[Pkg-cups-devel] Bug#692791: members of lpadmin can read every file on server via cups

[Didier 'OdyX' Raboud]

Le mercredi, 28 novembre 2012 12.41:27, Michael Sweet a écrit :
> Indeed, we can add additional directory checks to the "simple" fix, or for
> purposes of the Debian packages just disable certain directives if they
> should not be configured from their defaults.

Sure; sounds good.

> WRT setting SystemGroup, that /is/ a valid configuration change that some
> sites make; disabling that directive might break some sites, but at least
> they can tweak their policy sections to grant printer admin rights as a
> workaround?

I feel it's not quite OK to let root delegate rights to a group (lpadmin in 
our case) that can then extend these rights to any other group (even one they 
are not part of).

I'm not to say root shouldn't be allowed to grant SystemGroup rights to any 
group he wants through /etc/cups/cupsd.conf , but I'm really uncomfortable 
letting lpadmin users (whose primary right is the right to add printers as far 
as I understand it) do this through the webinterface.

> Seems like maybe the simplest fix is to disable the problematic directives
> (just use defaults); sites that need to change from the defaults can
> install their own versions of the cups packages. Thoughts?

DocumentRoot has to be fixed that way IMHO as the attack is immediate and I 
think it's a suitable fix for our stable releases. For SystemGroup, I think 
it's reasonably okay to leave that bug open for stable releases; the long-term 
fix (to push that to cups-files.conf) is okay in that regard.

Any idea/patch on how you'd enforce default DocumentRoot (including making 
sure the tests still run? )?

Cheers,

OdyX