[Pkg-cups-devel] Bug#692791: members of lpadmin can read every file on server via cups
Didier 'OdyX' Raboud
odyx at debian.org
Wed Nov 28 09:54:41 UTC 2012
Le mercredi, 28 novembre 2012 05.38:58, Michael Sweet a écrit :
> After looking at this patch in detail, it doesn't actually prevent users in
> the lpadmin group from modifying cupsd.conf and performing the specified
> privilege escalation.
>
> An alternate fix for cups-1.5 and earlier that specifically addresses the
> reported problem by requiring the log files to reside in CUPS_LOGDIR:
Indeed, thanks. BUT, as far as I can test, this patch lets some potential
attacks open, such as setting DocumentRoot to /etc (then access
http://localhost:631/shadow …). With some imagination, you could set
SystemGroup to "lpadmin other-group", granting cups administration rights to
"other-group", etc.
At least DocumentRoot has to be constrained to stay what the package says it
is IMHO.
Cheers,
OdyX
More information about the Pkg-cups-devel
mailing list