[Pkg-cups-devel] Bug#692791: members of lpadmin can read every file on server via cups

Marc Deslauriers marc.deslauriers at canonical.com
Thu Nov 29 15:19:04 UTC 2012


Michael,

On 12-11-29 10:12 AM, Michael Sweet wrote:
>> So, your alternate fix doesn't actually solve the problem as I can still
>> do something like:
>>
>> PageLog /var/log/cups/../../../etc/shadow
> 
> Adding a check for "../" in the path will catch that, easy fix...
> 
>> Also, there are a lot of other directives that can pretty trivially
>> escalate to root...for example, setting ConfigFilePerm to 04777...
> 
> Well, that would yield a world-writable cupsd.conf; I'll update things to mask out everything but read/write bits for both ConfigFilePerm and LogFilePerm.

We'll most likely be using your approach of splitting the config files
out in our stable releases, so I don't think it's worth investing time
in trying to find an alternative fix.

Thanks!

Marc.
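As an added illustration of the two mitigations discussed in the reply above (not code from the CUPS project or from either poster), the helpers below validate the kind of directives mentioned in the thread. The path check resolves the configured value to its canonical form and requires it to sit under the allowed log directory, which covers the `../` case as well as absolute paths and symlinks; the permission check keeps only read/write bits, so a value such as `04777` loses its setuid and execute bits. The base directory `/var/log/cups` and the directive names handled are assumptions for the example; the sample config lines are constructed.

```python
"""
Added example: validation of privileged-daemon config directives.
Not from the CUPS project or from this thread.
"""
import os
import stat

# Assumed base directory under which log-file directives must stay.
ALLOWED_LOG_DIR = "/var/log/cups"

# Read/write bits for owner, group and other (0o666): everything else
# (setuid, setgid, sticky, execute) is dropped by mask_file_perm().
_RW_BITS = (stat.S_IRUSR | stat.S_IWUSR
            | stat.S_IRGRP | stat.S_IWGRP
            | stat.S_IROTH | stat.S_IWOTH)

# Directive names handled here are assumptions for the example.
_LOG_DIRECTIVES = {"PageLog", "AccessLog", "ErrorLog"}
_PERM_DIRECTIVES = {"ConfigFilePerm", "LogFilePerm"}


def validate_log_path(configured: str, base_dir: str = ALLOWED_LOG_DIR) -> bool:
    """True if the canonical form of `configured` lies inside `base_dir`.

    os.path.join() discards base_dir when `configured` is absolute, so an
    absolute path pointing elsewhere fails the containment test just as a
    relative path with '../' components does; realpath() also resolves
    symlinks before the comparison.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, configured))
    return candidate == base or candidate.startswith(base + os.sep)


def mask_file_perm(mode: int) -> int:
    """Keep only the read/write bits of a permission value."""
    return mode & _RW_BITS


def check_directive(line: str):
    """Validate one 'Name value' config line.

    Returns (accepted, value): for log directives `value` is the original
    path; for permission directives it is the masked mode as an octal
    string; for anything else the value is passed through unchanged.
    """
    parts = line.split(None, 1)
    if len(parts) != 2:
        return (False, "malformed directive")
    name, value = parts[0], parts[1].strip()
    if name in _LOG_DIRECTIVES:
        return (validate_log_path(value), value)
    if name in _PERM_DIRECTIVES:
        try:
            mode = int(value, 8)
        except ValueError:
            return (False, "not an octal mode")
        return (True, "0%o" % mask_file_perm(mode))
    return (True, value)


if __name__ == "__main__":
    # Constructed sample lines: the two cases raised in the thread plus a
    # benign one for comparison.
    for sample in ("PageLog /var/log/cups/../../../etc/shadow",
                   "ConfigFilePerm 04777",
                   "PageLog /var/log/cups/page_log"):
        print(sample, "->", check_directive(sample))
```

Running the script prints one line per sample; the traversal path is rejected, the `04777` mode is normalized to `0666`, and the ordinary log path is accepted. A containment check on the resolved path is preferable to a substring test because it also rejects absolute paths outside the log directory and symlinked escapes.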


