NetBSD Problem Report #59493

From perseant@nbdev.hhhh.org  Sun Jun 29 19:05:51 2025
Return-Path: <perseant@nbdev.hhhh.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 806431A9239
	for <gnats-bugs@gnats.NetBSD.org>; Sun, 29 Jun 2025 19:05:51 +0000 (UTC)
Message-Id: <20250629185646.B89A435AC4E@nbdev.hhhh.org>
Date: Sun, 29 Jun 2025 11:56:46 -0700 (PDT)
From: perseant@nbdev.hhhh.org
Reply-To: perseant@nbdev.hhhh.org
To: gnats-bugs@NetBSD.org
Subject: Add insecure option to lpd
X-Send-Pr-Version: 3.95

>Number:         59493
>Category:       bin
>Synopsis:       Add insecure option to lpd
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sun Jun 29 19:10:00 +0000 2025
>Last-Modified:  Mon Jun 30 14:40:01 +0000 2025
>Originator:     Konrad Schroder <perseant@netbsd.org>
>Release:        NetBSD-current 2025-06-29
>Organization:
>Environment:
System: NetBSD nbdev.hhhh.org 10.0 NetBSD 10.0 (XEN3_DOMU) #0: Thu Mar 28 08:33:33 UTC 2024 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/xen/compile/XEN3_DOMU amd64
Architecture: x86_64
Machine: amd64
>Description:
	lpd(8) provides network access control using hosts_access(5) and
	requires reverse DNS to serve requests from the network.  In a modern
	setting, host access is generally provided via host firewall, and
	in a small network setting, anonymous clients are common.  The patch
	below provides a flag, -i, that disables the network security checks
	for cases where they do not make sense (e.g. home network, or
	a host that already uses npf(7) for access control).

	The default behavior, of course, would not be changed.
>How-To-Repeat:
	Set up a printer using lpd(8) and attempt to print from a remote host
	that does not have reverse DNS.
>Fix:
	The following patch implements the desired flag:

--------8<--------
Index: lpd/lpd.8
===================================================================
RCS file: /cvsroot/src/usr.sbin/lpr/lpd/lpd.8,v
retrieving revision 1.36
diff -u -r1.36 lpd.8
--- lpd/lpd.8	3 Jul 2017 21:35:31 -0000	1.36
+++ lpd/lpd.8	29 Jun 2025 18:45:15 -0000
@@ -95,6 +95,16 @@
 See
 .Xr setsockopt 2
 for more details.
+.It Fl i
+The
+.Fl i
+option selects 
+.Dq insecure
+mode, bypassing the address-based checks described below.  Options
+.Fl i
+and
+.Fl s
+are mutually exclusive.
 .It Fl l
 The
 .Fl l
@@ -137,7 +147,11 @@
 .Nm
 runs is subject to attack over the network and it is desired that the
 machine be protected from attempts to remotely fill spools and similar
-attacks.
+attacks.  Options
+.Fl s
+and
+.Fl i
+are mutually exclusive.
 .It Fl w
 The
 .Fl w
@@ -163,7 +177,9 @@
 port from
 .Pa /etc/services .
 .Pp
-Access control is provided by three means.
+Unless the
+.Fl i
+flag is specified, access control is provided by three means.
 First,
 .Pa /etc/hosts.allow
 and
Index: lpd/lpd.c
===================================================================
RCS file: /cvsroot/src/usr.sbin/lpr/lpd/lpd.c,v
retrieving revision 1.60
diff -u -r1.60 lpd.c
--- lpd/lpd.c	26 Apr 2023 18:25:02 -0000	1.60
+++ lpd/lpd.c	29 Jun 2025 18:45:15 -0000
@@ -117,6 +117,7 @@
 int deny_severity = LOG_AUTH|LOG_WARNING;
 #endif

+int	iflag;				/* insecure (no network checks) flag */
 int	lflag;				/* log requests flag */
 int	rflag;				/* allow of for remote printers */
 int	sflag;				/* secure (no inet) flag */
@@ -160,7 +161,7 @@
 	setprogname(*argv);

 	errs = 0;
-	while ((i = getopt(argc, argv, "b:dln:srw:W")) != -1)
+	while ((i = getopt(argc, argv, "b:diln:srw:W")) != -1)
 		switch (i) {
 		case 'b':
 			if (blist_addrs >= blist_size) {
@@ -176,6 +177,10 @@
 		case 'd':
 			options |= SO_DEBUG;
 			break;
+		case 'i':
+			sflag = 0;
+			iflag++;
+			break;
 		case 'l':
 			lflag++;
 			break;
@@ -189,6 +194,7 @@
 			rflag++;
 			break;
 		case 's':
+			iflag = 0;
 			sflag++;
 			break;
 		case 'w':
@@ -604,6 +610,12 @@
 	struct request_info req;
 #endif

+	if (iflag) {
+		strcpy(fromb, inet_ntoa(((struct sockaddr_in *)f)->sin_addr));
+		from = fromb;
+		return;
+	}
+
 	error = getnameinfo(f, f->sa_len, NULL, 0, serv, sizeof(serv),
 			    NI_NUMERICSERV);
 	if (error)
@@ -694,7 +706,7 @@
 {

 	(void)fprintf(stderr,
-	    "Usage: %s [-dlrsW] [-b bind-address] [-n maxchild] "
+	    "Usage: %s [-dilrsW] [-b bind-address] [-n maxchild] "
 	    "[-w maxwait] [port]\n", getprogname());
 	exit(1);
 }
--------8<--------

	If there are no objections I'll commit in the coming weeks.

>Audit-Trail:
From: mlelstv@serpens.de (Michael van Elst)
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/59493: Add insecure option to lpd
Date: Mon, 30 Jun 2025 06:24:25 -0000 (UTC)

 perseant@nbdev.hhhh.org writes:

 >	lpd(8) provides network access control using hosts_access(5) and
 >	requires reverse DNS to serve requests from the network.  In a modern
 >	setting, host access is generally provided via host firewall, and
 >	in a small network setting, anonymous clients are common.  The patch
 >	below provides a flag, -i, that disables the network security checks
 >	for cases where they do not make sense (e.g. home network, or
 >	a host that already uses npf(7) for access control).

 While I agree that allowing clients without DNS entry is necessary,
 I don't like this "ignore everything" setting. In particular, it
 bypasses tcp wrappers and the port check silently.

 An option to only skip the hosts.lpd check is better. Enhancing
 the check to also handle IP addresses and subnets (then you could
 enable your subnet or even 0/0) is another.

From: Robert Elz <kre@munnari.OZ.AU>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/59493: Add insecure option to lpd
Date: Mon, 30 Jun 2025 20:43:04 +0700

     Date:        Mon, 30 Jun 2025 06:30:02 +0000 (UTC)
     From:        "Michael van Elst via gnats" <gnats-admin@NetBSD.org>
     Message-ID:  <20250630063002.2B2121A9242@mollari.NetBSD.org>

   |  While I agree that allowing clients without DNS entry is necessary,

 Same here, personally I think the reverse DNS (IN-ADDR.ARPA or IP6.ARPA)
 has outlived its usefulness, and should be retired completely.   I'd simply
 remove any code from anything which is insisting upon (rather than simply
 looking for) reverse DNS being set up - no added options required.

 kre

Home	PR Database Search