mailing list archives
Re: Privilege escalation (lpadmin -> root) in cups
From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 11 Nov 2012 00:18:13 -0700
-----BEGIN PGP SIGNED MESSAGE-----
On 11/10/2012 05:49 AM, Yves-Alexis Perez wrote:
a Debian user reported a bug in our BTS concerning cupsd. The bug
is available at
upstream bug at http://www.cups.org/str.php?L4223 (restricted
because it's tagged security).
I'm unsure right now if it's an upstream issue or specific to
On Red Hat Enterprise 6 and Fedora 16 the file is owned by root:sys,
and the cupsd.conf defaults to:
Require user @SYSTEM
so that should be like "root", "bin" and "adm" so yeah it would appear
to be vendor specific.
Basically, members of the lpadmin group (which is the group having
admin rights to cups, meaning they're supposed to be able to
add/remove printeers etc.) have admin access to the web interface,
where they can edit the config file and set some “dangerous”
directives (like the log filenames), which enable them to read or
write files as the user running the cupsd webserver.
In Debian case at least, it's run as root, meaning we have a
privilege escalation issue from lpadmin group to root.
I think as a rule cupsd runs as root, to touch the various files/dirs/etc.
A fix would be to not run cupsd web server as root, and maybe to
restrict it to some kind of chroot so it doesn't have access to
Tricky, /dev/*, log dirs, etc. Probably better to just use a print
specific user/group and make all the standard locations owned by it,
and require the admin to setup anything like say
/non-standard/log/printers/ and so on.
Can a CVE be allocated for this?
Please use CVE-2012-5519 for this issue. Also if other vendors could
check the permissions/configs/etc. and reply if they are vulnerable
that would be good.
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----