[cups.general] Q. Proper way to startup cupsd as a non-root user as opposed to debian hacks?

Michael Sweet mike at easysw.com
Tue Jun 6 11:15:36 PDT 2006


Klaus Singvogel wrote:
> Michael Sweet wrote:
> [...]
>> *All* of the CUPS-related advisories in the last
>> 4 years have been in the filters or support programs and not in the
>> scheduler, backend, or CUPS API code that runs as root.
> 
> *smile* In the last 4 years nothing in the scheduler?! :-)
> Very funny. Harhar. :-)

These are not problems that cause privilege escalation, which
is what I was referring to...  None of the advisories you pointed
out required running cupsd as root to exploit, and I would argue that
"RunAsUser" was a bigger security issue than any of these!

> Here are three issues from 2004 concerning the scheduler:
> 	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2154

Case sensitive comparisons for <Location> would allow users to
bypass printer-specific security limits and print something...

> 	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0923

Logging of username and password from device URI with LogLevel
set to debug2 (something we have always documented and warned
against...)

> 	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0558

DoS attack - ALL network services are subject to this, and NONE are
immune...

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com
Internet Printing and Document Software          http://www.easysw.com
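
A simplified model of the <Location> comparison issue described above for CVE-2004-2154, as an added example that is not part of the original message and is not CUPS source code. The policy table, the printer name "Payroll" and the function names are hypothetical, and the model assumes the printer itself is looked up without regard to case.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical policy table modelled on <Location> blocks; not CUPS code. */
struct location { const char *path; int auth_required; };

static const struct location policies[] = {
    { "/",                 0 },
    { "/printers",         0 },
    { "/printers/Payroll", 1 },   /* printer-specific limit */
};

/* Longest-prefix match of a request path against the policy table.
 * fold_case == 0 models the case-sensitive comparison,
 * fold_case != 0 models the corrected, case-insensitive comparison. */
static const struct location *find_location(const char *req, int fold_case)
{
    const struct location *best = NULL;
    size_t best_len = 0;

    for (size_t i = 0; i < sizeof(policies) / sizeof(policies[0]); i++) {
        size_t len = strlen(policies[i].path);
        int same = fold_case ? strncasecmp(req, policies[i].path, len) == 0
                             : strncmp(req, policies[i].path, len) == 0;
        if (!same)
            continue;
        /* Accept only on a path-segment boundary ("/printersX" is not "/printers"). */
        if (len != 1 && req[len] != '\0' && req[len] != '/')
            continue;
        if (len >= best_len) {
            best = &policies[i];
            best_len = len;
        }
    }
    return best;
}

/* Returns 1 if the request must authenticate; unmatched paths are denied by default. */
static int auth_required_for(const char *req, int fold_case)
{
    const struct location *loc = find_location(req, fold_case);
    return loc ? loc->auth_required : 1;
}

int main(void)
{
    const char *req = "/printers/payroll";   /* constructed request path */
    printf("case-sensitive:   auth_required=%d\n", auth_required_for(req, 0));
    printf("case-insensitive: auth_required=%d\n", auth_required_for(req, 1));
    return 0;
}
```

With the case-sensitive comparison the lower-case path falls through to the generic "/printers" policy, so the printer-specific limit never applies; folding case before the comparison selects the intended policy.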



