COMMAND

    /usr/bin/printtool

SYSTEMS AFFECTED

    Linux RH 6,1, 6.2Beta

PROBLEM

    Following is based  on Hackerslab bug_paper.   If we make  printer
    configuration by printtool package, it will make vulnerable config
    file.  Config file perrmission is "-rw-r--r-- root root".  If  you
    use  samba  network  printer,  password  is stored in config file.
    This was tested on:

        Tested platform : RedHat 6.1 - 6.2B
        printtool-3.41-2
        printtool-3.42-3ac
        printtool-3.43-1

        [dubhe@duat dubhe]$ ls -lsa /var/spool/lpd/lp/.config
           1 -rw-r--r--   1 root     root           96 Mar  6 13:21 /var/spool/lpd/lp/.config
        [dubhe@duat dubhe]$ cat /var/spool/lpd/lp/.config
        share='\\xxxxx\HP'
        hostip=xxx.xxx.xxx.xxx
        user='username'
        password='1111'
        workgroup='xxxxxxxx'

SOLUTION

    Well, quite simple:

        chmod o-r /var/spool/lpd/lp/.config
        chgrp lp /var/spool/lpd/lp/.config

    It's a  RedHat-specific bug,  not a  Linux bug.   Redhat != Linux.
    Printtool  package  is  also  available  for Debian GNU/Linux, but
    it isn't vulnerable.  On Debian systems  /var/spool/lpd/lp/.config
    is owned by daeomn.lp with permission 600.

    Brian Knotts fixed his /usr/bin/printtool (v. 3.41) with:

        2302a2303,2307
        > #
        > #   set the .config permissions to something sane
        > #
        >     catch {exec chown root.lp $smb_config}
        >     catch {exec chmod 600 $smb_config}
        2465a2471,2475
        > #
        > #   set the .config permissions to something sane
        > #
        >     catch {exec chown root.lp $ncp_config}
        >     catch {exec chmod 600 $ncp_config}

    Seems to work.