Xref: utzoo comp.bugs.sys5:1506 comp.bugs.4bsd:1795
Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!zaphod.mps.ohio-state.edu!mips!pacbell.com!att!cbnews!lml
From: lml@cbnews.cb.att.com (l.mark.larsen)
Newsgroups: comp.bugs.sys5,comp.bugs.4bsd
Subject: Re: Servere bug in lp(1) - also security violater
Keywords: sort bug
Message-ID: <1991Apr15.210338.19740@cbnews.cb.att.com>
Date: 15 Apr 91 21:03:38 GMT
References: <1991Apr11.031926.19901@cs.uow.edu.au> <1950@ahds.UUCP>
Sender: L. Mark Larsen
Followup-To: comp.bugs.sys5
Organization: AT&T Bell Laboratories
Lines: 39

I discovered the bug in lpsched a few years ago and even posted the information
and a source code fix to this newsgroup.  As you have observed, lpsched has a
rather nasty bug that causes files to be dequeued upon termination of the
interface script - regardless of success or failure.  For those without source
code, it is fairly trivial to code the interface script to take into account
this "feature" - which is what I did for the machines I administer.  If anyone
wants a copy of how I did it, I would be happy to send one.

For those with source, here is the diff of the original vs. the fixed versions
of lpsched.c:
608c608
<               resetstatus(1, 1);
---
>               fclose(rfile);
609a610
>                       resetstatus(0, 1);
616,617c617
<                       fclose(rfile);
<                       unlink(rname);
---
>                       resetstatus(1, 1);
705c705
<  *    if dflag != 0 then delete outputq entry and remove associated data
---
>  *    if oflag != 0 then delete outputq entry and remove associated data

Note that the entire LP package was rewritten and expanded in SVR3.2.  The
lpsched bug was fixed as a side-effect.  Three new features were added:
access to forms, easier administration of filters and a menu interface for
administration.  Lpsched is now setuid root but does setuid() before calling
the interface script.  Lp is no longer setuid/setgid, so your second problem
will also disappear.  In the meantime, as someone else suggested, you can
put a wrapper around the lp command to make sure protected files are sent
to the real lp program via stdin.  I did something similar but for a very
different reason.

regards,
L. Mark Larsen
lml@atlas.att.com