***********************************************************************
DDN Security Bulletin 9110       DCA DDN Defense Communications System
23 July 91              Published by: DDN Security Coordination Center
                                     (SCC@NIC.DDN.MIL)  (800) 235-3155

                        DEFENSE  DATA  NETWORK
                          SECURITY  BULLETIN

The DDN  SECURITY BULLETIN  is distributed  by the  DDN SCC  (Security
Coordination Center) under  DCA contract as  a means of  communicating
information on network and host security exposures, fixes, &  concerns
to security & management personnel at DDN facilities.  Back issues may
be  obtained  via  FTP  (or  Kermit)  from  NIC.DDN.MIL  [192.67.67.20]
using login="anonymous" and password="guest".  The bulletin pathname is
SCC:DDN-SECURITY-yynn (where "yy" is the year the bulletin is issued
and "nn" is a bulletin number, e.g. SCC:DDN-SECURITY-9001).
**********************************************************************

                     Patch for SunOS /usr/lib/lpd

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!     The following important  advisory was  issued by the Computer     !
!     Emergency Response Team (CERT)  and is being relayed unedited     !
!     via the Defense Communications Agency's Security Coordination     !
!     Center  distribution  system  as a  means  of  providing  DDN     !
!     subscribers with useful security information.                     !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +


CA-91:10                        CERT Advisory
                                July 15, 1991
                        Patch for SunOS /usr/lib/lpd

---------------------------------------------------------------------------

The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received information concerning the availability of a security patch 
for /usr/lib/lpd in Sun Microsystems, Inc. operating systems.  This 
problem will be fixed in SunOS 5.0.  Patches are available for SunOS 4.0.3,
SunOS 4.1, and SunOS 4.1.1 through your local Sun answer centers worldwide 
as well as through anonymous ftp to ftp.uu.net (in ~ftp/sun-dist). 
Patch ID and file information are as follows:

Fix                     Patch ID       Filename            Checksum
/usr/lib/lpd		100305-03      100305-03.tar.Z     58052   380

Please note that Sun Microsystems sometimes updates patch files.  If
you find that the checksum is different please contact Sun Microsystems
or us for verification.
---------------------------------------------------------------------------

I.   DESCRIPTION:

     A security vulnerability exists in /usr/lib/lpd in all
     existing versions of SunOS that allows an unprivileged user
     to delete any system files.
     
II.  IMPACT:

     Any user logged into the system can delete files that they do 
     not own.

III. SOLUTION:
        
     Install the new version of lpd.  You may want to alert
     users in advance that printer service will be disrupted.
     Then, before installing the patch, drain the print queues.
     This is generally done using the lpc command.  Later,
     after the patch is installed, printer queues can be
     re-enabled.
    
     As root:

     1.  Kill the currently running lpd process.  Kill -INT
         will allow the running lpd to do necessary clean-up.

         # ps -ax | grep lpd
         # kill -INT {process id of lpd found in the above command}

     2.  Move the current version aside and change the file mode
         of the old version to prevent misuse.

         # mv /usr/lib/lpd /usr/lib/lpd.OLD
         # chmod 100 /usr/lib/lpd.OLD

     3.  Install the new version of lpd

         # cp sun{3,3x,4,4c.386i}/{4.1,4.1.1}/lpd /usr/lib/lpd
         # chown root.daemon /usr/lib/lpd
         # chmod 6711 /usr/lib/lpd

     4.  Set up devices (note: new device name /dev/lpd/printer) to
         work with new lpd.  Create a link, /dev/printer, for
         compatibility purposes.

         # rm -f /dev/printer
         # mkdir /dev/lpd
         # chown root.daemon /dev/lpd
         # chmod 710 /dev/lpd
         # ln -s /dev/lpd/printer /dev/printer

     5.  Modify line printer program protections

         # chmod 6711 /usr/ucb/lpr
         # chmod 6711 /usr/ucb/lpq
         # chmod 6711 /usr/ucb/lprm
         # chmod 2711 /usr/etc/lpc

     6.  Restart lpd

         # /usr/lib/lpd

     7.  Edit /etc/rc or /etc/rc.local file and change the line that removes
         the /dev/printer file upon system startup. It should reflect
         the change in location from /dev/printer to /dev/lpd/printer.

         Original:

         if [ -f /usr/lib/lpd ]; then
                 rm -f /dev/printer /var/spool/lpd.lock

         Change to:

         if [ -f /usr/lib/lpd ]; then
                 rm -f /dev/lpd/printer /var/spool/lpd.lock
                           ^^^^
                           NEW

         The results should look like:
         if [ -f /usr/lib/lpd ]; then
                 rm -f /dev/lpd/printer /var/spool/lpd.lock
                 /usr/lib/lpd;           echo -n ' printer'
         fi


---------------------------------------------------------------------------

If you believe that your system has been compromised, contact CERT/CC via
telephone or e-mail.

Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Internet E-mail: cert@cert.sei.cmu.edu
Telephone: 412-268-7090 24-hour hotline:
           CERT/CC personnel answer 7:30a.m.-6:00p.m. EST,
           on call for emergencies during other hours.

Past advisories and other computer security related information are available
for anonymous ftp from the cert.sei.cmu.edu (192.88.209.5) system.