[Pkg-cups-devel] Bug#692791: members of lpadmin can read every file on server via cups
Michael Sweet
msweet at apple.com
Thu Nov 29 15:12:42 UTC 2012
Marc,
On 2012-11-28, at 9:00 AM, Marc Deslauriers <marc.deslauriers at canonical.com> wrote:
> On 12-11-27 11:38 PM, Michael Sweet wrote:
>> After looking at this patch in detail, it doesn't actually prevent users in the lpadmin group from modifying cupsd.conf and performing the specified privilege escalation.
>>
>> An alternate fix for cups-1.5 and earlier that specifically addresses the reported problem by requiring the log files to reside in CUPS_LOGDIR:
>>
>
> Thanks for taking a look at it Michael. I now see what you meant by
> needing to disable HTTP PUT in cupsd.
>
> So, your alternate fix doesn't actually solve the problem as I can still
> do something like:
>
> PageLog /var/log/cups/../../../etc/shadow
Adding a check for "../" in the path will catch that, easy fix...
> Also, there are a lot of other directives that can pretty trivially
> escalate to root...for example, setting ConfigFilePerm to 04777...
Well, that would yield a world-writable cupsd.conf; I'll update things to mask out everything but read/write bits for both ConfigFilePerm and LogFilePerm.
________________________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
More information about the Pkg-cups-devel
mailing list