Non-admin user can make changes to config file

angelb angelb at bugarin.us
Fri Aug 11 15:25:06 PDT 2006


CUPS 1.2.2

Hello all.

I've recently found out that a regular non-admin user can actually make
changes to the configuration file and restart the server anytime
without authentication.

To check I didn't have admin rights, I tried to Stop or Reject a
printer device and it asked that I enter my ID and password. Try as
I might, it won't let me because I don't belong to the SystemGroup.

I then went to Administration, clicked on "Edit Configuration File",
entered a "#" character, and then clicked on "Save Changes". It went on
restarting the server without even asking for authentication. The
server restarted, the cupsd.conf didn't change, and I was able to
access the web interface.

Out of curiosity, again as a regular non-admin user, I decided to just
click on "Change Settings" from the Administration window and it went
ahead and restarted the server. Consistently, it updated the cupsd.conf
file, effectively disabling access to the web interface.

Can someone else verify this in their environment?

Another STR has been posted accordingly.

Thanks,
Angel
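
A check an administrator could run when triaging a report like this one, added here as an example and not part of the original post or of CUPS: it parses cupsd.conf and reports whether the `<Location>` block covering the configuration file requires authentication. The sample configuration is constructed, the segment-wise longest-prefix matching is an assumption, and a passing result does not by itself explain the behaviour reported above.

```python
import re

# Constructed sample configuration, not taken from the poster's system.
SAMPLE_CONF = """\
SystemGroup sys root
<Location />
  Order allow,deny
  Allow localhost
</Location>
<Location /admin>
  Order allow,deny
  Allow localhost
</Location>
<Location /admin/conf>
  AuthType Basic
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
</Location>
"""

def parse_locations(text):
    """Return {path: {directive_lower: [values]}} for each <Location> block."""
    locations, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+(\S+)>$", line, re.I)
        if opened:
            current = locations.setdefault(opened.group(1), {})
        elif line.lower() == "</location>":
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            value = parts[1].strip() if len(parts) > 1 else ""
            current.setdefault(parts[0].lower(), []).append(value)
    return locations

def effective_location(locations, path):
    """Longest configured prefix covering path (assumed matching rule)."""
    hits = [p for p in locations
            if path == p or path.startswith(p.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None

def audit(text, path="/admin/conf/cupsd.conf"):
    """Report which block governs path and whether it demands a login."""
    locations = parse_locations(text)
    loc = effective_location(locations, path)
    rules = locations.get(loc, {})
    auth = [v for v in rules.get("authtype", []) if v.lower() != "none"]
    return {"location": loc, "requires_auth": bool(auth and rules.get("require"))}
```
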
