Package list pnm2ppa / scrub-obsolete/main README.security
scrub-obsolete/main

Tree @scrub-obsolete/main (Download .tar.gz)

README.security @scrub-obsolete/mainraw · history · blame

These notes  are for the guidance of  distributions that include  pnm2ppa:
---------------------------------------------------------------------

Notes on secure installation of pnm2ppa.

What pnm2ppa does:

1.  It attempts to open and read  a configuration file
    "/etc/pnm2ppa.conf", and then any additional configuration
    files with paths specified by the -f command line option.

    These paths are checked to be shorter than MAXPATHLEN before
    they are used, otherwise pnm2ppa terminates.

    GNU getopt() is used to process options.

2.  It opens an input file  (-i option)  to receive pnm data.  
    The pnm format and page size is taken from the header.  

    If the header does not correspond to a valid pnm format, the rest 
    of the data is rejected, and pnm2ppa terminates.

    The input file path is checked to have a length less than
    MAXPATHLEN, as determined at compilation time.

3.  It opens an output file (-o option) to send ppa data  
    (for the printer).

    The output file path is checked to have a length less than
    MAXPATHLEN.


4.  (unless the --noGamma option is specified) it tries to read color
    correction data from "/etc/pnm2ppa.gamma", or an alternate file with
    a path  specified by the -F command line option.

    Such paths are also checked to be shorter than MAXPATHLEN before 
    they are used.

    If this data exists, but is not successfully read, pnm2ppa terminates.
    (See COLOR.txt).

5.  pnm2ppa opens and writes to the syslog with informational messages
    about its progress, or, if it terminates, with an error message.
    If it is working in --verbose mode, these messages are also sent
    to stderr.   

    No strings derived from user input to pnm2ppa are included in syslog
    messages.  Syslog messages must fit in a  string of length < 128.
    They can be suppressed with a keyword "silent 1" in the default
    system configuration file (/etc/pnm2ppa.conf), but not from
    user-specified config files (from -f option).

    All syslog actions by pnm2ppa are "wrapped":  message strings
    produces in the rest of the program are  only sent to the syslog by
    code in syslog.c.  This is also where openlog() and closelog() are 
    called.


----------------------------------------------------------------------
Recommendations:

--  do *NOT* install pnm2ppa  suid/guid, if is possible that a
    "malicious user" might run it.   The output file specified
    with the -o option could overwrite files to which the user
    has no write permission. 


--  since pnm2ppa  works as an output filter for gs, it only needs the
    same privileges that gs would need.  If lpr is available, pipe
    the pnm2ppa output though "lpr -l ..." to the appropriate printer
    rather than directly sending it to e.g. /dev/lp0 (in the latter case, 
    write privileges on /dev/lp0 would be needed.)

--------------------------------------------------------------

Other (optional) programs in the distribution:

Do NOT install these suid/gid!

calibrate_ppa.c:  
	      This is used to produce various ppmraw format PixMap images
              used with pnm2ppa for printer calibration.  Note: these
              PixMaps are LARGE (100MB!!) and should generally be piped 
              directly to pnm2ppa.

	     THIS SHOULD USUALLY BE INSTALLED.

parse_vlink.c 
	      a utility useful in debugging pnm2ppa that can interpret
              ppa format output instructions to the printer, whether
              produced by pnm2ppa, or captured from the Windows9x drivers.
              It is in the ppa_protocol subdirectory, and is not compiled
              by default.

             THIS IS NOT USUALY INSTALLED.