[Pkg-cups-devel] Bug#692791: members of lpadmin can read every file on server via cups
Marc Deslauriers
marc.deslauriers at canonical.com
Wed Nov 28 14:00:54 UTC 2012
On 12-11-27 11:38 PM, Michael Sweet wrote:
> After looking at this patch in detail, it doesn't actually prevent users in the lpadmin group from modifying cupsd.conf and performing the specified privilege escalation.
>
> An alternate fix for cups-1.5 and earlier that specifically addresses the reported problem by requiring the log files to reside in CUPS_LOGDIR:
>
Thanks for taking a look at it Michael. I now see what you meant by
needing to disable HTTP PUT in cupsd.
So, your alternate fix doesn't actually solve the problem as I can still
do something like:
PageLog /var/log/cups/../../../etc/shadow
Also, there are a lot of other directives that can pretty trivially
escalate to root...for example, setting ConfigFilePerm to 04777...
I'm starting to think that migrating stable releases to the dual config
files, while pretty intrusive, is something we need to consider...
Marc.
More information about the Pkg-cups-devel
mailing list