[cups.bugs] [MOD] STR #2668: Cups backend permissions (700 not 755) break diskless clients

Michael R Sweet msweet at apple.com
Mon Jan 14 12:09:34 PST 2008

Richard Neill wrote:
> Dear Michael,
> Thanks for your message. Sorry if I seem a little baffled, but that does 
> not make sense to me.
>  - Why should proxy authentication and LPD support require an *absence* 
> of permissions to work?

Mode 0700 means "run me as root", which give the backend access to the
job's auth data (Kerberos, etc.) as well as specific privileges needed
for kernel-level stuff (such as using a privileged source port...)

>  - How is it harmful for an unprivileged user to be able to read the 
> contents of the binaries? It's open-source - a potential attacker could 
> compile them himself!

That's not the point.

>  - What happens if an unprivileged use user just copies the binary file 
> /usr/lib/cups/backend/ipp from somewhere else, and then executes it, 
> while still remaining the "nobody" user ? Surely that can't be a 
> security hole either?

No, it isn't.  However, those backends will only have access to the
privileged information and capabilities when run as root, and CUPS
uses mode 0700 (or 0500) as an indicator that a particular backend
needs to run as root.  This is safer than a setuid executable (where
anyone could run the program as the owner of the file) and a simple,
backwards-compatible way to introduce greater security into CUPS
(which used to run all backends as root...)

 > ...
> P.S. I tried to add the above to your bugzilla, but it seems to be 
> missing the a link for comments on re-opening bugs.

That's on purpose - too many users abused the ability to re-open bugs,
so you can no longer post to a closed bug.

Michael R Sweet                        Senior Printing System Engineer

More information about the cups-devel mailing list