[Bug 752454] New: AUDIT: need cups & cups-pk-helper audit to allow change in cups-pk-helper policies
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c0

Summary: AUDIT: need cups & cups-pk-helper audit to allow change in cups-pk-helper policies
Classification: openSUSE
Product: openSUSE 12.2
Version: Factory
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Printing
AssignedTo: jsmeix@suse.com
ReportedBy: vuntz@suse.com
QAContact: jsmeix@suse.com
CC: lnussel@suse.com, aj@suse.com
Blocks: 749451
Found By: ---
Blocker: ---

To allow changing the cups-pk-helper policies, we need a new audit. Currently, all policies are auth_admin_keep. We'd like to relax some of those. Fixing this will result in fixing bug 749451.

The result will likely affect the decisions taken upstream, see https://bugs.freedesktop.org/show_bug.cgi?id=46943

==================================================
1. org.opensuse.cupspkhelper.mechanism.devices-get
==================================================

This gets a list of available devices; internally, this uses cupsGetDevices().

=> We'd like to change this policy to "yes".

Here's some preliminary analysis I did:

===
I don't know cups code in detail, but a quick look tells me that this runs /usr/lib/cups/daemon/cups-deviced. This small utility will then run all binaries in /usr/lib/cups/backend/ with no argument and analyze their output.

On my system, I have those ones in /usr/lib/cups/backend/:

-rwxr-xr-x 1 root root  7250 16 févr. 15:18 beh
-rwxr-xr-x 1 root root 18088  3 mars  16:19 hp
lrwxrwxrwx 1 root root     3  8 mars  18:21 http -> ipp
lrwxrwxrwx 1 root root     3  8 mars  18:21 https -> ipp
-rwx------ 1 root root 59456  3 mars  15:48 ipp
lrwxrwxrwx 1 root root     3  8 mars  18:21 ipps -> ipp
-rwx------ 1 root root 38780  3 mars  15:48 lpd
-r-xr-xr-x 1 root root 30540  3 mars  15:48 parallel
-r-xr-xr-x 1 root root 30532  3 mars  15:48 serial
lrwxrwxrwx 1 root root    17 12 mars  15:18 smb -> /usr/bin/smbspool
-r-xr-xr-x 1 root root 22292  3 mars  15:48 snmp
-r-xr-xr-x 1 root root 30528  3 mars  15:48 socket
-r-xr-xr-x 1 root root 30532  3 mars  15:48 usb

I haven't read the code of all of those, but:
- http/https/ipp/ipps: doesn't do anything with no argument (just printf)
- lpd: same, just printf
- parallel: calls a list_devices() function, that opens files in /dev (/dev/parallel/{0,1,2,3}, /dev/printers/{0,1,2,3}, /dev/lp{0,1,2,3}) to get some information about the device ID
- serial: calls a list_devices() function, that opens files in /dev (/dev/ttyS*, /dev/ttyUSB*, /dev/ttyQ*e* -- it's not really "*", see the code), just to see if the open() works
- socket: doesn't do anything with no argument (just printf)

The snmp binary seems to do something based on a configuration file; for the usb binary, I'm unsure which source file is being used...
===

==========================================================
2. org.opensuse.cupspkhelper.mechanism.printer-set-default
==========================================================

This just changes the default printer. This can easily be reverted.

=> We'd like to change this policy to "yes".

=====================================================
3. org.opensuse.cupspkhelper.mechanism.printer-enable
=====================================================

This enables/disables a printer. This can easily be reverted.

=> We'd like to change this policy to "yes".

==========================================================
4. All of:
   org.opensuse.cupspkhelper.mechanism.printer-local-edit
   org.opensuse.cupspkhelper.mechanism.printer-remote-edit
   org.opensuse.cupspkhelper.mechanism.class-edit
==========================================================

Those can involve uploading a PPD file to CUPS, so we need to have some authentication to prevent this happening without the user being aware of the change. However, I don't think it's useful to assume the user will be malicious, so authentication from the user is enough, I'd say. I'd like to move this to auth_self_keep, but Ludwig points out that we don't want to use such a policy.

If the PPD file is the only use that causes the use of auth_admin_keep, then we could add some polkit actions, so that auth_admin_keep is used when a PPD file is involved, and yes is used in other cases. To know what can be done, Ludwig mentioned the code needs to be audited.

=> Find during the audit what we can do to improve things here.

===============================================
5. org.opensuse.cupspkhelper.mechanism.all-edit
===============================================

This is a "meta" action. So it needs to be set to the most restrictive value between devices-get, printer-set-default, printer-enable, printer-local-edit, printer-remote-edit, class-edit and job-edit.

=> We'd like to change this policy to whatever we decide in 4.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=752454#c1

Vincent Untz <vuntz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.freedesktop.org/show_bug.cgi?id=46943

--- Comment #1 from Vincent Untz <vuntz@suse.com> 2012-03-15 13:59:18 UTC ---
For reference: an audit of the cups-pk-helper code itself was done in bug 447444.
https://bugzilla.novell.com/show_bug.cgi?id=752454#c

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|AUDIT: need cups &          |AUDIT-0: need cups &
                   |cups-pk-helper audit to     |cups-pk-helper audit to
                   |allow change in             |allow change in
                   |cups-pk-helper policies     |cups-pk-helper policies
https://bugzilla.novell.com/show_bug.cgi?id=752454#c

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jsmeix@suse.com
          Component|Printing                    |Security
         AssignedTo|jsmeix@suse.com             |security-team@suse.de
          QAContact|jsmeix@suse.com             |qa-bugs@suse.de1
https://bugzilla.novell.com/show_bug.cgi?id=752454#c2

--- Comment #2 from Ludwig Nussel <lnussel@suse.com> 2012-03-15 15:05:57 CET ---
(In reply to comment #0)
> ==========================================================
> 2. org.opensuse.cupspkhelper.mechanism.printer-set-default
> ==========================================================
>
> This just changes the default printer. This can easily be reverted.
>
> => We'd like to change this policy to "yes".

Note that this is something the user needs to decide: whether it should be system wide or just a personal preference (~/.cups/lpoptions). The latter naturally doesn't require any auth of course.
https://bugzilla.novell.com/show_bug.cgi?id=752454#c3

--- Comment #3 from Johannes Meixner <jsmeix@suse.com> 2012-03-15 15:26:08 UTC ---
Only FYI in particular for external readers:

The main security issue with item 4. (provide a PPD file to set up a print queue) is that PPD files could contain a line like

*cupsFilter: "application/vnd.cups-postscript 0 /path/to/executable"

This way a user who is allowed to set up a print queue (i.e. who must be allowed to provide a PPD file) can provide a PPD file which runs commands as user "lp" ("lp" is used by CUPS to run filters to process print jobs).

Therefore for a non-root user who is allowed to provide a PPD file a privilege escalation is possible.

Therefore the default policy cannot be that non-root users are allowed to provide a PPD file and accordingly by default only root can set up a print queue.

Of course root can change the default policy and allow any user(s) he trusts to set up a print queue. The crucial point is that privilege escalation must not be possible by default out of the box.

Furthermore there is another way to set up the filtering for a print queue - not via providing a PPD file but instead by providing a "System V style interface script", see "man lpadmin".

From my point of view the real solution would be that root has an obvious and easy to use interface to specify which normal user(s) are allowed to do what in the system, e.g. something like this proposal: https://features.opensuse.org/313287
https://bugzilla.novell.com/show_bug.cgi?id=752454#c4

--- Comment #4 from Johannes Meixner <jsmeix@suse.com> 2012-03-15 15:42:00 UTC ---
FYI:
Recent CUPS versions are restrictive about which executables in cupsFilter lines in the PPD are executed. I think by default CUPS >= 1.5.x no longer executes files from directories where any user can write (e.g. /tmp/).

But this does not really help because one would use a foomatic PPD with

*FoomaticRIPCommandLine: "/any/path/to/any/executable with any options"
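Added example (not code from this thread, from CUPS or from cups-pk-helper): a scanner a helper could run over a user-supplied PPD before passing it to cupsd, flagging the two directive types discussed in comments #3 and #4. The trusted filter directory and the whole notion of "trusted program" are assumptions of the example; the sample PPD text is constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PPD_LINE_MAX  512
#define PPD_VALUE_MAX 256

/* One flagged directive: PPD line number, keyword, quoted value. */
typedef struct { int line; char keyword[32]; char value[PPD_VALUE_MAX]; } ppd_finding;

/* Assumed trusted location: filters installed by packages (cupsd's filter
 * directory on openSUSE). Any absolute program outside it is untrusted. */
static const char TRUSTED_FILTER_DIR[] = "/usr/lib/cups/filter/";

/* Copy the text between the first pair of double quotes on a line into out. */
static bool ppd_quoted_value(const char *line, char *out, size_t outlen)
{
    const char *open = strchr(line, '"');
    const char *close = open ? strchr(open + 1, '"') : NULL;
    size_t len;

    if (open == NULL || close == NULL)
        return false;
    len = (size_t)(close - open - 1);
    if (len >= outlen)
        len = outlen - 1;
    memcpy(out, open + 1, len);
    out[len] = '\0';
    return true;
}

/* A cupsFilter value is "source/type cost program"; the program is the last token.
 * A bare name is resolved by cupsd inside its own filter directory and is accepted.
 * An absolute path must lie under TRUSTED_FILTER_DIR and must not contain ".."
 * anywhere (deliberately conservative, so "a..b" is rejected too). */
bool cupsfilter_program_is_trusted(const char *value)
{
    const char *prog = strrchr(value, ' ');

    prog = prog ? prog + 1 : value;
    if (*prog == '\0')
        return false;
    if (strchr(prog, '/') == NULL)
        return true;
    if (strncmp(prog, TRUSTED_FILTER_DIR, strlen(TRUSTED_FILTER_DIR)) != 0)
        return false;
    return strstr(prog, "..") == NULL;
}

/* Scan a PPD line by line. *FoomaticRIPCommandLine is always flagged because it is
 * a free-form command line (comment #4); *cupsFilter is flagged when its program is
 * untrusted. Returns the total number of findings, storing the first max in out. */
int ppd_scan_filters(const char *ppd_text, ppd_finding *out, int max)
{
    int count = 0, lineno = 0;
    const char *p = ppd_text;

    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        size_t copylen = linelen < PPD_LINE_MAX - 1 ? linelen : PPD_LINE_MAX - 1;
        char line[PPD_LINE_MAX], value[PPD_VALUE_MAX];
        const char *keyword = NULL;
        bool always_flag = false;

        memcpy(line, p, copylen);
        line[copylen] = '\0';
        p += linelen + (eol ? 1 : 0);   /* step past the line and its newline */
        lineno++;

        if (strncmp(line, "*FoomaticRIPCommandLine:", 24) == 0) {
            keyword = "FoomaticRIPCommandLine";
            always_flag = true;
        } else if (strncmp(line, "*cupsFilter:", 12) == 0) {
            keyword = "cupsFilter";
        }
        if (keyword == NULL || !ppd_quoted_value(line, value, sizeof value))
            continue;
        if (!always_flag && cupsfilter_program_is_trusted(value))
            continue;
        if (count < max) {
            out[count].line = lineno;
            snprintf(out[count].keyword, sizeof out[count].keyword, "%s", keyword);
            snprintf(out[count].value, sizeof out[count].value, "%s", value);
        }
        count++;
    }
    return count;
}

/* Constructed sample: two packaged filters, the absolute-path pattern quoted in
 * comment #3, and the foomatic command line from comment #4. */
const char SAMPLE_PPD[] =
    "*cupsFilter: \"application/vnd.cups-postscript 0 foomatic-rip\"\n"
    "*cupsFilter: \"application/vnd.cups-postscript 0 /usr/lib/cups/filter/pstops\"\n"
    "*cupsFilter: \"application/vnd.cups-postscript 0 /path/to/executable\"\n"
    "*FoomaticRIPCommandLine: \"/any/path/to/any/executable with any options\"\n";
```

A PPD with a non-zero finding count would be refused by the helper; with the sample above that is the third and fourth line.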
https://bugzilla.novell.com/show_bug.cgi?id=752454#c7

--- Comment #7 from Sebastian Krahmer <krahmer@suse.com> 2012-03-27 09:16:20 UTC ---
One thing that comes to mind is that _cph_cups_is_printer_name_valid_internal(), which is called to verify the printer names when setting default printers, checks for spaces, '/' etc., but doesn't realise that it is building an IPP/HTTP request where cups decodes anything escaped with %xy. So you end up having all the nasty chars or whitespaces in there again?
https://bugzilla.novell.com/show_bug.cgi?id=752454#c8

--- Comment #8 from Sebastian Krahmer <krahmer@suse.com> 2012-03-27 09:21:39 UTC ---
(In reply to comment #4)
> FYI:
> Recent CUPS versions are restrictive about which executables in cupsFilter lines in the PPD are executed.
> I think by default CUPS >= 1.5.x no longer executes files from directories where any user can write (e.g. /tmp/).
> But this does not really help because one would use a foomatic PPD with
> *FoomaticRIPCommandLine: "/any/path/to/any/executable with any options"

And /bin/sh is not from a user-writable directory anyways :)
https://bugzilla.novell.com/show_bug.cgi?id=752454#c9

--- Comment #9 from Johannes Meixner <jsmeix@suse.com> 2012-03-27 12:06:46 UTC ---
Regarding the question in comment #6 "How is cups verifying that a request is legit?"

See "Authentication Issues" at http://www.cups.org/documentation.php/doc-1.5/security.html

In particular authentication for "root" on "localhost" happens via /var/run/cups/certs/0

By default /etc/cups/cupsd.conf contains
--------------------------------------------------------------
Listen localhost:631
Listen /var/run/cups/cups.sock
--------------------------------------------------------------
But listening on the domain socket is not required. It is only required that cupsd listens on localhost:631. Local clients can connect to the cupsd as they like but should fall back to localhost:631 if connection via domain socket is not possible.
https://bugzilla.novell.com/show_bug.cgi?id=752454#c10

--- Comment #10 from Sebastian Krahmer <krahmer@suse.com> 2012-03-27 13:47:00 UTC ---
Ok, so cups-pk-helper uses /var/run/cups/certs/0 in some way, hm. The first 2 polkit action ids are probably not a big problem (but keep comment #7 in mind), but adding a printer is probably less a code-review problem than a general policy thing if users can execute commands via PPD.
https://bugzilla.novell.com/show_bug.cgi?id=752454#c11

--- Comment #11 from Vincent Untz <vuntz@suse.com> 2012-03-27 13:54:13 UTC ---
(In reply to comment #7)
> One thing that comes to mind is that
> _cph_cups_is_printer_name_valid_internal(), which is called to verify the
> printer names when setting default printers, checks for spaces, '/' etc., but
> doesn't realise that it is building an IPP/HTTP request where cups decodes
> anything escaped with %xy. So you end up having all the nasty chars or
> whitespaces in there again?

Good catch. We need to escape the name.
https://bugzilla.novell.com/show_bug.cgi?id=752454#c12

--- Comment #12 from Vincent Untz <vuntz@suse.com> 2012-03-27 14:13:31 UTC ---
(In reply to comment #11)
> (In reply to comment #7)
> > One thing that comes to mind is that
> > _cph_cups_is_printer_name_valid_internal(), which is called to verify the
> > printer names when setting default printers, checks for spaces, '/' etc., but
> > doesn't realise that it is building an IPP/HTTP request where cups decodes
> > anything escaped with %xy. So you end up having all the nasty chars or
> > whitespaces in there again?
>
> Good catch. We need to escape the name.

Done: http://cgit.freedesktop.org/cups-pk-helper/commit/?id=c9e0f69aefcbd21bc0b5a9...
https://bugzilla.novell.com/show_bug.cgi?id=752454#c13

--- Comment #13 from Sebastian Krahmer <krahmer@suse.com> 2012-03-27 14:22:59 UTC ---
Yes, but that patch only suffices if cups itself checks the decoded names for sanity, e.g. that they do not contain newlines, spaces etc., so that config files would be fscked.
https://bugzilla.novell.com/show_bug.cgi?id=752454#c14

--- Comment #14 from Vincent Untz <vuntz@suse.com> 2012-03-27 14:43:36 UTC ---
(In reply to comment #13)
> Yes, but that patch only suffices if cups itself checks the decoded names for
> sanity, e.g. that they do not contain newlines, spaces etc., so that config
> files would be fscked.

We already validate the name before we even try to escape it (a printer name is always validated when it comes from the caller). What we don't do in a good enough way, though, is validating URIs that come from the caller. Right now, we just do some basic checks for the URIs.
https://bugzilla.novell.com/show_bug.cgi?id=752454#c15

--- Comment #15 from Sebastian Krahmer <krahmer@suse.com> 2012-03-27 14:47:19 UTC ---
Yes, my point was that the validation function (_cph_cups_is_printer_name_valid_internal(), that is?) must also check for '?', '+', '&', '=' and '%' characters. Otherwise you can inject variables or HTTP request stuff into the IPP request. Just encoding it is not enough, as cups will just decode it and see '?' etc. characters as separators?
https://bugzilla.novell.com/show_bug.cgi?id=752454#c16

--- Comment #16 from Vincent Untz <vuntz@suse.com> 2012-03-27 15:14:38 UTC ---
(In reply to comment #15)
> Yes, my point was that the validation function
> (_cph_cups_is_printer_name_valid_internal(), that is?) must also check for '?',
> '+', '&', '=' and '%' characters. Otherwise you can inject variables or HTTP
> request stuff into the IPP request. Just encoding it is not enough, as cups
> will just decode it and see '?' etc. characters as separators?

I'm sorry, I don't understand: all the '?', '+', '&', '=' and '%' characters will now be escaped in the IPP request; so I fail to see how you can inject variables or HTTP request stuff. The result is that cups will not see those characters in the IPP request, but when cups will decode the string, it will see those characters as part of the unescaped printer name (i.e., the one ending in the config file).

Now, if you tell me that the non-escaped printer name should not contain '?', '+', '&', '=' and '%' characters, that's something else. Right now, we accept all printable characters except whitespaces, '/' and '#'. It's trivial to change that in _cph_cups_is_printer_name_valid_internal().
https://bugzilla.novell.com/show_bug.cgi?id=752454#c17

--- Comment #17 from Johannes Meixner <jsmeix@suse.com> 2012-03-27 15:19:13 UTC ---
FYI:
In yast2-printer I allow for the print queue name only letters (a-z and A-Z), numbers (0-9), and the underscore '_', and it must start with a letter.

This is more restrictive than what CUPS allows. But it is recommended to avoid reserved characters and spaces for component values in URIs, and the print queue name becomes part of a CUPS DeviceURI if CUPS Browsing is used to announce print queues over the network, e.g. like in "ipp://IP.of.the.server:631/printers/print_queue_name".

Unreserved characters in URIs are uppercase and lowercase letters, decimal digits, hyphen, period, underscore, and tilde. Even hyphen, period, tilde, and case sensitivity could cause special issues in special cases (e.g. only letters, digits, and underscore are known to work for a CUPS print queue name and case is not significant for CUPS).

Therefore it is best to use only (lowercase) letters, digits, and underscore for all values in all URIs if possible.
https://bugzilla.novell.com/show_bug.cgi?id=752454#c18

--- Comment #18 from Johannes Meixner <jsmeix@suse.com> 2012-03-27 15:28:23 UTC ---
Regarding comment #16 "we accept all printable characters except whitespaces, '/' and '#'"

As far as I know this is not sufficient for a queue name. See the old CUPS 1.1 documentation http://www.cups.org/documentation.php/doc-1.1/sam.html
----------------------------------------------------------------------
Each printer queue has a name associated with it; the printer name must start with any printable character except " ", "/", and "@". It can contain up to 127 letters, numbers, and the underscore (_). Case is not significant, e.g. "PRINTER", "Printer", and "printer" are considered to be the same name.
----------------------------------------------------------------------
I don't know about a more up-to-date documentation.
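Added example (not the cups-pk-helper code and not from this thread): the two checks argued over in comments #7 through #18, written out together. Validation uses the yast2-printer rule from comment #17 and the 127-character limit and case-insensitivity from the CUPS 1.1 documentation quoted above; percent-escaping of the URI component is applied afterwards anyway, so an escaping bug cannot reintroduce what validation removed. The host, port and URI layout are assumptions of the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define QUEUE_NAME_MAX 127   /* length limit from the CUPS 1.1 documentation */

/* yast2-printer rule from comment #17: letters, digits and underscore, starting
 * with a letter. Stricter than CUPS, so whitespace, '/', '#', '@' and the URI
 * reserved characters '?', '+', '&', '=', '%' are all rejected here. */
bool queue_name_is_valid(const char *name)
{
    size_t i, len;

    if (name == NULL || !isalpha((unsigned char)name[0]))
        return false;
    len = strlen(name);
    if (len > QUEUE_NAME_MAX)
        return false;
    for (i = 1; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_')
            return false;
    }
    return true;
}

/* CUPS treats queue names case-insensitively (comment #18), so duplicates must
 * be detected with a case-insensitive comparison. */
bool queue_names_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Percent-encode one URI path component: RFC 3986 unreserved characters pass
 * through, everything else becomes %XX. Returns the encoded length, or
 * (size_t)-1 if out is too small. */
size_t uri_escape_component(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;

    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') {
            if (n + 1 >= outlen)
                return (size_t)-1;
            out[n++] = (char)c;
        } else {
            if (n + 3 >= outlen)
                return (size_t)-1;
            out[n++] = '%';
            out[n++] = hex[c >> 4];
            out[n++] = hex[c & 0x0F];
        }
    }
    out[n] = '\0';
    return n;
}

/* Build the printer URI for an IPP request: validate the raw name first (as
 * cups-pk-helper does), then escape it anyway so the two checks back each other
 * up. Host and port are assumptions for this example. Returns 0 on success,
 * -1 for an invalid name, -2 if out is too small. */
int build_printer_uri(const char *name, char *out, size_t outlen)
{
    char escaped[3 * QUEUE_NAME_MAX + 1];
    int written;

    if (!queue_name_is_valid(name))
        return -1;
    if (uri_escape_component(name, escaped, sizeof escaped) == (size_t)-1)
        return -2;
    written = snprintf(out, outlen, "ipp://localhost:631/printers/%s", escaped);
    return (written < 0 || (size_t)written >= outlen) ? -2 : 0;
}

int main(void)
{
    const char *samples[] = { "office_laser1", "1office", "my printer", "a?b&c=d", "a%20b" };
    char uri[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %s\n", samples[i],
               build_printer_uri(samples[i], uri, sizeof uri) == 0 ? uri : "rejected");
    return 0;
}
```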
https://bugzilla.novell.com/show_bug.cgi?id=752454#c19

--- Comment #19 from Vincent Untz <vuntz@suse.com> 2012-03-27 15:49:59 UTC ---
Thanks for the link, Johannes!

Fixed: http://cgit.freedesktop.org/cups-pk-helper/commit/?id=7bf9cbe43ef8f648f308e4...
https://bugzilla.novell.com/show_bug.cgi?id=752454#c20

--- Comment #20 from Sebastian Krahmer <krahmer@suse.com> 2012-03-28 08:56:04 UTC ---
Ah, that's better. :)

BTW, for the add-printer for users, you could force pathnames to be inside a certain user-non-writable system dir via _cph_cups_is_ppd_valid() (and check for ../ inside ppd-name). So users can add printers (maybe real printers, no socket or ipp forwards) where a PPD file already exists and root can add arbitrary PPD files? OTOH, you still don't want users to register a printer with highest priority in a company and let cups announce that.
https://bugzilla.novell.com/show_bug.cgi?id=752454#c21

--- Comment #21 from Johannes Meixner <jsmeix@suse.com> 2012-03-28 09:33:22 UTC ---
Regarding "BTW" in comment #20:

If I understand this correctly, you mean to check whether or not a PPD file content can be trusted? In this case wouldn't it be better to check who is allowed to create or change the PPD file (i.e. check directory and file permissions) and consider a PPD file as trusted if only root can create or change it (regardless of the content of the PPD file).
https://bugzilla.novell.com/show_bug.cgi?id=752454#c22

--- Comment #22 from Sebastian Krahmer <krahmer@suse.com> 2012-03-28 11:19:33 UTC ---
In theory, it would. In practice, you end up having a lot of trouble with symlinks, hardlinks, race conditions between check and use etc. And since you transfer a filename to CUPS rather than a fd, there will always be a race.

That's why my proposal was to install a ppd-files.rpm via root once cups is installed and then only allow users to choose ppd files from that trusted directory that was created back then. Not even allow them to install ipp:// socket:// printers; only real hardware, which makes it less easy to grab print jobs.

Do not know whether it is possible to only let root choose some kind of 'priority', and let users only install printers with lowest prio, so other users' print jobs can't be hijacked. Users can still use that printer via -P or alike on their own box or make it default for their own box. Of course only if the user is on the console.
https://bugzilla.novell.com/show_bug.cgi?id=752454#c23

--- Comment #23 from Johannes Meixner <jsmeix@suse.com> 2012-03-28 12:43:40 UTC ---
Regarding "install a ppd-files.rpm via root":

Only for PostScript is a PPD file alone sufficient. Other printers (i.e. non-PostScript printers) need printer driver software plus a PPD file which matches exactly the particular driver. Therefore the PPD files for non-PostScript printers are included in the printer driver RPMs, see "PPD files" and "Printer drivers" and "openSUSE printer driver software packages" in http://en.opensuse.org/Concepts_printing

Regarding "only allow users to choose ppd files from that trusted directory":

Is there something wrong with /usr/share/cups/model/ ? This is the standard directory where PPD files are installed.

Regarding "let users only install printers with lowest prio":

CUPS policies do not support such detailed adjustments, see http://www.cups.org/documentation.php/doc-1.5/policies.html
----------------------------------------------------------------------
Table 1: IPP Operation Names
...
CUPS-Add-Modify-Printer    Adds or modifies a printer.
----------------------------------------------------------------------
I.e. either full permissions to add/modify a print queue or none.

I don't know what PolicyKit can do - i.e. whether or not PolicyKit supports such detailed policy adjustments.
https://bugzilla.novell.com/show_bug.cgi?id=752454#c24

--- Comment #24 from Johannes Meixner <jsmeix@suse.com> 2012-03-28 12:46:15 UTC ---
FYI:
Sebastian, note that CUPS policies and PolicyKit/cups-pk-helper are separate things, see https://bugzilla.novell.com/show_bug.cgi?id=749451#c8 and subsequent comments.
https://bugzilla.novell.com/show_bug.cgi?id=752454#c25

--- Comment #25 from Sebastian Krahmer <krahmer@suse.com> 2012-03-28 12:56:32 UTC ---
/usr/share/cups as a trusted directory would be perfectly OK, yet if you want to allow users to install new printers, the PPD files need to be installed there by rpm, so you would also need to allow users to install RPMs then. Or you need to auth as admin again, this time not for installing the printer via cups, but for installing the RPM containing the PPD and the driver.

I am just thinking how you can allow users to install new printers but still force them to only install "system-owned" drivers/PPDs and not their own evil PPDs.
https://bugzilla.novell.com/show_bug.cgi?id=752454#c26

--- Comment #26 from Johannes Meixner <jsmeix@suse.com> 2012-03-28 13:12:55 UTC ---
Proposal regarding "only install 'system-owned' drivers/PPDs":

Test if all official openSUSE printer driver software packages (i.e. packages from official openSUSE repositories) are installed and if not, offer a dialog to let normal users choose which to install. Then install them as a setuid-root background process. Afterwards restrict normal users to use only PPDs below /usr/share/cups/model/.

Of course normal users can then not set up printers which require a driver which is not provided by openSUSE. E.g. HP printers which require a proprietary plugin to be downloaded from HP and installed, see the output of

# lpinfo -m | grep 'proprietary'

By the way, regarding comment #22:

I do not understand why "Not even allow them to install socket:// printers only real hardware"? For me a network printer is "real hardware". What is the security issue with network printers? If a network printer is directly accessible via TCP socket, all normal users can send any data to it. Therefore I do not see a security issue when the same would be done as user "lp" via a print queue.
https://bugzilla.novell.com/show_bug.cgi?id=752454#c27

--- Comment #27 from Sebastian Krahmer <krahmer@suse.com> 2012-03-28 14:36:56 UTC ---
Something like that, but we don't want another setuid process. Maybe this can be solved with some packagekit polkit rules. That's beyond my scope of the cups-pk-helper review. Needs to be discussed with Ludwig and Marcus on how we solve the RPM-install problem, even if we solved the 'only-system-PPDs' (which yet lacks an implementation) in cups-pk-helper itself.

The idea of not allowing network printer setups is to prevent that evil users set up a fake network printer on their localhost:1234 and just capture any job. By forcing 'real hardware' this would be more difficult?
https://bugzilla.novell.com/show_bug.cgi?id=752454#c28

--- Comment #28 from Johannes Meixner <jsmeix@suse.com> 2012-03-28 14:58:39 UTC ---
Regarding "evil users set up a fake network printer":

Do you mean that an evil user sets up a fake network printer (e.g. a listening process at port 9100, which is the usual port to access a network printer via plain TCP socket) and then innocent normal users on other hosts who are allowed to set up print queues with socket:// deviceURI may set up a queue for the fake network printer so that the evil user can capture the print jobs from the innocent normal users?
https://bugzilla.novell.com/show_bug.cgi?id=752454#c29

--- Comment #29 from Sebastian Krahmer <krahmer@suse.com> 2012-03-28 15:07:27 UTC ---
Yes, something like that.
https://bugzilla.novell.com/show_bug.cgi?id=752454#c30

--- Comment #30 from Johannes Meixner <jsmeix@suse.com> 2012-03-29 07:26:20 UTC ---
A malicious user on another host (where he has root permissions, e.g. a malicious user who connects his own laptop to the network) can usually fake whatever server and service in the network.

As far as I see the particular "fake network printer" security issue is the same as the general "print job phishing" security issue which I described in "What is Specific Regarding Firewall Setup for Printing" in http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings

And - as far as I see - the "print job phishing" issue is the same as the general phishing security issue. When a user submits data into a network he must care whether or not he trusts this network. If he cannot trust the network he must not submit private or confidential data into this network - except he had set up in advance sufficient encryption and authentication stuff to ensure that only his intended recipient can decode his data (regardless that all others in those networks could have also received his encrypted data).

If he cannot trust the network he must not log in on arbitrary web interfaces which are "just accessible" for him.

If he cannot trust the network he must not submit his private or confidential print jobs into arbitrary print queues which are "just accessible" for him.

If he cannot trust the network he must not set up print queues for network printers which are "just accessible" for him.

Therefore I think it does not provide real better security to forbid only one "possibly phishing" case, to set up print queues where the connection happens via network (i.e. with DeviceURIs like socket:/ lpd:/ smb:/ ipp:/ hp:/net/ ...).
https://bugzilla.novell.com/show_bug.cgi?id=752454#c31

--- Comment #31 from Andreas Jaeger <aj@suse.com> 2012-05-24 08:38:06 UTC ---
What is the status here? What needs to be done to move this forward?
https://bugzilla.novell.com/show_bug.cgi?id=752454#c32

--- Comment #32 from Sebastian Krahmer <krahmer@suse.com> 2013-02-18 09:47:33 UTC ---
Ok, let's put aside the fake-network-printer thing and focus on how it can be ensured that users cannot install their own PPD files, which is equal to code execution.