[Pkg-cups-devel] Bug#478280: /usr/bin/lppasswd: lppasswd is installed setuid 0
Helmut Grohne
helmut at subdivi.de
Mon Apr 28 14:40:18 UTC 2008
Package: cupsys-client
Version: 1.3.7-5
Severity: normal
File: /usr/bin/lppasswd
$ man lppasswd
...
SECURITY ISSUES
The lppasswd command is installed setuid to root. While every
attempt has been made to make it secure against exploits that
could grant super-user privileges to unprivileged users,
paranoid system administrators may wish to disable or change
the ownership of the program to an unprivileged account. (So
Debian installs lppasswd command with setuid to lp)
...
$ ls -la /usr/bin/lppasswd
-rwsr-xr-x 1 root lpadmin 11496 Apr 23 11:14 /usr/bin/lppasswd
$
Debian doesn't install lppasswd with setuid to lp. Please either fix the
manpage or the permission.
Helmut
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.23.14 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Versions of packages cupsys-client depends on:
ii adduser 3.107 add and remove users and groups
ii cupsys-common 1.3.7-5 Common UNIX Printing System(tm) -
ii libc6 2.7-10 GNU C Library: Shared libraries
ii libcupsimage2 1.3.7-5 Common UNIX Printing System(tm) -
ii libcupsys2 1.3.7-5 Common UNIX Printing System(tm) -
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
cupsys-client recommends no packages.
-- no debconf information
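
An added example, not part of the original report and not code from CUPS or Debian: a shell check for the mismatch reported above, comparing the account a setuid binary actually runs as with the account its documentation names. The function names setuid_verdict and audit_path are hypothetical, and audit_path assumes GNU stat.

```shell
#!/bin/sh
# Added example: compare the real setuid owner of a binary with the
# account its documentation claims. Function names are hypothetical.

# setuid_verdict MODE OWNER EXPECTED
#   MODE is the symbolic mode string as printed by ls -l or stat -c %A.
#   Prints one of: not-setuid | ok | mismatch:<owner>
setuid_verdict() {
    mode=$1 owner=$2 expected=$3
    # Character 4 of the mode string is the owner-execute slot:
    # 's' = setuid and executable, 'S' = setuid without execute.
    slot=$(printf '%s' "$mode" | cut -c4)
    case $slot in
        s|S) ;;
        *) echo "not-setuid"; return 0 ;;
    esac
    if [ "$owner" = "$expected" ]; then
        echo "ok"
    else
        echo "mismatch:$owner"
    fi
}

# audit_path PATH EXPECTED
#   Same check against a file on disk (assumes GNU stat for -c).
audit_path() {
    info=$(stat -c '%A %U' -- "$1") || return 1
    setuid_verdict "${info%% *}" "${info#* }" "$2"
}

# Mode and owner taken from the ls output quoted in the report;
# "lp" is the account the manpage text names.
setuid_verdict "-rwsr-xr-x" root lp    # prints mismatch:root
```

On an installed system the equivalent call is `audit_path /usr/bin/lppasswd lp`.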