[cups.bugs] [HIGH] STR #4223: lpadmin to (limited) root privilege escalation

Tim Waugh twaugh at redhat.com
Thu Feb 14 06:48:41 PST 2013


DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR Closed w/Resolution]

FWIW, in Red Hat Enterprise Linux we'll be addressing this differently: all
options will still be in cupsd.conf but a new option
"ConfigurationChangeRestriction" will govern checks that are performed on
new cupsd.conf files that are received via POST.  Default value is "all",
meaning that all changes to security-sensitive options via POST will be
forbidden.  Other options are "none" (prior behaviour) and "root-only"
(only root-authenticated users may make such changes).

Link: https://www.cups.org/str.php?L4223
Version: 1.5.3
Fix Version: 1.7-current (r10752)
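
Added example, not part of the original post and not Red Hat's patch: a Python model of the check the message describes, comparing a cupsd.conf received via POST against the current one under the three "ConfigurationChangeRestriction" values. The set of directives treated as security-sensitive, the function names and the sample configurations are assumptions; the post does not list them.

```python
# Added illustration; a model of the policy in the post, not Red Hat's patch.
# Assumption: this set of "security-sensitive" directives is illustrative only.
SENSITIVE = {"accesslog", "errorlog", "pagelog", "serverroot", "documentroot",
             "configfileperm", "logfileperm", "systemgroup", "user", "group"}
RESTRICTIONS = ("all", "none", "root-only")  # values named in the post

# Constructed sample configurations (not taken from a real system).
CURRENT = """# cupsd.conf
LogLevel warn
SystemGroup sys root
ErrorLog /var/log/cups/error_log
"""
POSTED_BENIGN = CURRENT.replace("LogLevel warn", "LogLevel debug")
POSTED_SENSITIVE = CURRENT.replace("/var/log/cups/error_log", "/srv/example/other_log")


def parse_directives(text):
    """Map lower-cased directive name -> list of values, skipping comments and <Section> tags."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split(None, 1)
        found.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return found


def changed_sensitive(current, posted):
    """Names of sensitive directives whose values differ, were added, or were removed."""
    old, new = parse_directives(current), parse_directives(posted)
    return sorted(n for n in SENSITIVE if old.get(n) != new.get(n))


def post_allowed(current, posted, restriction="all", root_authenticated=False):
    """Return (allowed, changed_directives) for a cupsd.conf received via POST."""
    if restriction not in RESTRICTIONS:
        raise ValueError(f"unknown restriction: {restriction!r}")
    changed = changed_sensitive(current, posted)
    if not changed or restriction == "none":
        return True, changed
    if restriction == "root-only" and root_authenticated:
        return True, changed
    return False, changed


if __name__ == "__main__":
    for mode in RESTRICTIONS:
        print(mode, post_allowed(CURRENT, POSTED_SENSITIVE, mode))
```

Comparing parsed directives rather than raw text means a removed or re-cased sensitive directive is still reported as a change.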




