[cups.bugs] [HIGH] STR #1909: Non-admin user can change configuration files

angelb angelb at bugarin.us
Fri Aug 11 15:29:42 PDT 2006


[STR New]

I've recently found out that a regular non-admin user can actually make
changes to the configuration file and restart the server anytime
without authentication.

To check I didn't have admin rights, I tried to Stop or Reject a
printer device and it asked that I enter my id and password. Try as
I might, it won't let me because I don't belong to the SystemGroup lp.

I then went to Administration, clicked on "Edit Configuration File",
entered a "#" character, and then clicked on "Save Changes". It went on
restarting the server without even asking for authentication. The
server restarted, the cupsd.conf didn't change, and I was able to
access the web interface.

Out of curiosity, again as a regular non-admin user, I decided to just
click on "Change Settings" from the Administration window and it went
ahead and restarted the server. Consistently, it updated the cupsd.conf
file effectively disabling access to the web interface.

Link: http://www.cups.org/str.php?L1909
Version: 1.2.2
