https://bugzilla.novell.com/show_bug.cgi?id=752454 https://bugzilla.novell.com/show_bug.cgi?id=752454#c Ludwig Nussel changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|AUDIT: need cups & |AUDIT-0: need cups & |cups-pk-helper audit to |cups-pk-helper audit to |allow change in |allow change in |cups-pk-helper policies |cups-pk-helper policies -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=752454 https://bugzilla.novell.com/show_bug.cgi?id=752454#c2 --- Comment #2 from Ludwig Nussel 2012-03-15 15:05:57 CET --- (In reply to comment #0)

========================================================== 2. org.opensuse.cupspkhelper.mechanism.printer-set-default ========================================================== This just changes the default printer. This can easily be reverted.

=> We'd like to change this policy to "yes".

Note that this is something the user needs to decide whether it should be system wide or just personal preference (~/.cups/lpoptions). The latter naturally doesn't require any auth of course. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=752454 https://bugzilla.novell.com/show_bug.cgi?id=752454#c4 --- Comment #4 from Johannes Meixner 2012-03-15 15:42:00 UTC --- FYI: Recent CUPS versions are restrictive which exectuables in cupsFilter lines in the PPD are executed. I think by default CUPS >= 1.5.x does no longer execute files from directories where any user can write (e.g. /tmp/). But this does not really help because one would use a foomatic PPD with *FoomaticRIPCommandLine: "/any/path/to/any/executable with any options" -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=752454 https://bugzilla.novell.com/show_bug.cgi?id=752454#c8 --- Comment #8 from Sebastian Krahmer 2012-03-27 09:21:39 UTC --- (In reply to comment #4)

FYI:

Recent CUPS versions are restrictive which exectuables in cupsFilter lines in the PPD are executed.

I think by default CUPS >= 1.5.x does no longer execute files from directories where any user can write (e.g. /tmp/).

But this does not really help because one would use a foomatic PPD with

*FoomaticRIPCommandLine: "/any/path/to/any/executable with any options"

And /bin/sh is not from a user-writable directory anyways :) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=752454 https://bugzilla.novell.com/show_bug.cgi?id=752454#c10 --- Comment #10 from Sebastian Krahmer 2012-03-27 13:47:00 UTC --- Ok, so cups-pk-helper uses /var/run/cups/certs/0 in some way, hm. The first 2 polkit action id's are probably not of a big problem (but keep comment#7 in mind) but adding a printer is probably less a code-review-problem but a general policy thing if users can execute commands via PPD. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=752454 https://bugzilla.novell.com/show_bug.cgi?id=752454#c12 --- Comment #12 from Vincent Untz 2012-03-27 14:13:31 UTC --- (In reply to comment #11)

(In reply to comment #7)

...

One thing that comes in mind is that

_cph_cups_is_printer_name_valid_internal() which is called to verify the printer names when setting default printers checks for spaces, '/' etc., but doesnt realise that it is building a IPP/HTTP request where cups decodes anything escaped with %xy. So you end up having all the nasty chars or whitespaces inthere again?

Good catch. We need to escape the name.

Done: http://cgit.freedesktop.org/cups-pk-helper/commit/?id=c9e0f69aefcbd21bc0b5a9... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=752454 https://bugzilla.novell.com/show_bug.cgi?id=752454#c14 --- Comment #14 from Vincent Untz 2012-03-27 14:43:36 UTC --- (In reply to comment #13)

Yes, but that patch only suffices if cups itself checks the decoded names for sanity, e.g. they do not contain newlines, spaces etc. so that config files would be fscked.

We already validate the name before we even try to escape it (a printer name is always validated when it comes from the caller). What we don't do in a good enough way, though, is validating URIs that come from the caller. Right now, we just do some basic checks for the URIs. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=752454 https://bugzilla.novell.com/show_bug.cgi?id=752454#c16 --- Comment #16 from Vincent Untz 2012-03-27 15:14:38 UTC --- (In reply to comment #15)

Yes, my point was that the validation function (_cph_cups_is_printer_name_valid_internal() that is?) must also check for '?', '+', '&', '=' and '%' characters. Otherwise you can inject variables or HTTP request stuff into the IPP request. Just encoding it is not enough, as cups will just decode it and see '?' etc. characters as separator?

I'm sorry, I don't understand: all the '?', '+', '&', '=' and '%' characters will now be escaped in the IPP request; so I fail to see how you can inject variables or HTTP request stuff. The result is that cups will not see those characters in the IPP request, but when cups will decode the string, it will see those characters as part of the unescaped printer name (ie, the one ending in the config file). Now, if you tell me that the non-escaped printer name should not contain '?', '+', '&', '=' and '%' characters, that's something else. Right now, we accept all printable characters except whitespaces, '/' and '#'. It's trivial to change that in _cph_cups_is_printer_name_valid_internal(). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=752454 https://bugzilla.novell.com/show_bug.cgi?id=752454#c18 --- Comment #18 from Johannes Meixner 2012-03-27 15:28:23 UTC --- Regarding comment #16 "we accept all printable characters except whitespaces, '/' and '#'" As far as I know this is is not sufficient for a queue name. See the old CUPS 1.1 documentation http://www.cups.org/documentation.php/doc-1.1/sam.html ---------------------------------------------------------------------- Each printer queue has a name associated with it; the printer name must start with any printable character except " ", "/", and "@". It can contain up to 127 letters, numbers, and the underscore (_). Case is not significant, e.g. "PRINTER", "Printer", and "printer" are considered to be the same name. ---------------------------------------------------------------------- I don't know about a more up-to-date documentation. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=752454 https://bugzilla.novell.com/show_bug.cgi?id=752454#c20 --- Comment #20 from Sebastian Krahmer 2012-03-28 08:56:04 UTC --- Ah, thats better. :) BTW, for the add-printer for users, you could force pathnames to be inside a certain user-non-writable system-dir via _cph_cups_is_ppd_valid() (and check for ../ inside ppd-name). So users can add printers (maybe real printers, no socket or ipp forwards) where a PPD file already exists and root can add arbitrary PPD files? OTOH, you still dont want users to register a printer with highest priority in a company and let cups announce that. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=752454 https://bugzilla.novell.com/show_bug.cgi?id=752454#c22 --- Comment #22 from Sebastian Krahmer 2012-03-28 11:19:33 UTC --- In theory, it would. In practise, you end up having a lot of trouble with symlinks, hardlinks, race conditions between check and use etc. And since you transfer a filename to CUPS rather than a fd, there will always be a race. Thats why my proposal was to install a ppd-files.rpm via root once cups is installed and then only allow users to chose ppd files from that trusted directory that was created back then. Not even allow them to install ipp:// socket:// printers; only real hardware which makes it less easy to grab print jobs. Do not know whether it is possible to only let root choose some kind of 'priority', and let user only install printers with lowest prio, so other users' print jobs cant be hijacked. User can still use that printer via -P or alike on his own box or make it default for his own box. Of course only if the user is on the console. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=752454 https://bugzilla.novell.com/show_bug.cgi?id=752454#c24 --- Comment #24 from Johannes Meixner 2012-03-28 12:46:15 UTC --- FYI: Sebastian, note that CUPS policies and PolicyKit/cups-pk-helper are separated things, see https://bugzilla.novell.com/show_bug.cgi?id=749451#c8 and subsequent comments. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=752454 https://bugzilla.novell.com/show_bug.cgi?id=752454#c26 --- Comment #26 from Johannes Meixner 2012-03-28 13:12:55 UTC --- Proposal regarding "only install 'system-owned' drivers/PPDs": Test if all official openSUSE printer driver software packages (i.e. packages from official openSUSE respositories) are installed and if not, offer a dialog to let normal users choose which to install. Then install them as setuid-root background process. Afterwards restrict normal users to use only PPDs below /usr/share/cups/model/. Of course normal users can then not set up printers which require a driver which is not provided by openSUSE. E.g. HP printers which require a proprietary plugin to be downloaded from HP and installed, see the output of # lpinfo -m | grep 'proprietary' By the way, regarding comment #22: I do not understand why "Not even allow them to install socket:// printers only real hardware"? For me a network printer is "real hardware". What is the security issue with network printers? If a network printer is directly accessible via TCP socket, all normal users can send any data to it. Therefore I do not see a security issue when the same would be done as user "lp" via a print queue. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=752454 https://bugzilla.novell.com/show_bug.cgi?id=752454#c28 --- Comment #28 from Johannes Meixner 2012-03-28 14:58:39 UTC --- Regarding "evil users set up a fake network printer": Do you mean that an evil user set up a fake network printer (e.g. a listening process at port 9100 which is the usual port to access a network printer via plain TCP socket) and then innocent normal users on other hosts who are allowed to set up print queues with socket:// deviceURI may set up a queue for the fake network printer so that the evil user can capture the print jobs from the innocent normal users? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=752454 https://bugzilla.novell.com/show_bug.cgi?id=752454#c30 --- Comment #30 from Johannes Meixner 2012-03-29 07:26:20 UTC --- A malicious user on another host (where he has root permissions e.g. a malicious user who connects his own laptop to the network) can usually fake whatever server and service in the network. As far as I see the particular "fake network printer" security issue is the same as the general "print job phishing" security issue which I described in "What is Specific Regarding Firewall Setup for Printing" in http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings And - as far as I see - the "print job phishing" issue is the same as the general phishing security issue. When a user submits data into a network he must care whether or not he trusts this network. If he cannot trust the network he must not submit private or confidential data into this network - except he had set up in advance sufficient encryption and authentication stuff to ensure that only his intended recipient can decode his data (regardless that all others in those network could have also received his encrypted data). If he cannot trust the network he must not log in on arbitrary web interfaces which are "just accessible" for him. If he cannot trust the network he must not submit his private or confidential print jobs into arbitrary print queues which are "just accessible" for him. If he cannot trust the network he must not set up print queues for network printers which are "just accessible" for him. Therefore I think it does not provide real better security to forbid only one "possibly phishing" case to set up print queues where the connection happens via network (i.e. with DeviceURIs like socket:/ lpd:/ smb:/ ipp:/ hp:/net/ ...). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=752454 https://bugzilla.novell.com/show_bug.cgi?id=752454#c32 --- Comment #32 from Sebastian Krahmer 2013-02-18 09:47:33 UTC --- Ok, lets put aside the fake-network printer thing and focus on how it can be ensured that users cannot install their own PPD files, which is equal to code execution. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.