[cups.general] Possibly insecure default LogFilePerm value 0644

Helge Blischke h.blischke at acm.org
Tue Jul 12 03:42:56 PDT 2011


Johannes Meixner wrote:

> 
> Hello,
> 
> the CUPS 1.4.6 "configure --help" reads:
> -----------------------------------------------------------------------
> --with-config-file-perm set default ConfigFilePerm value, default=0640
> --with-log-file-perm    set default LogFilePerm value, default=0644
> -----------------------------------------------------------------------
> 
> I wonder whether world-readable log files might be insecure
> as the logs might contain sensitive data and in general
> the logs are probably not useful for normal users.
> 
> I see that user names and passwords are removed from device URIs
> like smb://username:password@server/share in /var/log/cups/error_log
> but arbitrary filters and backends could log arbitrary sensitive
> data nevertheless so that a default LogFilePerm value 0640
> should be better to be by default on the safe side.
> 
> On the other hand I assume there is a reason why the log files should
> be world-readable but I don't know it (my search for "LogFilePerm" on
> http://www.cups.org/newsgroups.php did not result anything).
> 
> Perhaps /var/log/cups/page_log could be world-readable so that accounting
> software run by normal users could evaluate it to show normal users their
> current accounting state but then any normal user would be allowed
> to read all the accounting information for all other users.
> 
> 
> By the way, I found two bugs in the documentation:
> 
> There is a typo in the documentation regarding LogFilePerm
> http://www.cups.org/documentation.php/doc-1.5/ref-cupsd-conf.html
> --------------------------------------------------------------------------
> The LogFilePerm directive specifies the permissions to use when writing
> configuration files.
> --------------------------------------------------------------------------
> should probably be
> --------------------------------------------------------------------------
> The LogFilePerm directive specifies the permissions to use when writing
> log files.
> --------------------------------------------------------------------------
> 
> There is missing information regarding ConfigFilePerm in
> http://www.cups.org/documentation.php/doc-1.5/ref-cupsd-conf.html
> --------------------------------------------------------------------------
> The ConfigFilePerm directive specifies the permissions to use when writing
> configuration files.
> --------------------------------------------------------------------------
> should be enhanced with something like
> --------------------------------------------------------------------------
> The ConfigFilePerm directive specifies the permissions to use when writing
> configuration files like cupsd.conf, config files uploaded via HTTP PUT
> requests, the remote.cache file, the subscriptions.conf file,
> and the job.cache file but except classes.conf and printers.conf files
> because of potential security issues.
> --------------------------------------------------------------------------
> according to
> http://www.cups.org/newsgroups.php?s1+gcups.general+v2+T0+Qfileperm
> 
> 
> Kind Regards
> Johannes Meixner

Making the error_log at least world readable makes sense in cases where
utilities outside of CUPS are used to show diagnostic or status information
for aborted jobs to the user. For instance I myself often use WARNING and
NOTICE messages in my filters to log the occurrence of arguable conditions to
the error_log.

Helge
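
The trade-off discussed in this thread can be checked on a given host. The script below is an added example, not part of the original messages or of CUPS: it reads the effective LogFilePerm from a config file and lists log files that are currently world-readable. The function names, the default config path /etc/cups/cupsd.conf and the "last occurrence wins" handling are assumptions.

```shell
#!/bin/sh
# Added example: audit CUPS log permissions. Default paths are assumptions.

# Effective LogFilePerm: last LogFilePerm line in the config file (matched
# case-insensitively; assumes the last occurrence wins), else the build
# default 0644 quoted from "configure --help" in the thread.
effective_log_perm() {
    perm=$(awk 'tolower($1) == "logfileperm" { v = $2 } END { print v }' \
        "$1" 2>/dev/null) || perm=
    echo "${perm:-0644}"
}

# Succeeds when the mode's last octal digit has no read bit for "other".
perm_denies_world_read() {
    other=${1#"${1%?}"}          # last character of the mode string
    case $other in
        [0-3]) return 0 ;;
        *)     return 1 ;;
    esac
}

# Existing log files whose mode grants read access to "other".
world_readable_logs() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Report both the configured mode and the files already on disk.
# Returns 0 when nothing is world-readable, 1 otherwise.
audit_cups_logs() {
    conf=${1:-/etc/cups/cupsd.conf}   # assumed default location
    logdir=${2:-/var/log/cups}        # directory named in the thread
    status=0
    mode=$(effective_log_perm "$conf")
    if ! perm_denies_world_read "$mode"; then
        echo "LogFilePerm $mode: log files are written world-readable"
        status=1
    fi
    files=$(world_readable_logs "$logdir")
    if [ -n "$files" ]; then
        echo "$files" | sed 's/^/world-readable: /'
        status=1
    fi
    return "$status"
}

# Run the audit only when paths are given on the command line.
[ "$#" -eq 0 ] || audit_cups_logs "$@"
```

Pass the config file and log directory as arguments; an exit status of 1 means at least one finding was printed.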




