[TAG] (forw) Re: (forw) Re: lpr works for user not root in Basiclinux 2.1
Benjamin A. Okopnik
ben at linuxgazette.net
Fri Jan 26 19:41:11 MSK 2007
On Fri, Jan 26, 2007 at 02:09:35AM -0800, Sindi Keesan wrote:
> I don't even know what a network socket is.
That's pretty much my point. The majority of those who run their
machines as root literally have _no_ idea of how exposed and vulnerable
Sockets and ports are methods by which local and remote clients can
connect to your machine. Try running 'netstat'; this will show you a
list of your currently-open sockets and ports.
> Nobody in their right mind
> would want my system. The software is 8 years out of date (the hardware
> is older than that) and the connection is dialup. Should I be worried
See my earlier point about resources. There are Russian and Polish
companies (and probably lots of others, but those seem to be at the
forefront) who will sell you their spam-distribution services and boast
of "thousands of 'captured' machines" that they use for the purpose.
It's a popular dodge for spammers these days, since it essentially
counters IP blocking.
> >Also, I'd like to point out that the Unix world was ecstatic about the
> >rise of CUPS specifically because it allowed us to finally get rid of
> >lpd / lprNG, which was hopeless spaghetti code, derived from ancient BSD
> >efforts among nameless student coders at University of California at
> >Berkeley. One of the worst of the many bad aspects of lpd / lprNG is
> >that its security profile and history were and are utterly dreadful.
> Do I need security to print on my own single-user system?
I don't know how to emphasize this enough, but given that a very large
percentage of system break-ins in the past occurred via 'lpr/lprng', the
answer is a very definite "YES".
> The people we are giving 200MHz computers to don't have networks. But
> they do need to print formatted papers for school, and webpages.
> I don't think I need CUPS.
Given the above, why are you using a print server/scheduler at all? I
ran my system with nothing more than 'magicfilter' and a script to send
it to the appropriate filter for a couple of years when I was in a
similar situation, and it worked fine.
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
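
As an added example (not part of the original message), here is a small filter over `netstat -tuln` output that lists listeners bound to non-loopback addresses and marks TCP port 515, the standard lpd port (RFC 1179). The sample input is constructed, and the function names `sample_netstat` and `exposed_listeners` are hypothetical.

```shell
#!/bin/sh
# Added example: which listening sockets are reachable from outside this machine?

# Constructed sample of `netstat -tuln` output (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

# Reads netstat output on stdin and prints "proto port address [note]" for
# every listener that is NOT bound to a loopback address.
exposed_listeners() {
    awk '
    $1 ~ /^(tcp|udp)/ {
        la = $4                                  # Local Address column
        n = split(la, parts, ":")
        port = parts[n]                          # text after the last colon
        addr = substr(la, 1, length(la) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "::1") next      # loopback only
        if ($1 ~ /^tcp/ && $NF != "LISTEN") next        # skip non-listening TCP
        # Assumption: port 515 is in its standard role as the lpd port.
        note = (port == "515") ? " lpd/LPRng printer port" : ""
        print $1, port, addr note
    }'
}

# Run on the constructed sample; on a real machine use:
#   netstat -tuln | exposed_listeners
sample_netstat | exposed_listeners
```

A listener on `0.0.0.0` accepts connections on every interface, including a dialup link while it is up; one on `127.0.0.1` or `::1` is reachable only from the machine itself.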