lpd is the UNIX facility for printing (Line Printer Daemon). It allows you to submit print jobs, run them through filters, manage the print queues, and so on. lpd can accept print jobs locally or over the network, and it accesses various parts of the system (printers, logging daemons, etc.), making it a potential security hole. Historically lpd has been the source of several nasty root hacks. Although these bugs seem to have been mostly ironed out, the nature of the service still leaves it open to many denial of service attacks (something as simple as submitting huge print jobs and running the printer out of paper). Fortunately, lpd is slowly being phased out with the advent of network-aware printers; however, a huge amount of printing is still done via lpd.

lpd access is controlled via /etc/hosts.equiv and /etc/hosts.lpd. You should also firewall lpd from the outside world, and if you need to send print jobs across public networks, remember that anyone can read them, so a VPN solution is a good idea. lpd runs on port 515 using tcp. The hosts.lpd file should contain a list of hosts (workstation1.yourdomain.org, etc.), one per line, that are allowed to use the lpd services on the server; you should use ipfwadm/ipchains as well:
ipfwadm -I -a accept -P tcp -S 10.0.0.0/8 -D 0.0.0.0/0 515
ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0.0.0/0 515
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 515
or
ipchains -A input -p tcp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 515
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 515
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 515
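The ipchains rules above are the guide's; what follows is an added example of my own, not from the guide, that generates that same rule set from an allow-list so the accept rules and the hosts.lpd entries come from one place. The allow-list format (one host or CIDR network per line, '#' comments) is my own assumption, as is the refusal of 0.0.0.0/0, an entry that would accept every host. The rules are printed rather than applied so they can be reviewed before being run on the server.

```shell
#!/bin/sh
# Generate ipchains rules restricting lpd (tcp/515) to an allow-list.
# Constructed example: the allow-list format (one host or CIDR network
# per line, '#' comments) is an assumption of this script, not a file
# format the guide defines. Rules are printed, not applied.

LPD_PORT=515

# Classify one entry: "net" for a dotted-quad with /prefix, "host" otherwise.
# 0.0.0.0/0 is refused because an ACCEPT for it would admit every host.
entry_kind() {
    case "$1" in
        0.0.0.0/0) echo "bad" ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) echo "net" ;;
        *) echo "host" ;;
    esac
}

# Read the allow-list from stdin, emit one ACCEPT rule per entry, then the
# catch-all DENY that mirrors the guide's last rule. Returns 1 if any entry
# was refused, so a bad list is noticed before the rules are applied.
lpd_ipchains_rules() {
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                               # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -z "$entry" ] && continue
        case "$(entry_kind "$entry")" in
            bad) echo "# refused: $entry would allow every host"; status=1 ;;
            *)   echo "ipchains -A input -p tcp -j ACCEPT -s $entry -d 0.0.0.0/0 $LPD_PORT" ;;
        esac
    done
    echo "ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 $LPD_PORT"
    return $status
}

# usage (hypothetical path): lpd_ipchains_rules < /etc/lpd-allow.list
```

Feeding the same allow-list to both this script and hosts.lpd keeps the kernel rules and lpd's own host check in step; the DENY rule is always emitted last, so a host missing from the list is dropped before it ever reaches lpd.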
An alternative to the stock lpd is LPRng (LPR Next Generation); it provides new enhancements and also supports a higher level of security. LPRng supports Kerberos and PGP-based authentication, as well as a restrictions file, /etc/lpd.perms, which allows you to control access based on user, group, authentication, IP, and so on, allowing for extremely flexible and secure configurations. LPRng has excellent documentation and is available at: http://www.astart.com/lprng/LPRng.html.
pdq is another LPD replacement; it places no real emphasis on enhanced security, but it does seem to offer some management improvements and performance gains over the stock LPD. You can get pdq from: http://feynman.tam.uiuc.edu/pdq/.
Common UNIX Printing System (CUPS) is GPL licensed, and version 1.0 just came out. CUPS is available from: http://www.cups.org/.
Written by Kurt Seifried