Comment 4 for bug 52350

Ante Karamatić (ivoks) wrote : Re: [Bug 52350] Re: nsswitch.conf + ldap brakes cupsys printing

On Thu, 13 Jul 2006 09:15:25 -0000
Mozg <email address hidden> wrote:

> After your suggestion, I've found out that the default install, for
> some reason, did not add cupsys to the shadow group. Perhaps install
> scripts should sort that out, or did I miss something during the
> installation?

Exactly. The cups user by default isn't part of the shadow group. If you need
to read shadow, pam or ldap, you have to add it to the shadow group. It's
that or running it completely as root.

> Adding cupsys to the shadow group fixes the printing issues; however,
> it introduces a security risk to the system. We all know that cupsys
> has a long history of vulnerabilities. Adding the cupsys user to the
> shadow group could compromise the authentication information of the
> server if one of the vulnerabilities is abused and local access to
> the server is obtained. From the security perspective, this, in turn,
> makes the option of running the service as an unprivileged user
> pointless. But I guess the cupsys developers and the debian/ubuntu
> team know what they are doing.

If you add cupsys to the shadow group, cupsys will be able to authenticate
users through pam. If it isn't in the shadow group, which is the default, the cupsys
user doesn't have any privileges. OTOH, if CUPS is running under root
privileges (default by upstream), exploiting CUPS would be much worse
than exploiting Ubuntu's CUPS (the attacker would have total, root,
control over the computer). So, running as an unprivileged user isn't that
pointless, but then again it isn't bulletproof (*if* you add cupsys to
shadow).

This is how CUPS works now. The only way out of this situation (IMHO) is
rewriting CUPS in a modular design (like postfix does it), but I'm the
wrong person to do that :)

We can't even secure it more in Ubuntu since the current situation already
introduces some functionality problems.

So, OK to reject this bug as misconfigured?

--
Ante Karamatic | 0xD3BDA225 | 0x0A4A0161
<email address hidden> | <email address hidden> | ivoks.blogspot.com
"Tomorrow is my day off, so please stay off the powder!"
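As an added example (not code from the bug thread, from CUPS or from Ubuntu): a small POSIX shell audit that reports whether daemon accounts such as cupsys have been granted membership in the shadow group, the configuration debated in the comment above. It parses an /etc/group-style file (a constructed sample here) so it runs offline; the account names other than cupsys, and the sample group ids, are assumptions.

```shell
#!/bin/sh
# Audit whether service accounts are members of the "shadow" group, i.e. whether
# they can read /etc/shadow (the trade-off discussed in the bug comment above).
# Works on any /etc/group-style file so it can be run against a sample offline.

# group_members FILE GROUP -> prints the comma-separated member list of GROUP
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# user_in_group FILE USER GROUP -> exit 0 if USER is listed as a member of GROUP
user_in_group() {
    group_members "$1" "$3" | tr ',' '\n' | grep -qx "$2"
}

# audit_shadow_members FILE USER... -> one line per USER; returns 1 if any of
# them is in the shadow group, 0 if none are
audit_shadow_members() {
    file="$1"; shift
    rc=0
    for u in "$@"; do
        if user_in_group "$file" "$u" shadow; then
            echo "WARN: $u can read /etc/shadow via shadow group membership"
            rc=1
        else
            echo "ok: $u is not in the shadow group"
        fi
    done
    return $rc
}

# Constructed sample /etc/group (not taken from any real system): cupsys has been
# added to shadow, as the bug reporter did to make LDAP-backed printing work.
SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
shadow:x:42:cupsys
lp:x:7:cupsys
cupsys:x:108:
EOF

# On a live system pass /etc/group (or compare with `getent group shadow`).
audit_shadow_members "$SAMPLE_GROUP" cupsys lp www-data \
    || echo "FINDING: at least one daemon account has shadow access"
```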