Previous | Next | Contents | Index |
The printer channel is a secure program. However, there are some facets of its operation of which system managers should be aware.
Of paramount importance is to never configure a printer channel to print to an execution queue of some sort. Doing otherwise could cause a serious security hole under the right (wrong) circumstances. Consider the case where the channel doesn't require special printer control sequences and is configured to discard all message headers. Then, all that would be printed would be the body of a message directed to it. In that case, a message containing just commands appropriate to the execution queue could then be sent by anyone with permission to send mail to the printer channel.
Additional, operating system specific issues are discussed in the following sections.
28.6.5.1 Security Considerations on OpenVMS Systems
On OpenVMS systems, the ability to use the USERNAME addressing
attribute is disabled by default. This prevents a user from maliciously
generating print requests under any username. However, the USERNAME
addressing attribute is useful since it allows specification of the
OpenVMS username under which to print messages to a given address. That
in turn both helps in accounting for print jobs and in identifying for
which user the printer output is intended; (e.g., given a
username, the printer symbiont can display that username in trailer and
flag pages). Use the SET_USERNAME option to enable the use of the
USERNAME addressing attribute if you consider it safe for use at your
site. Note that the account under which the printer channel runs will
require CMKRNL privilege in order to submit print jobs under a username
different than its own. The channel itself does not use that privilege:
it is needed because the $SNDJBC system service checks for it.
28.6.5.2 Security Considerations on UNIX Systems
On UNIX systems, each message is printed by forking a child to execute
a print command. The system()
routine is used to
accomplish this task; the child runs as the pmdf
account.
The format of the print command is specified with the PRINT_COMMAND
channel option. Absolutely no user supplied data is put into the print
command and hence there is no possibility for the channel to execute a
user generated command. The only information substituted into the print
command is the printer name and the name of the file to print. The
printer name was specified when the channel was configured; the file
name is that of a PMDF message file and produced by the channel itself.
Moreover, that information which is substituted into the command is
filtered so that any shell metacharacters are literalized. That is, all
occurrences of the characters
" # $ & ' ( ) * ; < = > ? [ \ ] ` { | }) |
Previous | Next | Contents | Index |