Root
Michael Sweet
mike at easysw.com
Thu Jul 29 21:25:02 PDT 2004
Troels Arvin wrote:
> On Thu, 29 Jul 2004 10:01:36 -0400, Michael Sweet wrote:
>
>
>>>I want to run cupsd as a non-root user to minimize the impact if a
>>>security hole is found in Cups.
>>
>>First, RTFM.
>
>
> Oops, sorry. I must have missed that when I read the administrator manual
> some years ago.
>
>
>> 1. All filters and backends have write access to the
>> configuration files in /etc/cups, spool files in
>> /var/spool/cups, and log files in /var/log/cups,
>
>
> I don't quite get this. Is your point, that even if cups is run as a
> non-root user, then the filters/backends might still be broken if a
> potential hole is exploited?
Yes; the scope of the exploit would, of course, be limited, but
I am just pointing out that running as a non-root user doesn't
provide complete safety.
>> 2. The LPD backend is unable to reserve a privileged port,
>> which disables printing to some LPD printers and print
>> servers,
>> 3. You have to provide write access for the "lp" user and/or
>> "sys" group to all parallel, USB, serial, and SCSI devices
>> that you use. This may open additional security holes.
>
>
> I could live with that.
>
>
>> 4. The scheduler (cupsd) cannot be restarted without killing
>> the process and starting it again if you listen on a
>> privileged port like the default port 631; this means that
>> SIGHUP and remote updates of cupsd.conf will not work,
>> resulting in more down time when you make configuration
>> changes.
>
>
> OK. I sometimes use a dirty trick for situations like this: Bind the
> daemon to an unprivileged port outside the dynamically allocated port
> areas (could be port 2000 as an example) and then use iptables to forward
> traffic from the well known (privileged) port.
>
>
>>In the future, we hope to leverage the selinux stuff to provide
>>the best of both worlds: don't run as root, but still be able
>>to change to other users (perhaps "lpfilter" and "lpbackend")
>>and reserve privileged ports so that you don't lose the
>>functionality and don't open yourself up to additional exploits
>>when using "RunAsUser" or its successor.
>
>
> Sounds interesting. Until then: Have you looked into the "capability"
> system?
> http://www.linuxsecurity.com/resource_files/server_security/linux-privs/linux-privs-2.html
>
> (I believe that BIND uses those, for example.)
I haven't looked into this, mainly because I've not heard of this
interface on Linux before and it doesn't appear to be implemented
widely...
--
______________________________________________________________________
Michael Sweet, Easy Software Products mike at easysw dot com
Printing Software for UNIX http://www.easysw.com
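The port-forwarding trick and the capability alternative discussed in the thread, as an added example that is not part of the original messages or of CUPS itself: cupsd is bound to an unprivileged port (2000 is the thread's suggestion and is an assumption here, as are the user name, the cupsd path and the iptables chains used) and iptables rewrites the well-known port 631 onto it. The script checks that the chosen port is both above 1023 and outside the kernel's ephemeral range, since an outbound connection made before cupsd starts could otherwise already occupy it, and it adds the nat OUTPUT rule that the PREROUTING-only version of this trick forgets: locally generated traffic such as lp or lpstat on the same host never traverses PREROUTING. The setcap route is the file-capability interface that later kernels added for exactly the CAP_NET_BIND_SERVICE case raised in the thread; it only solves the port problem, not the filter, backend and device access the thread lists first.

```shell
#!/bin/sh
# Added example, not from the thread: run cupsd as an unprivileged user on a
# high port and let the kernel redirect the well-known IPP port to it.
# User name, port numbers and the cupsd path are assumptions.
set -eu

PUBLIC_PORT=631                       # port print clients expect
BACKEND_PORT="${BACKEND_PORT:-2000}"  # unprivileged port cupsd listens on
CUPSD_BIN="${CUPSD_BIN:-/usr/sbin/cupsd}"
DRY_RUN="${DRY_RUN:-1}"               # 1 = print commands, 0 = execute them

# Ephemeral port range the kernel uses for outbound connections.
ephemeral_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        cat /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "32768 60999"   # Linux default, used when /proc is unavailable
    fi
}

# The backend port must be above 1023 (no privilege needed to bind it)
# and outside the ephemeral range, or an outbound connection made before
# cupsd starts may already occupy it.
is_safe_backend_port() {
    port=$1
    set -- $(ephemeral_range)
    lo=$1; hi=$2
    if [ "$port" -le 1023 ]; then return 1; fi
    if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then return 1; fi
    return 0
}

# iptables rules mapping the public port onto the backend port.
redirect_rules() {
    pub=$1; back=$2
    # Packets from other hosts: rewrite the destination in nat/PREROUTING.
    echo "iptables -t nat -A PREROUTING -p tcp --dport $pub -j REDIRECT --to-ports $back"
    # Locally generated traffic (lp, lpstat on the same box) never traverses
    # PREROUTING, so it needs the same rewrite in nat/OUTPUT.
    echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $pub -j REDIRECT --to-ports $back"
    # Let the redirected connections reach the backend port.
    echo "iptables -A INPUT -p tcp --dport $back -j ACCEPT"
}

# The capability route from the thread, on kernels with file capabilities:
# the binary binds 631 itself holding only CAP_NET_BIND_SERVICE. The
# capability is tied to the file and is lost when a package update replaces
# the binary, and it does nothing about filter/backend/device access.
capability_commands() {
    echo "setcap cap_net_bind_service=+ep $1"
    echo "getcap $1"
}

# Print (or run, when DRY_RUN=0) the redirect rules after validating the port.
apply_redirect() {
    if ! is_safe_backend_port "$BACKEND_PORT"; then
        echo "refusing port $BACKEND_PORT: privileged or inside ephemeral range" >&2
        return 1
    fi
    redirect_rules "$PUBLIC_PORT" "$BACKEND_PORT" | while read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

# cupsd.conf must then listen on the backend port (Port 2000) and carry the
# RunAsUser setting the thread mentions; this script only handles the port.
if [ "${1:-}" = "redirect" ]; then apply_redirect; fi
if [ "${1:-}" = "caps" ]; then capability_commands "$CUPSD_BIN"; fi
```

Run it as `sh cups-unpriv.sh redirect` to see the rules, and with `DRY_RUN=0` as root to install them; `sh cups-unpriv.sh caps` prints the setcap alternative. Neither variant changes what a compromised filter or backend can write to under the lp user, which is the first of the four limitations listed above.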