The printer channel is a secure program. However, there are some facets of its operation of which system managers should be aware.
Above all, never configure a printer channel to print to an execution queue of any sort. Doing so could open a serious security hole under the right (wrong) circumstances. Consider the case where the channel doesn't require special printer control sequences and is configured to discard all message headers. Then only the body of a message directed to the channel would be printed. In that case, anyone with permission to send mail to the printer channel could send a message containing just commands appropriate to the execution queue.
Additional, operating-system-specific issues are discussed in the following sections.
26.6.5.1 Security Considerations on OpenVMS Systems
On OpenVMS systems, the ability to use the USERNAME addressing
attribute is disabled by default. This prevents a user from maliciously
generating print requests under any username. However, the USERNAME
addressing attribute is useful since it allows specification of the
OpenVMS username under which to print messages to a given address. That
in turn helps both in accounting for print jobs and in identifying the
user for whom the printer output is intended (e.g., given a
username, the printer symbiont can display that username in trailer and
flag pages). Use the SET_USERNAME option to enable the use of the
USERNAME addressing attribute if you consider it safe for use at your
site. Note that the account under which the printer channel runs will
require CMKRNL privilege in order to submit print jobs under a username
different from its own. The channel itself does not use that privilege:
it is needed because the $SNDJBC system service checks for it.
26.6.5.2 Security Considerations on UNIX Systems
On UNIX systems, each message is printed by forking a child to execute a
print command. The system() routine is used to accomplish this task; the
child runs as the pmdf account. The format of the print command is
specified with the PRINT_COMMAND channel option. Absolutely no
user-supplied data is put into the print command and hence there is no
possibility for the channel to execute a user-generated command. The only
information substituted into the print command is the printer name and
the name of the file to print. The printer name was specified when the
channel was configured; the file name is that of a PMDF message file and
is produced by the channel itself. Moreover, the information that is
substituted into the command is filtered so that any shell metacharacters
are literalized. That is, all occurrences of the characters
" # $ & ' ( ) * ; < = > ? [ \ ] ` { | }) |
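The filtering step described for the UNIX channel, as an added example that is not PMDF's own code: each character in the list above is backslash-quoted before the printer name and file name are substituted into a command template. The backslash quoting, the function names and the %P/%F template tokens are assumptions of this example, not PMDF's PRINT_COMMAND syntax.

```c
#include <string.h>

/* Metacharacters exactly as listed in the text above. */
static const char META[] = "\"#$&'()*;<=>?[\\]`{|}";

/* Copy src to dst with a backslash before each listed character.
 * Backslash quoting is this example's assumption about "literalized".
 * Returns the escaped length, or -1 if dst cannot hold it plus the NUL. */
int literalize(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0) return -1;
    for (; *src; src++) {
        int meta = strchr(META, *src) != NULL;
        if (o + (meta ? 2u : 1u) >= dstlen) return -1;
        if (meta) dst[o++] = '\\';
        dst[o++] = *src;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Expand %P (printer) and %F (file) in tmpl. Both tokens are hypothetical,
 * not PMDF's PRINT_COMMAND syntax. Only the substituted values are escaped;
 * the administrator's template text is copied as written.
 * Returns 0 on success, or -1 if out is too small. */
int build_print_command(const char *tmpl, const char *printer,
                        const char *file, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0) return -1;
    while (*tmpl) {
        if (tmpl[0] == '%' && (tmpl[1] == 'P' || tmpl[1] == 'F')) {
            int n = literalize(tmpl[1] == 'P' ? printer : file,
                               out + o, outlen - o);
            if (n < 0) return -1;
            o += (size_t)n;
            tmpl += 2;
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = *tmpl++;
        }
    }
    out[o] = '\0';
    return 0;
}
```

The listed set contains no whitespace, so this example passes spaces through unchanged; the shell that system() invokes would still split a substituted value containing a space into separate words.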