[Bug 752454] New: AUDIT: need cups & cups-pk-helper audit to allow change in cups-pk-helper policies
https://bugzilla.novell.com/show_bug.cgi?id=752454 https://bugzilla.novell.com/show_bug.cgi?id=752454#c0 Summary: AUDIT: need cups & cups-pk-helper audit to allow change in cups-pk-helper policies Classification: openSUSE Product: openSUSE 12.2 Version: Factory Platform: Other OS/Version: Other Status: NEW Severity: Normal Priority: P5 - None Component: Printing AssignedTo: jsmeix@suse.com ReportedBy: vuntz@suse.com QAContact: jsmeix@suse.com CC: lnussel@suse.com, aj@suse.com Blocks: 749451 Found By: --- Blocker: --- To allow changing the cups-pk-helper policies, we need a new audit. Currently, all policies are auth_admin_keep. We'd like to relax some of those. Fixing this will result in fixing bug 749451. The result will likely affect the decisions taken upstream, see https://bugs.freedesktop.org/show_bug.cgi?id=46943 ================================================== 1. org.opensuse.cupspkhelper.mechanism.devices-get ================================================== This gets a list of available devices; internally, this uses cupsGetDevices(). => We'd like to change this policy to "yes". Here's some preliminary analysis I did: === I don't know cups code in details, but a quick look tells me that this runs /usr/lib/cups/daemon/cups-deviced. This small utility will then run all binaries in /usr/lib/cups/backend/ with no argument and analyze their output. On my system, I have those ones in /usr/lib/cups/backend/: -rwxr-xr-x 1 root root 7250 16 févr. 15:18 beh -rwxr-xr-x 1 root root 18088 3 mars 16:19 hp lrwxrwxrwx 1 root root 3 8 mars 18:21 http -> ipp lrwxrwxrwx 1 root root 3 8 mars 18:21 https -> ipp -rwx------ 1 root root 59456 3 mars 15:48 ipp lrwxrwxrwx 1 root root 3 8 mars 18:21 ipps -> ipp -rwx------ 1 root root 38780 3 mars 15:48 lpd -r-xr-xr-x 1 root root 30540 3 mars 15:48 parallel -r-xr-xr-x 1 root root 30532 3 mars 15:48 serial lrwxrwxrwx 1 root root 17 12 mars 15:18 smb -> /usr/bin/smbspool -r-xr-xr-x 1 root root 22292 3 mars 15:48 snmp -r-xr-xr-x 1 root root 30528 3 mars 15:48 socket -r-xr-xr-x 1 root root 30532 3 mars 15:48 usb I haven't read the code of all of those, but: - http/https/ipp/ipps: doesn't do anything with no argument (just printf) - lpd: same, just printf - parallel: calls a list_devices() function, that opens file in /dev (/dev/parallel/{0,1,2,3}, /dev/printers/{0,1,2,3}, /dev/lp{0,1,2,3}) to get some information about the device ID - serial: calls a list_devices() function, that opens file in /dev (/dev/ttyS*, /dev/ttyUSB*, /dev/ttyQ*e* -- it's not really "*", see the code), just to see if the open() works - socket: doesn't do anything with no argument (just printf) The snmp binary seems to do something based on a configuration file; for the usb binary, I'm unsure which source file is being used... === ========================================================== 2. org.opensuse.cupspkhelper.mechanism.printer-set-default ========================================================== This just changes the default printer. This can easily be reverted. => We'd like to change this policy to "yes". ===================================================== 3. org.opensuse.cupspkhelper.mechanism.printer-enable ===================================================== This enables/disable a printer. This can easily be reverted. => We'd like to change this policy to "yes". ========================================================== 4. All of: org.opensuse.cupspkhelper.mechanism.printer-local-edit org.opensuse.cupspkhelper.mechanism.printer-remote-edit org.opensuse.cupspkhelper.mechanism.class-edit ========================================================== Those can involve uploading a PPD file to CUPS, so we need to have some authentication to prevent this happening without the user being aware of the change. However, I don't think it's useful to assume the user will be malicious, so authentication from user is enough, I'd say. I'd like to move this to auth_self_keep, but Ludwig points out that we don't want to use such a policy. If the PPD file is the only use that causes the use of auth_admin_keep, then we could add some polkit acitons, so that auth_admin_keep is used when a PPD file is involved, and yes is used in other cases. To know what can be done, Ludwig mentioned the code needs to be audited. => Find during the audit what we can do to improve things here. =============================================== 5. org.opensuse.cupspkhelper.mechanism.all-edit =============================================== This is "meta" action. So it needs to be set to the most restrictive value between devices-get, printer-set-default, printer-enable, printer-local-edit, printer-remote-edit, class-edit and job-edit. => We'd like to change this policy to whatever we decide in 4. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c1
Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c
Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c
Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c2
--- Comment #2 from Ludwig Nussel
========================================================== 2. org.opensuse.cupspkhelper.mechanism.printer-set-default ========================================================== This just changes the default printer. This can easily be reverted.
=> We'd like to change this policy to "yes".
Note that this is something the user needs to decide whether it should be system wide or just personal preference (~/.cups/lpoptions). The latter naturally doesn't require any auth of course. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
From my point of view the real solution would be
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c3
--- Comment #3 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c4
--- Comment #4 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c7
--- Comment #7 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c8
--- Comment #8 from Sebastian Krahmer
FYI:
Recent CUPS versions are restrictive which exectuables in cupsFilter lines in the PPD are executed.
I think by default CUPS >= 1.5.x does no longer execute files from directories where any user can write (e.g. /tmp/).
But this does not really help because one would use a foomatic PPD with
*FoomaticRIPCommandLine: "/any/path/to/any/executable with any options"
And /bin/sh is not from a user-writable directory anyways :) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c9
--- Comment #9 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c10
--- Comment #10 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c11
--- Comment #11 from Vincent Untz
One thing that comes in mind is that
_cph_cups_is_printer_name_valid_internal() which is called to verify the printer names when setting default printers checks for spaces, '/' etc., but doesnt realise that it is building a IPP/HTTP request where cups decodes anything escaped with %xy. So you end up having all the nasty chars or whitespaces inthere again?
Good catch. We need to escape the name. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c12
--- Comment #12 from Vincent Untz
(In reply to comment #7)
One thing that comes in mind is that
_cph_cups_is_printer_name_valid_internal() which is called to verify the printer names when setting default printers checks for spaces, '/' etc., but doesnt realise that it is building a IPP/HTTP request where cups decodes anything escaped with %xy. So you end up having all the nasty chars or whitespaces inthere again?
Good catch. We need to escape the name.
Done: http://cgit.freedesktop.org/cups-pk-helper/commit/?id=c9e0f69aefcbd21bc0b5a9... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c13
--- Comment #13 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c14
--- Comment #14 from Vincent Untz
Yes, but that patch only suffices if cups itself checks the decoded names for sanity, e.g. they do not contain newlines, spaces etc. so that config files would be fscked.
We already validate the name before we even try to escape it (a printer name is always validated when it comes from the caller). What we don't do in a good enough way, though, is validating URIs that come from the caller. Right now, we just do some basic checks for the URIs. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c15
--- Comment #15 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c16
--- Comment #16 from Vincent Untz
Yes, my point was that the validation function (_cph_cups_is_printer_name_valid_internal() that is?) must also check for '?', '+', '&', '=' and '%' characters. Otherwise you can inject variables or HTTP request stuff into the IPP request. Just encoding it is not enough, as cups will just decode it and see '?' etc. characters as separator?
I'm sorry, I don't understand: all the '?', '+', '&', '=' and '%' characters will now be escaped in the IPP request; so I fail to see how you can inject variables or HTTP request stuff. The result is that cups will not see those characters in the IPP request, but when cups will decode the string, it will see those characters as part of the unescaped printer name (ie, the one ending in the config file). Now, if you tell me that the non-escaped printer name should not contain '?', '+', '&', '=' and '%' characters, that's something else. Right now, we accept all printable characters except whitespaces, '/' and '#'. It's trivial to change that in _cph_cups_is_printer_name_valid_internal(). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c17
--- Comment #17 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c18
--- Comment #18 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c19
--- Comment #19 from Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c20
--- Comment #20 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c21
--- Comment #21 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c22
--- Comment #22 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c23
--- Comment #23 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c24
--- Comment #24 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c25
--- Comment #25 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c26
--- Comment #26 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c27
--- Comment #27 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c28
--- Comment #28 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c29
--- Comment #29 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c30
--- Comment #30 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c31
--- Comment #31 from Andreas Jaeger
https://bugzilla.novell.com/show_bug.cgi?id=752454
https://bugzilla.novell.com/show_bug.cgi?id=752454#c32
--- Comment #32 from Sebastian Krahmer
participants (1)
-
bugzilla_noreply@novell.com