PMDF System Manager's Guide


Previous Next Contents Index

28.6.5 Security Considerations

The printer channel is a secure program. However, there are some facets of its operation of which system managers should be aware.

Of paramount importance is to never configure a printer channel to print to an execution queue of some sort. Doing otherwise could cause a serious security hole under the right (wrong) circumstances. Consider the case where the channel doesn't require special printer control sequences and is configured to discard all message headers. Then, all that would be printed would be the body of a message directed to it. In that case, a message containing just commands appropriate to the execution queue could then be sent by anyone with permission to send mail to the printer channel.

Additional, operating system specific issues are discussed in the following sections.

28.6.5.1 Security Considerations on OpenVMS Systems

On OpenVMS systems, the ability to use the USERNAME addressing attribute is disabled by default. This prevents a user from maliciously generating print requests under any username. However, the USERNAME addressing attribute is useful since it allows specification of the OpenVMS username under which to print messages to a given address. That in turn both helps in accounting for print jobs and in identifying for which user the printer output is intended; (e.g., given a username, the printer symbiont can display that username in trailer and flag pages). Use the SET_USERNAME option to enable the use of the USERNAME addressing attribute if you consider it safe for use at your site. Note that the account under which the printer channel runs will require CMKRNL privilege in order to submit print jobs under a username different than its own. The channel itself does not use that privilege: it is needed because the $SNDJBC system service checks for it.

28.6.5.2 Security Considerations on UNIX Systems

On UNIX systems, each message is printed by forking a child to execute a print command. The system() routine is used to accomplish this task; the child runs as the pmdf account. The format of the print command is specified with the PRINT_COMMAND channel option. Absolutely no user supplied data is put into the print command and hence there is no possibility for the channel to execute a user generated command. The only information substituted into the print command is the printer name and the name of the file to print. The printer name was specified when the channel was configured; the file name is that of a PMDF message file and produced by the channel itself. Moreover, that information which is substituted into the command is filtered so that any shell metacharacters are literalized. That is, all occurrences of the characters


" # $ & ' ( ) * ; < = > ? [ \ ] ` { | }) 
are preceded with a backslash, \. The QUOTE_CHARS channel option can be used to specify which characters, if any, require quoting.


Previous Next Contents Index