[cups.general] Q. Proper way to startup cupsd as a non-root user as opposed to debian hacks?
Michael Sweet
mike at easysw.com
Tue Jun 6 13:50:58 PDT 2006
Klaus Singvogel wrote:
> ...
> If we use this knowledge and extrapolate this to the future (what an
> impertinent idea :), then it will be better to RunAsUser, and not
> have administrator privileges (if there are other issues in
> the scheduler).
The problem with RunAsUser is that every filter issue becomes a
server issue that can bring the entire print server down. Without
RunAsUser it is simply an annoyance.
Also, the issue you are referring to was reported in 2002, thus the
CVE number. Here is a list of the reports of cupsd or CUPS API
privilege escalation bugs:
CVE-2002-1383 2002-12-19
CVE-2002-1369 2002-12-19
CVE-2002-1368 2002-12-19
CVE-2002-1367 2002-12-19
CVE-2002-1366 2002-12-19
CVE-2002-0063 2002-06-25
CVE-2001-1332 2001-03-??
CVE-2001-0194 2001-05-07
So, from 2001 through 2002, there were 8 privilege escalation bugs
found out of 43 total CUPS-related CVEs. If we break them down
by type:
Number  Type                   Last Issue Reported
------  ---------------------  -------------------
    12  Xpdf issues            2005
     9  Denial of Service      2005
     8  Escalation             2002
     4  MacOS X-specific       2005
     4  Other filter issues    2004
     3  lppasswd               2004
     1  Temp files             2001
     1  Disclosure             2004
     1  Foomatic               2004
you'll see that Xpdf has the most and all filter issues combined
(12 + 4 + 1 = 17) are a little more than twice the number of
cupsd escalation issues. Do you really want to argue that tripling
(17 + 8 = 25, or 3.125 times 8) the potential number of privilege
escalation bugs is a good thing?
Remember, root != the only privilege escalation path - CUPS manages
all printing, so if you run as an unprivileged user, everything it
manages can be destroyed by someone that doesn't have root access.
>>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0558
>> DoS attack - ALL network services are subject to this, and NONE are
>> immune...
>
> I strongly disagree. You mix two different forms of DoS and compare
> them as being the same.
>
> Whereas the first represents the fact that network services aren't
> immune to DoS if they are attacked by _many_ requests/hosts, the
> latter is vulnerable to only a _single_ packet.
which times out after 5 minutes and then the system is back...
Granted, some denial of service vulnerabilities are more serious
than others, but none of them are as critical as a privilege
escalation or complete trashing of your server.
At least we have some control over cupsd and can audit all of the
code that runs as root. The same can't be said about third-party
filters!
--
______________________________________________________________________
Michael Sweet, Easy Software Products mike at easysw dot com
Internet Printing and Document Software http://www.easysw.com