Bug#692791: running cupsd as root
I have a fix I am testing that is going through internal review. However, since Apple software engineering is off this week (extension of Thanksgiving holiday) I don't know if I'll have sign-off until next Monday. Will post something as soon as it is available.

On 2012-11-19, at 1:59 AM, Yves-Alexis Perez cor...@debian.org wrote:
> On Sun., 2012-11-11 at 17:53 +0100, Didier 'OdyX' Raboud wrote:
> > Hi Michael,
> >
> > On Sunday, 11 November 2012 14.57:05, Michael Sweet wrote:
> > > Lest we forget why we run cupsd as root, here are a few reasons: (…)
> >
> > Thanks for the explanation.
> >
> > > As for a proposed fix, I'm thinking we will disable the log file, RequestRoot, ServerRoot, and DocumentRoot directives in cupsd.conf, and add command line arguments in their place. That will retain configurability while eliminating this particular attack vector.
> > >
> > > Thoughts?
> >
> > I don't quite like the command-line arguments solution, as it will probably lead to more machinery on our side (variable setting in /etc/default/cups, sourcing it from /etc/init.d/cups, etc).
> >
> > What about separating the configuration settings in two configuration files, one modifiable from the web interface, and one only modifiable by root? The first would contain the non-sensitive configuration settings, the latter would contain the paths, file definitions, etc.
> >
> > I would tend to prefer to keep configuration settings in configuration files. (But of course we'll cope with the upstream choice. :-) )
>
> Any news on this?
>
> --
> Yves-Alexis Perez
> Debian Security
Bug#692791: running cupsd as root
On Sun., 2012-11-11 at 17:53 +0100, Didier 'OdyX' Raboud wrote:
> Hi Michael,
>
> On Sunday, 11 November 2012 14.57:05, Michael Sweet wrote:
> > Lest we forget why we run cupsd as root, here are a few reasons: (…)
>
> Thanks for the explanation.
>
> > As for a proposed fix, I'm thinking we will disable the log file, RequestRoot, ServerRoot, and DocumentRoot directives in cupsd.conf, and add command line arguments in their place. That will retain configurability while eliminating this particular attack vector.
> >
> > Thoughts?
>
> I don't quite like the command-line arguments solution, as it will probably lead to more machinery on our side (variable setting in /etc/default/cups, sourcing it from /etc/init.d/cups, etc).
>
> What about separating the configuration settings in two configuration files, one modifiable from the web interface, and one only modifiable by root? The first would contain the non-sensitive configuration settings, the latter would contain the paths, file definitions, etc.
>
> I would tend to prefer to keep configuration settings in configuration files. (But of course we'll cope with the upstream choice. :-) )

Any news on this?

--
Yves-Alexis Perez
Debian Security
Bug#692791: running cupsd as root
All,

Lest we forget why we run cupsd as root, here are a few reasons:

1. Authentication (both Kerberos and PAM)
2. Privileged ports for LPD
3. Access to device files for printing
4. Privilege separation from/for filters.

1 and 4 basically require running as root unless we do a hairy mess of meta services between trusted programs. We /are/ looking into this for future versions of cupsd but I can't promise anything right now.

2 remains as intractable as before, but with OS support or future elimination of protocols like LPD perhaps it will go away.

3 requires OS support, and to date we have had only limited success for things like USB.

As for a proposed fix, I'm thinking we will disable the log file, RequestRoot, ServerRoot, and DocumentRoot directives in cupsd.conf, and add command line arguments in their place. That will retain configurability while eliminating this particular attack vector.

Thoughts?
Bug#692791: running cupsd as root
Hi Michael,

On Sunday, 11 November 2012 14.57:05, Michael Sweet wrote:
> Lest we forget why we run cupsd as root, here are a few reasons: (…)

Thanks for the explanation.

> As for a proposed fix, I'm thinking we will disable the log file, RequestRoot, ServerRoot, and DocumentRoot directives in cupsd.conf, and add command line arguments in their place. That will retain configurability while eliminating this particular attack vector.
>
> Thoughts?

I don't quite like the command-line arguments solution, as it will probably lead to more machinery on our side (variable setting in /etc/default/cups, sourcing it from /etc/init.d/cups, etc).

What about separating the configuration settings in two configuration files, one modifiable from the web interface, and one only modifiable by root? The first would contain the non-sensitive configuration settings, the latter would contain the paths, file definitions, etc.

I would tend to prefer to keep configuration settings in configuration files. (But of course we'll cope with the upstream choice. :-) )

Cheers,
OdyX
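
The two-file split proposed in this thread, sketched as an added example (not code from CUPS, Debian or any participant): it partitions a cupsd.conf-style text into a web-editable part and a root-only part, and audits a web-editable file for path directives that should be refused. It assumes "the log file" directives are AccessLog, ErrorLog and PageLog and that directive names are matched case-insensitively; the function names and the sample input are constructed for illustration.

```python
# Added example: split a cupsd.conf-style text into a web-editable part and a
# root-only part holding the path directives named in the thread.
# Assumption: "the log file" directives are AccessLog, ErrorLog and PageLog.
ROOT_ONLY = {"accesslog", "errorlog", "pagelog",
             "requestroot", "serverroot", "documentroot"}


def directive_name(line):
    """Return the lower-cased keyword, or None for blank, comment or section lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or stripped.startswith("<"):
        return None
    return stripped.split(None, 1)[0].lower()


def split_config(text):
    """Partition config text into (web_editable_lines, root_only_lines)."""
    web, root = [], []
    for line in text.splitlines():
        # Comments, sections and ordinary directives stay web-editable.
        (root if directive_name(line) in ROOT_ONLY else web).append(line)
    return web, root


def audit_web_editable(text):
    """Return (line_number, directive) for each path directive to refuse."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if directive_name(line) in ROOT_ONLY:
            findings.append((number, line.split(None, 1)[0]))
    return findings


# Constructed sample input, not taken from a real system.
SAMPLE = """\
# constructed sample
LogLevel warn
ErrorLog /var/log/cups/error_log
serverroot /etc/cups
<Location />
  Order allow,deny
</Location>
DocumentRoot /usr/share/cups/doc-root
"""

if __name__ == "__main__":
    web, root = split_config(SAMPLE)
    print("root-only part:", root)
    print("web-editable part:", web)
    print("refused:", audit_web_editable("LogLevel warn\nPageLog /tmp/x"))
```

The audit is the part that matters at the trust boundary: whatever writes the web-editable file should run it on the submitted text and reject the change if it returns any finding.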