On Thu, 13 Jul 2006 09:15:25 -0000
Mozg <[EMAIL PROTECTED]> wrote:

> After your suggestion, I've found out that the default install, for
> some reason did not add cupsys to the shadow group. Perhaps install
> scripts should sort that out, or did I miss something during the
> installation?

Exactly. The cups user by default isn't part of the shadow group. If you need to read shadow, pam or ldap, you have to add it to the shadow group. It's that or running it completely as root.

> Adding cupsys to the shadow group fixes the printing issues, however,
> it introduces a security risk to the system. We all know that cupsys
> has a long history of vulnerabilities. Adding cupsys user to the
> shadow group could compromise the authentication information of the
> server, if one of the vulnerabilities is abused and local access to
> the server is obtained. From the security perspective, this, in turn,
> makes the option of running the service as unprivileged user
> pointless. But I guess the cupsys developers and the Debian/Ubuntu
> team know what they are doing.

If you add cupsys to the shadow group, cupsys will be able to authenticate users through pam. If it isn't in the shadow group, which is the default, the cupsys user doesn't have any privileges. OTOH, if CUPS is running under root privileges (default by upstream), exploiting CUPS would be much worse than exploiting Ubuntu's CUPS (attacker would have total, root, control over computer). So, running as an unprivileged user isn't that pointless, but then again it isn't bulletproof (*if* you add cupsys to shadow).

This is how CUPS works now. The only way out of this situation (IMHO) is rewriting CUPS in a modular design (like postfix does it), but I'm the wrong person to do that :) We can't even secure it more in Ubuntu since the current situation already introduces some functionality problems.

So, OK to reject this bug as misconfigured?

--
Ante Karamatic | 0xD3BDA225 | 0x0A4A0161
[EMAIL PROTECTED] | [EMAIL PROTECTED] | ivoks.blogspot.com
"Tomorrow is my day off, so please stay off the powder!"

--
nsswitch.conf + ldap brakes cupsys printing
https://launchpad.net/bugs/52350

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
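
An added example, not part of the original messages: a shell audit that lists which accounts can read /etc/shadow through the shadow group, the trade-off discussed in this thread. The function names (`shadow_members`, `in_shadow`, `make_sample`) and the sample group/passwd entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). On Debian/Ubuntu /etc/shadow is
# root:shadow mode 0640, so every member of "shadow" can read password hashes.

# shadow_members GROUP_FILE PASSWD_FILE
# Prints, sorted, each account that is a supplementary member of "shadow"
# (group file) or has it as its primary group (passwd file).
shadow_members() {
    awk -F: '
        FNR == NR {                          # first file: group(5) format
            if ($1 == "shadow") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }   # second file: passwd(5)
        END { for (u in seen) print u }
    ' "$1" "$2" | sort
}

# in_shadow ACCOUNT GROUP_FILE PASSWD_FILE: exit status 0 if ACCOUNT is listed
in_shadow() {
    shadow_members "$2" "$3" | grep -qx -- "$1"
}

# make_sample DIR: write constructed group/passwd files (not real host data)
make_sample() {
    cat > "$1/group" <<'EOF'
root:x:0:
lp:x:7:cupsys
shadow:x:42:cupsys
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
cupsys:x:107:7:CUPS:/nonexistent:/bin/false
EOF
}

demo=$(mktemp -d)
make_sample "$demo"
if in_shadow cupsys "$demo/group" "$demo/passwd"; then
    echo "cupsys can read /etc/shadow via the shadow group"
fi
rm -rf "$demo"
```

Against a live system, pass `/etc/group` and `/etc/passwd` as the two arguments.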