GETTES@pucc.Princeton.EDU (Michael R. Gettes) (02/19/89)
I am not sure if this has been discussed yet; I have been getting into postscript over the last couple of weeks and I came up against a security problem with passwords. The Apple LWs are distributed with the password set to 0. Being in a setting in which a LaserWriter (or Postscript Printer) is a shared resource within public clusters of micro computers and such... it is quite easy for anyone, just by reading the manual, to reset the password and change the communications settings as well. I can live with this under the assumption that we, the administrators/maintainers, just set an alternate password on the printers around campus. However, it has been realized that this is not possible because within the LaserWriter driver for the Macintosh there is code that assumes a password of 0 to do whatever it is it wants to do! Now, what I ask is what can be done about this? I have seen other vendors postscript programs that have commented code that talks about doing such things only if the user chooses to do so by uncommenting a block of the postscript code...why did not apple choose this method? is it absolutely necessary for the LaserWriter driver to go into server mode? Preliminary tests have shown that it would take about 42 hours for a 68000 mac to just count from 2**32-1 down to -2**31. I have not yet determined, and probably will not take the time to, how long it would take a LaserWriter to do such a task with the added overhead of checking each number with the CHECKPASSWORD function to chase down what the new password is, and this would work only if the communications parameters were not trashed as well. When it comes to security -- it appears that there is not much choice in dealing with a postscript printer. Any comments, advice, or solutions are quite welcome...especially from any Apple developers. - Michael R. Gettes, Princeton University, Other Networking