[Pkg-cups-devel] Bug#692791: members of lpadmin can read every file on server via cups
Michael Sweet
msweet at apple.com
Wed Nov 28 11:41:27 UTC 2012
Didier,
Indeed, we can add additional directory checks to the "simple" fix, or for purposes of the Debian packages just disable certain directives if they should not be configured from their defaults.
WRT setting SystemGroup, that /is/ a valid configuration change that some sites make; disabling that directive might break some sites, but at least they can tweak their policy sections to grant printer admin rights as a workaround?
Seems like maybe the simplest fix is to disable the problematic directives (just use defaults); sites that need to change from the defaults can install their own versions of the cups packages. Thoughts?
Sent from my iPad
On 2012-11-28, at 4:54 AM, Didier 'OdyX' Raboud <odyx at debian.org> wrote:
> Le mercredi, 28 novembre 2012 05.38:58, Michael Sweet a écrit :
>> After looking at this patch in detail, it doesn't actually prevent users in
>> the lpadmin group from modifying cupsd.conf and performing the specified
>> privilege escalation.
>>
>> An alternate fix for cups-1.5 and earlier that specifically addresses the
>> reported problem by requiring the log files to reside in CUPS_LOGDIR:
>
> Indeed, thanks. BUT, as far as I can test, this patch lets some potential
> attacks open, such as setting DocumentRoot to /etc (then access
> http://localhost:631/shadow …). With some imagination, you could set
> SystemGroup to "lpadmin other-group", granting cups administration rights to
> "other-group", etc.
>
> At least DocumentRoot has to be constrained to stay what the package says it
> is IMHO.
>
> Cheers,
>
> OdyX
More information about the Pkg-cups-devel
mailing list