Root

Michael Sweet mike at easysw.com
Thu Jul 29 07:01:36 PDT 2004


Troels Arvin wrote:
> Hello,
> 
> Why does cupsd run as root? - Couldn't it change to a dedicated user
> after having acquired the relevant port(s)? ntpd, named, and others do
> this.
> 
> I want to run cupsd as a non-root user to minimize the impact if a 
> security hole is found in Cups.

First, RTFM.  The "RunAsUser" option does this, however it is not
enabled by default for some very good reasons; when "RunAsUser" is
enabled:

     1. All filters and backends have write access to the
        configuration files in /etc/cups, spool files in
        /var/spool/cups, and log files in /var/log/cups,
     2. The LPD backend is unable to reserve a privileged port,
        which disables printing to some LPD printers and print
        servers,
     3. You have to provide write access for the "lp" user and/or
        "sys" group to all parallel, USB, serial, and SCSI devices
        that you use.  This may open additional security holes.
     4. The scheduler (cupsd) cannot be restarted without killing
        the process and starting it again if you listen on a
        privileged port like the default port 631; this means that
        SIGHUP and remote updates of cupsd.conf will not work,
        resulting in more down time when you make configuration
        changes.

In short, you lose functionality and have the possibility of a
vulnerable filter or backend trashing your print server
configuration.

The CUPS programs that run as root, along with the CUPS API which
they use, have been audited nearly a dozen times over the past
several years.  In addition, the last security advisory that could
provide a root exploit was reported against CUPS 1.1.14, which was
released 2.5 years ago...

The CUPS filters have received much less auditing, and so it is
more likely that an attacker could use a vulnerability in those
programs to disrupt your CUPS server when you use the "RunAsUser"
mode.

You can run cupsd in either mode, but my personal recommendation
is to not run with the "RunAsUser" mode.

In the future, we hope to leverage the selinux stuff to provide
the best of both worlds: don't run as root, but still be able
to change to other users (perhaps "lpfilter" and "lpbackend")
and reserve privileged ports so that you don't lose the
functionality and don't open yourself up to additional exploits
when using "RunAsUser" or its successor.

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com
Printing Software for UNIX                       http://www.easysw.com
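
Added example (not CUPS code and not part of the reply above): the "bind first, then drop root" pattern the question asks about, as ntpd and named do it. It listens on port 631 while still privileged, drops to an unprivileged uid/gid in the order that makes the drop permanent, proves root cannot be regained, and then tries to rebind the port, which is what a restart would need; the EACCES it gets on that second bind is the mechanism behind items 2 and 4 in the reply. Assumed for the example: Linux, the loopback address 127.0.0.1, and "nobody" (uid/gid 65534 as a fallback) as the target identity; started as an ordinary user it drops to its own ids so it still runs.

```python
import errno
import os
import pwd
import socket

CUPS_PORT = 631        # the default port named in the reply
FALLBACK_UID = 65534   # assumption: "nobody" on most Linux systems
FALLBACK_GID = 65534


def unprivileged_identity():
    """uid/gid to drop to: "nobody" when started as root, otherwise our own
    (already unprivileged) ids so the example also runs as a normal user."""
    if os.geteuid() != 0:
        return os.getuid(), os.getgid()
    try:
        pw = pwd.getpwnam("nobody")
        return pw.pw_uid, pw.pw_gid
    except KeyError:
        return FALLBACK_UID, FALLBACK_GID


def try_bind(port):
    """Try to listen on 127.0.0.1:port. Returns (socket, 0) on success or
    (None, errno) on failure; EACCES is the kernel refusing a port below
    1024 to a process without root / CAP_NET_BIND_SERVICE."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    except OSError as e:
        return None, e.errno
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        s.bind(("127.0.0.1", port))
        s.listen(5)
    except OSError as e:
        s.close()
        return None, e.errno
    return s, 0


def drop_privileges(uid, gid):
    """Become uid/gid for good. Order matters: supplementary groups first
    (only root may call setgroups), then gid, then uid; after setuid() the
    group calls would already be refused. Returns True when root cannot be
    regained afterwards."""
    if os.geteuid() == 0:
        os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    if (os.getuid(), os.geteuid(), os.getgid()) != (uid, uid, gid):
        raise RuntimeError("id change did not take effect")
    if uid == 0:
        return False              # asked to stay root: nothing was dropped
    try:
        os.setuid(0)
    except PermissionError:
        return True               # saved uid is gone too: the drop is permanent
    raise RuntimeError("regained root after drop: drop was not permanent")


def demo_drop(port=CUPS_PORT):
    """Bind while privileged, drop, then try to rebind (what a restart would
    need). Returns a report dict rather than printing so callers can check it."""
    report = {"root_before": os.geteuid() == 0}
    sock, err = try_bind(port)
    report["bind_before"] = err
    if sock is not None:
        sock.close()              # release it so the rebind tests privilege, not EADDRINUSE
    uid, gid = unprivileged_identity()
    report["permanent"] = drop_privileges(uid, gid)
    report["root_after"] = os.geteuid() == 0
    sock, err = try_bind(port)
    report["bind_after"] = err
    if sock is not None:
        sock.close()
    return report


def errname(e):
    """Human-readable errno for the printed summary."""
    return "ok" if e == 0 else errno.errorcode.get(e, str(e))


if __name__ == "__main__":
    r = demo_drop()
    print(f"root before drop: {r['root_before']}, bind {CUPS_PORT}: {errname(r['bind_before'])}")
    print(f"root after drop:  {r['root_after']}, rebind {CUPS_PORT}: {errname(r['bind_after'])}")
    print("drop permanent:", r["permanent"])
```

Run it once as root and once as a normal user to see both outcomes. A daemon built this way has to open everything it needs root for (the listening port, log files, device nodes) before the drop, which is the same trade-off the list above describes for cupsd.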



