[cups.bugs] [HIGH] STR #2906: CUPS doesn't handle secure Linux passwords

Heiko Baums heiko at baums-on-web.de
Fri Aug 15 15:12:16 PDT 2008


DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR New]

CUPS, at least the web interface, doesn't handle secure Linux passwords.

Usually the CUPS authentication uses the Linux users' login passwords.
But if a user has a secure password, which is a long randomly generated
password with every possible character in it, it doesn't authenticate this
user.

If the user changes the password to a shorter password like the highly
insecure password "testpw", authentication is working again.

So a user with a secure password isn't able to administrate CUPS and
therefore every printer on a system.

CUPS has to accept every password, which is accepted by the Linux login
and which can be set by passwd.

I guess it's because CUPS' password field is far too short.

Link: http://www.cups.org/str.php?L2906
Version: 1.3.8




