Marc, On 2012-11-28, at 9:00 AM, Marc Deslauriers <marc.deslauri...@canonical.com> wrote: > On 12-11-27 11:38 PM, Michael Sweet wrote: >> After looking at this patch in detail, it doesn't actually prevent users in >> the lpadmin group from modifying cupsd.conf and performing the specified >> privilege escalation. >> >> An alternate fix for cups-1.5 and earlier that specifically addresses the >> reported problem by requiring the log files to reside in CUPS_LOGDIR: >> > > Thanks for taking a look at it Michael. I now see what you meant by > needing to disable HTTP PUT in cupsd. > > So, your alternate fix doesn't actually solve the problem as I can still > do something like: > > PageLog /var/log/cups/../../../etc/shadow
Adding a check for "../" in the path will catch that, easy fix... > Also, there are a lot of other directives that can pretty trivially > escalate to root...for example, setting ConfigFilePerm to 04777... Well, that would yield a world-writable cupsd.conf; I'll update things to mask out everything but read/write bits for both ConfigFilePerm and LogFilePerm. ________________________________________________________________________ Michael Sweet, Senior Printing System Engineer, PWG Chair -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org