Package: cups-daemon
Version: 2.3~b5-2
Severity: normal

Dear Maintainer,
The AppArmor profile supplied with cupsd isn't much use against local attackers, as it allows cupsd to create setuid binaries at paths it can write to (e.g. under /etc/cups). Since cupsd is run as root by default, these binaries can be setuid root.

In the following example, I replace cupsd with a shell and run it as root to test the confinement. As you can see, AppArmor stops the process writing to an unlisted path in /etc, but does allow it to write and set permissions under /etc/cups.

    # mv -i /usr/sbin/cupsd /usr/sbin/cupsd.bak
    # cp /bin/sh /usr/sbin/cupsd
    # PS1='confined# ' /usr/sbin/cupsd
    confined# cp /bin/true /etc
    cp: cannot create regular file '/etc/true': Permission denied
    confined# cp /bin/true /etc/cups
    confined# chmod 4555 /etc/cups/true
    confined# exit
    # ls -l /etc/cups/true
    -r-sr-xr-x 1 root root 35424 Nov 22 14:16 /etc/cups/true

(Creating a setuid binary at /etc/printcap also works, as does removing any existing symlink there.)

In default installations /etc is not on a nosuid mount, so provided that they have a suitable exploit, local attackers who are unconfined but non-root can use cupsd to create a setuid binary, then run the binary themselves to gain unconfined root privileges.
-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups-daemon depends on:
ii  adduser           3.118
ii  bc                1.07.1-2+b1
ii  libavahi-client3  0.7-4+b1
ii  libavahi-common3  0.7-4+b1
ii  libc6             2.27-8
ii  libcups2          2.3~b5-2
ii  libcupsmime1      2.3~b5-2
ii  libdbus-1-3       1.12.10-1
ii  libgssapi-krb5-2  1.16.1-1
ii  libpam0g          1.1.8-3.8
ii  libpaper1         1.1.24+nmu5
ii  libsystemd0       239-13
ii  lsb-base          9.20170808
ii  procps            2:3.3.15-2
ii  ssl-cert          1.0.39

Versions of packages cups-daemon recommends:
ii  avahi-daemon  0.7-4+b1
ii  colord        1.4.3-3+b1
ii  cups-browsed  1.21.3-3

Versions of packages cups-daemon suggests:
ii  cups                                       2.3~b5-2
ii  cups-bsd                                   2.3~b5-2
ii  cups-client                                2.3~b5-2
ii  cups-common                                2.3~b5-2
ii  cups-filters [foomatic-filters]            1.21.3-3
pn  cups-pdf                                   <none>
ii  cups-ppdc                                  2.2.9-2
ii  cups-server-common                         2.3~b5-2
ii  foomatic-db-compressed-ppds [foomatic-db]  20180921-1
ii  ghostscript                                9.26~dfsg-1
pn  hplip                                      <none>
ii  poppler-utils                              0.69.0-2
ii  printer-driver-gutenprint                  5.3.1-2
pn  printer-driver-hpcups                      <none>
pn  smbclient                                  <none>
ii  udev                                       239-13

-- no debconf information
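
A host-side audit for the condition this report describes, added here as an example and not part of the original bug report or the cups package: it lists setuid/setgid files under the two paths the report names and says whether the mount they sit on would honour the bit. The function names (`find_suid`, `is_nosuid`, `audit`) are hypothetical, and `is_nosuid` assumes a Linux `/proc/mounts`.

```shell
#!/bin/sh
# Added example, not code from the report: find setuid/setgid files in
# locations the report shows a confined cupsd can write to and chmod.

# Print every regular file under the given paths that has the setuid or
# setgid bit set, one per line. Paths that do not exist are skipped.
find_suid() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
    done
}

# Succeed if the filesystem holding the given path is mounted nosuid.
# The longest mount point that prefixes the path wins; for equal lengths
# the later /proc/mounts entry (the mount on top) wins.
is_nosuid() {
    target=$(readlink -f "$1") || return 2
    awk -v t="$target" '
        t == $2 || $2 == "/" || index(t, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { if (("," opts ",") ~ /,nosuid,/) exit 0; exit 1 }
    ' /proc/mounts
}

# Report each hit with a note on whether the kernel would honour the bit.
audit() {
    find_suid "$@" | while IFS= read -r f; do
        if is_nosuid "$f"; then
            note="nosuid mount: bit is ignored on exec"
        else
            note="mount honours setuid/setgid"
        fi
        printf '%s\t%s\n' "$f" "$note"
    done
}

# With no arguments, check the two paths named in the report.
[ "$#" -gt 0 ] || set -- /etc/cups /etc/printcap
audit "$@"
```

No output means no setuid or setgid regular file was found under the checked paths.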