On 12-11-27 11:38 PM, Michael Sweet wrote:
> After looking at this patch in detail, it doesn't actually prevent users in
> the lpadmin group from modifying cupsd.conf and performing the specified
> privilege escalation.
>
> An alternate fix for cups-1.5 and earlier that specifically addresses the
> reported problem by requiring the log files to reside in CUPS_LOGDIR:
>
Thanks for taking a look at it Michael. I now see what you meant by needing to
disable HTTP PUT in cupsd.

So, your alternate fix doesn't actually solve the problem as I can still do
something like:

    PageLog /var/log/cups/../../../etc/shadow

Also, there are a lot of other directives that can pretty trivially escalate to
root...for example, setting ConfigFilePerm to 04777...

I'm starting to think that migrating stable releases to the dual config files,
while pretty intrusive, is something we need to consider...

Marc.
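The reason the CUPS_LOGDIR restriction above can be bypassed is that a plain prefix comparison never resolves the ".." components. The following C is an added illustration, not CUPS code: a naive prefix check beside one that lexically normalizes the path first. The function names (naive_in_logdir, normalize_path, safe_in_logdir) are hypothetical; symlinks are deliberately out of scope here and would still need realpath(3).

```c
/* Added example (not CUPS code): naive "must reside in CUPS_LOGDIR" check
 * versus one that resolves ".." components before comparing. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Naive check: accepts any path that merely starts with the log directory,
 * so "/var/log/cups/../../../etc/shadow" is (wrongly) accepted. */
bool naive_in_logdir(const char *path, const char *logdir)
{
    size_t n = strlen(logdir);
    return strncmp(path, logdir, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Lexically normalize an absolute path: drop "." and empty components and
 * resolve ".." against the components already collected (".." at the root
 * stays at the root). Returns false if the input is not absolute or the
 * result does not fit. Symlinks are NOT resolved; pair with realpath(3). */
bool normalize_path(const char *in, char *out, size_t outlen)
{
    if (in[0] != '/') return false;
    size_t len = 0;                       /* bytes written to out; 0 == "/" */
    const char *p = in;
    while (*p) {
        while (*p == '/') p++;            /* skip one or more separators */
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t clen = (size_t)(p - start);
        if (clen == 0 || (clen == 1 && start[0] == '.')) continue;
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            while (len > 0 && out[len - 1] != '/') len--;   /* drop last name */
            if (len > 0) len--;                             /* and its '/' */
            continue;
        }
        if (len + 1 + clen + 1 > outlen) return false;
        out[len++] = '/';
        memcpy(out + len, start, clen);
        len += clen;
    }
    if (len == 0) { if (outlen < 2) return false; out[len++] = '/'; }
    out[len] = '\0';
    return true;
}

/* Hardened check: normalize first, then apply the directory comparison. */
bool safe_in_logdir(const char *path, const char *logdir)
{
    char norm[1024];
    return normalize_path(path, norm, sizeof norm) && naive_in_logdir(norm, logdir);
}
```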