_opts { }
	interface_args {"REMOTE_PORT" = "9100", "REMOTE_HOST" = "128.214.72.117"}
}

default_printer asspaiv

printer "kanslia" {
	# Added by the wizard on Mon Dec 31 17:06:55 2001
	location "5krs postihuone"
	model "bw postscript"
	driver "generic-postscript"
	interface "tcp-port"
	driver_opts { }
	driver_args {"COPIES" = "1"}
	interface_opts { }
	interface_args {"REMOTE_PORT" = "9100", "REMOTE_HOST" = "128.214.72.146"}
}


printer "solmu" {
	# Added by the wizard on Mon Dec 31 17:07:35 2001
	location "???"
	model "???"
	driver "generic-postscript"
	interface "tcp-port"
	driver_opts { }
	driver_args {"COPIES" = "1"}
	interface_opts { }
	interface_args {"REMOTE_PORT" = "9100", "REMOTE_HOST" = "128.214.72.175"}
}
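
The remark in the message above, that pdq cannot limit access to a printer users can reach directly, applies to every `tcp-port` stanza in the attached printrc. As an added example (not part of the original thread or of pdq), this Python sketch parses the printer-stanza syntax shown in the attachment and lists the raw-socket endpoints whose access has to be controlled on the network instead; the sample config and its 192.0.2.x hosts are constructed.

```python
import re

# Constructed sample in the printrc syntax of the attachment above;
# hosts are documentation addresses (192.0.2.0/24), not real printers.
SAMPLE_PRINTRC = '''
#printer "old" {
#    interface "tcp-port"
#}
printer "lab" {
    driver "generic-postscript"
    interface "tcp-port"
    driver_args {"COPIES" = "1"}
    interface_args {"REMOTE_PORT" = "9100", "REMOTE_HOST" = "192.0.2.10"}
}
printer "office" {
    driver "generic-postscript"
    interface "bsd-lpd-1.0"
    interface_args {"QUEUE" = "raw", "REMOTE_HOST" = "192.0.2.20"}
}
'''

STANZA = re.compile(r'^printer\s+"([^"]+)"\s*\{(.*?)^\}', re.M | re.S)
SCALAR = re.compile(r'^\s*(\w+)\s+"([^"]*)"\s*$', re.M)   # key "value"
ARGS = re.compile(r'^\s*(\w+)\s+\{(.*?)\}\s*$', re.M)     # key {"K" = "V", ...}
PAIR = re.compile(r'"([^"]+)"\s*=\s*"([^"]*)"')

def parse_printers(text):
    """Return {printer_name: settings} for every uncommented printer stanza."""
    # Drop comment lines first so commented-out stanzas never match.
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    printers = {}
    for name, body in STANZA.findall(text):
        settings = dict(SCALAR.findall(body))
        for key, inner in ARGS.findall(body):
            settings[key] = dict(PAIR.findall(inner))
        printers[name] = settings
    return printers

def raw_socket_endpoints(printers):
    """List (printer, host, port) for printers reached over a raw TCP port."""
    out = []
    for name, cfg in printers.items():
        if cfg.get("interface") == "tcp-port":
            args = cfg.get("interface_args", {})
            out.append((name, args.get("REMOTE_HOST"), int(args.get("REMOTE_PORT", 0))))
    return out

if __name__ == "__main__":
    for name, host, port in raw_socket_endpoints(parse_printers(SAMPLE_PRINTRC)):
        print(f"{name}: raw socket {host}:{port} - restrict at the network layer")
```

The resulting list is the input for a firewall or VLAN review: each entry is a port that any host with a route to the printer can write to, whatever the local printrc says.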


* Re: [gentoo-dev] Help needed on the security guide for gentoo
From: Kim Nielsen @ 2002-04-09  8:33 UTC
  To: gentoo-dev

> On 09.04 07:57, Kim Nielsen wrote:
> http://pdq.sourceforge.net/screenshots.html
> Also, I have attached my configuration files. However, the configuration
> of pdq doesn't imho belong in the security manual as it has very little to
> do with security. (Trying to limit access to some printer via
> pdq is plain stupid if the user can telnet to it...).

Thanks :)

I know that configuration files should not be in the manual unless there is
something important in them .. The only place I have added a full config file
is in the logging section. That is because I believe that logging is
__very__ important ..

Best regards
Kim




