Cups security issue - /etc/cups/cups-files.conf needed
|Reported by:||Fernando de Oliveira||Owned by:|
Members of lpadmin cat read /var/run/cups/certs/0. With this key it is possible to access the cups web interface as admin. You can edit the cups config file and set the page log to any filename you want (for example /etc/shadow). Then you can read the file contents by viewing the cups page log. By printing you can also write some random data to the given file. As it is not possible to use the cups authentication with a normal webbrowser I created a *simple shell script* to show the effect. When called as any unprivileged user which is member of lpadmin it should display the contents of /etc/shadow
... mdeslaur> Upstream patch moves dangerous configuration options to a mdeslaur> second config file which is not web-editable. Although this is mdeslaur> a good long-term solution, the changes are too intrusive for a mdeslaur> security update. The most sensible thing to do at this time is mdeslaur> to completely disable modifying the cupsd.conf file via the web mdeslaur> interface.
But slightly different solution seems to have been found in Debian. I am attaching a patch that could perhaps be used instead of the one proposed upstream and referred to by Armin in the dev list, I got it from