[cups-devel] [UNKN] STR #4720: World-writable __pycache__ directories?

lilydjwg noreply at cups.org
Wed Sep 16 07:18:15 PDT 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR New]

I've found that there are two newly created __pycache__, one for Python
stdlib, one for python-dbus, that are world-writable, owned by root and
group is lp.

This should be what has happened:

1. I bought a new machine, then restored my whole system onto it, excluding
all *.pyc and *.pyo and __pycache__ files.
2. While I ran cups, it invoked some Python program, it imported some
libraries as root:lp. Since there were no compiled bytecode files, Python
wrote new ones, creating missing __pycache__ directories.

Python compiled bytecode files are executables. If an invader gets write
permissions to a __pycache__, it can place its own code there and wait for a
root process to import them.

Some program must have forgotten to set up a proper umask. This happened with
cups 2.0.2 but I've found no bug report on this. Please check if this is
still an issue.

Link: https://www.cups.org/str.php?L4720
Version: 2.0.2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJV+XonAAoJENujp6sI12IjrhgP/iy6Euln2RH6cS3wNM1JQJiF
7VzwSuZteVM7FD8HDuRf6ETWIk4g2ci8ujZGSyoIEdWX8II9rPuTbE6lix5guRM9
8BOfc7CnTq7KXMbUCbZzLpZLsyNUQtmGQH75ynfmMqfooFiuZqFI09Wkf3cDO7sK
1Thlmhrk8pJ7vA1RAfwMyBNmPe0o6utPVXRi7rjst5kw8k9vikvF6AzN/YGw1od0
H6t2AGYVfbk5T3zVMSfZDpN0bUzVpuyi1fREJExMznwBhdo8+laYjilK4u7ZIl4O
7pRE5vfcs2M2IOVfOwE5zr8f7dhjKNk4BTjOFH64VulMk+tuao2/5Et0TGd5vwxF
ZHEkV0TMjihpuIJH0HdKxxqj9eGP7uZ1JXCQOEu/YZNGHmHHr8meZiOXpZpPHQtq
UHKy8+FfeHs2zpMKyPf5NhFyPgJkBQsc9NajD/9RJOQUJ9DA5n6t7bHSpnbcWLzA
EPT/0We++tkIk/d6dAIU/Uq7ApJfcYrOvOxf09vSU7ViShhn1owll8NR2ABKstfI
xRiKhriQlOGbJXZE86xtf8/K58XV0RVy/feR6SAxWYTlC5zxjde2AU+PZRHyQ8Gd
tnRrTEM2tYyIZGoaAo+OJqCM7gJD9bX7kbCtP9Rx/Hp2F/NUaQBfJeXgTooa0cBb
wlL36hjVqOemur9hW9iz
=QtoJ
-----END PGP SIGNATURE-----
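The report above describes two things a practitioner would want to check: how the umask of the process that first compiles a module ends up as the mode of the __pycache__ directory Python creates (os.makedirs uses 0777 minus umask), and how to find and fix cache directories that are already group- or world-writable. The script below is an added example written for this page, not code from CUPS or from the reporter; the function names (find_writable_pycache, pycache_mode_under_umask, remove_write_bits) and the throw-away module "probe.py" are my own.

```python
"""Audit __pycache__ directories for group/world write bits, and show how the
umask of the process that compiles a module decides those bits."""
import os
import stat
import sys
import tempfile
import py_compile
from pathlib import Path

# Mode bits that let someone other than the owner drop a .pyc into the cache.
WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def find_writable_pycache(roots):
    """Walk each root and return [(path, mode)] for every __pycache__ directory,
    and every .pyc inside one, that is writable by group or by everyone.
    A sticky bit would not help: an attacker only needs to create the .pyc for
    a module that has not been compiled yet, not replace an existing one."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            if os.path.basename(dirpath) != "__pycache__":
                continue
            candidates = [dirpath] + [
                os.path.join(dirpath, f) for f in files if f.endswith(".pyc")
            ]
            for path in candidates:
                mode = stat.S_IMODE(os.lstat(path).st_mode)
                if mode & WRITE_BY_OTHERS:
                    findings.append((path, mode))
    return findings


def pycache_mode_under_umask(umask):
    """Compile a throw-away module (constructed here, not a real one) with the
    given umask and return (cache_dir, mode_bits) for the __pycache__ directory
    that py_compile creates via os.makedirs.  This is the same directory
    creation the import system performs when it writes bytecode."""
    tmp = Path(tempfile.mkdtemp())
    src = tmp / "probe.py"
    src.write_text("X = 1\n")
    cache_dir = tmp / "__pycache__"
    old = os.umask(umask)
    try:
        # cfile is given explicitly so PYTHONPYCACHEPREFIX cannot redirect it.
        py_compile.compile(str(src), cfile=str(cache_dir / "probe.pyc"),
                           doraise=True)
    finally:
        os.umask(old)  # always restore the caller's umask
    return cache_dir, stat.S_IMODE(cache_dir.stat().st_mode)


def remove_write_bits(findings):
    """Remediation for existing caches: strip group/other write bits."""
    for path, mode in findings:
        os.chmod(path, mode & ~WRITE_BY_OTHERS)


if __name__ == "__main__":
    for um in (0, 0o022):
        _, mode = pycache_mode_under_umask(um)
        print(f"umask {um:04o} -> __pycache__ mode {mode:04o}")
    # Audit the running interpreter's import path (skips '' and zip entries).
    for path, mode in find_writable_pycache(p for p in sys.path if p):
        print(f"{mode:04o} {path}")
```

With umask 0 the directory comes out 0777, exactly the world-writable, root-owned cache the report describes; with the usual 0022 it is 0755. The audit over sys.path lists what is already exposed, and remove_write_bits fixes those entries, but the lasting fix is for the privileged program (here, whatever CUPS spawns) to set its umask before it imports anything.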