[Pkg-cups-devel] Bug#692791: Bug#692791: members of lpadmin can read every file on server via cups

Martin Pitt mpitt at debian.org
Sat Nov 10 12:44:22 UTC 2012


Didier 'OdyX' Raboud [2012-11-10 12:48 +0100]:
> * Have cupsd run as lp user

We had done that in Debian for several years for security reasons. We
had a huge patch to make most of cups work as user "lp", but at some
point I gave up: it caused too many bugs, didn't work with a lot of
third-party drivers, and broke with every new upstream release.
Upstream has never bought into the idea of running the main server as
an unprivileged system user unfortunately.

So this is possible in principle, but will mean a huge maintenance
overhead.

> * Forbid any changes to the config file from the web interface

That would drop a huge piece of functionality.

> * Another idea?

cupsd could temporarily drop privileges to lp when reading log files;
with that you are restricted to reading world-readable files as well
as cups' own files, which should be fine?

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
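
The temporary privilege drop suggested in the message above, sketched as an added example that is not part of the original message and is not CUPS code. The function name `open_as_user` and the command-line arguments are hypothetical; the numeric ids would be those of the "lp" user and group.

```c
/* Added example (not CUPS code): open a file while temporarily running
 * with another user's effective identity. open_as_user is hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Returns an fd opened with the rights of uid/gid, or -1 with errno set.
 * Aborts if the original identity cannot be restored afterwards. */
int open_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t old_uid = geteuid();
    gid_t old_gid = getegid();
    gid_t old_groups[256];
    int ngroups = getgroups(256, old_groups);
    int privileged = (old_uid == 0);
    int fd = -1, saved_errno = 0;

    if (ngroups < 0) return -1;
    /* Order matters: supplementary groups, then gid, then uid last,
     * because seteuid() gives up the right to change groups. */
    if (privileged && setgroups(1, &gid) != 0)
        return -1;
    if (setegid(gid) == 0) {
        if (seteuid(uid) == 0) {
            fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
            saved_errno = errno;   /* kernel checked access as uid/gid */
            if (seteuid(old_uid) != 0) abort();
        } else saved_errno = errno;
        if (setegid(old_gid) != 0) abort();
    } else saved_errno = errno;
    if (privileged && setgroups((size_t)ngroups, old_groups) != 0)
        abort();                   /* never continue half-dropped */
    errno = saved_errno;
    return fd;
}

int main(int argc, char **argv)
{   /* usage: ./a.out FILE UID GID  (numeric ids) */
    if (argc != 4) return 2;
    int fd = open_as_user(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3]));
    printf("%s: %s\n", argv[1], fd >= 0 ? "readable" : "refused");
    return fd >= 0 ? 0 : 1;
}
```

Because the saved uid stays root, this limits which files the open can reach, not what compromised code in the process could do. The effective-id switch is also process-wide, so it has to be kept away from other work that runs concurrently.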