[cups.bugs] [HIGH] STR #2906: CUPS doesn't handle secure Linux passwords
Heiko Baums
heiko at baums-on-web.de
Fri Aug 15 15:12:16 PDT 2008
DO NOT REPLY TO THIS MESSAGE. INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.
[STR New]
CUPS, at least the web interface, doesn't handle secure Linux passwords.
Usually the CUPS authentication uses the Linux users' login passwords.
But if a user has a secure password, which is a long randomly generated
password with every possible character in it, it doesn't authenticate this
user.
If the user changes the password to a shorter password like the highly
insecure password "testpw", authentication is working again.
So a user with a secure password isn't able to administrate CUPS and
therefore every printer on a system.
CUPS has to accept every password, which is accepted by the Linux login
and which can be set by passwd.
I guess it's because CUPS' password field is far too short.
Link: http://www.cups.org/str.php?L2906
Version: 1.3.8