close out pr 2771, which added a -s ("secure") flag to lpd -- makes

lpd run in a mode where the it listens only to the local unix domain socket and not to the network. Changes are similar but not identical to the supplied patches.
1996-09-21 15:57:21 +00:00 · 1996-09-21 15:57:21 +00:00 · d8e1329af8
commit d8e1329af8
parent 3fd5d3ba03
2 changed files with 23 additions and 4 deletions
--- a/usr.sbin/lpr/lpd/lpd.8
+++ b/usr.sbin/lpr/lpd/lpd.8
@ -1,4 +1,4 @@
-.\" $NetBSD: lpd.8,v 1.6 1996/06/16 22:36:59 pk Exp $
+.\" $NetBSD: lpd.8,v 1.7 1996/09/21 15:57:21 perry Exp $
 .\" Copyright (c) 1983, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
 .\"
@ -68,6 +68,17 @@ flag causes
 .Nm lpd
 to log valid requests received from the network. This can be useful
 for debugging purposes.
+.It Fl s
+The
+.Fl s
+flag selects ``secure'' mode, in which 
+.Nm lpd
+does not listen on a TCP socket but only takes commands from a UNIX
+domain socket.  This is valuable when the machine on which
+.Nm lpd 
+runs is subject to attack over the network and it is desired that the
+machine be protected from attempts to remotely fill spools and similar
+attacks.
 .It Ar "port#"
 The Internet port number used to rendezvous
 with other processes is normally obtained with
--- a/usr.sbin/lpr/lpd/lpd.c
+++ b/usr.sbin/lpr/lpd/lpd.c
@ -1,4 +1,4 @@
-/*	$NetBSD: lpd.c,v 1.7 1996/04/24 14:54:06 mrg Exp $	*/
+/*	$NetBSD: lpd.c,v 1.8 1996/09/21 15:57:22 perry Exp $	*/

 /*
 * Copyright (c) 1983, 1993, 1994
@ -98,6 +98,7 @@ static char sccsid[] = "@(#)lpd.c	8.4 (Berkeley) 4/17/94";
 #include "extern.h"

 int	lflag;				/* log requests flag */
+int	sflag;				/* secure (no inet) flag */
 int	from_remote;			/* from remote socket */

 static void       reapchild __P((int));
@ -135,6 +136,9 @@ main(argc, argv)
 			case 'l':
 				lflag++;
 				break;
+			case 's':
+				sflag++;
+				break;
 			}
 	}

@ -200,7 +204,10 @@ main(argc, argv)
 	FD_ZERO(&defreadfds);
 	FD_SET(funix, &defreadfds);
 	listen(funix, 5);
-	finet = socket(AF_INET, SOCK_STREAM, 0);
+	if (!sflag)
+		finet = socket(AF_INET, SOCK_STREAM, 0);
+	else
+		finet = -1;	/* pretend we couldn't open TCP socket. */
 	if (finet >= 0) {
 		struct servent *sp;

@ -261,7 +268,8 @@ main(argc, argv)
 			signal(SIGQUIT, SIG_IGN);
 			signal(SIGTERM, SIG_IGN);
 			(void) close(funix);
-			(void) close(finet);
+			if (!sflag)
+				(void) close(finet);
 			dup2(s, 1);
 			(void) close(s);
 			if (domain == AF_INET) {