RunAsUser removed; reassurance wanted

John A. Murdie john at cs.york.ac.uk
Tue Jul 25 03:50:52 PDT 2006


The CUPS book says on page 95 "The default configuration of CUPS runs the CUPS server as the root user ... because the server is running as root it may be possible to exploit an undiscovered bug to gain root access. CUPS provides a RunAsUser directive to run the server as an unpriviledged [sic] user ..."

I see from item 58 in Article 370 "CUPS 1.2b1" (release notes) that RunAsUser has been removed, apparently on security grounds.

I've been unable to find a statement anywhere about where that leaves CUPS systems managers re. the possibility of a root exploit. Is it planned to return RunAsUser in a secure manner one day?



