Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?

To: debian-printing@lists.debian.org
Cc: Till Kamppeter <till.kamppeter@gmail.com>
Subject: Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?
From: Didier 'OdyX' Raboud <odyx@debian.org>
Date: Tue, 29 Nov 2016 08:17:32 +0100
Message-id: <[🔎] 5110531.KtZAddEMO4@odyx.org>
In-reply-to: <[🔎] 5208f672-6a7f-c2a6-abdb-6d0de878dd13@gmail.com>
References: <[🔎] 2791883.j2Vj4C0Vnv@odyx.org> <[🔎] 28112016171619.2b1fba5ca9de@desktop.copernicus.org.uk> <[🔎] 5208f672-6a7f-c2a6-abdb-6d0de878dd13@gmail.com>

Le lundi, 28 novembre 2016, 17.07:14 h CET Till Kamppeter a écrit :
> On 11/28/2016 03:29 PM, Brian Potkin wrote:
> > I added root to SystemGroup in cups-files and restarted cups. A queue
> > was paused with cupsdisable. From g-c-c it was possible to cancel the
> > job without unlocking the printing dialog. After unlocking I was able
> > add/delete printers, start/stop a printer set a default printer and
> > apparently change queue options.
> > 
> > Sabotage of fine-grained privileges by cups might not go down well. :)
> 
> Then I would suggest to actually add root to SystemGroup.

What I understand from Brian's argument is as follows: adding 'root' to 
SystemGroup allows any user to administer CUPS through cups-pk-helper as if 
she were member of 'lpadmin' without a password prompt.

In other words, letting cups-pk-helper run as 'root' (but accept commands from 
any allowed users) leads to a user-to-lpadmin privilege escalation. At least, 
it defers access control away from CUPS to cups-pk-helper.

If cups-pk-helper runs as root, could it not drop privileges, and run the CUPS 
commands as the originating user?

-- 
Cheers,
    OdyX

Reply to:

Follow-Ups:
- Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?
  - From: Brian Potkin <claremont102@gmail.com>

References:
- Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?
  - From: Didier 'OdyX' Raboud <odyx@debian.org>
- Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?
  - From: Brian Potkin <claremont102@gmail.com>
- Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?
  - From: Till Kamppeter <till.kamppeter@gmail.com>

Prev by Date: ghostscript_9.20~dfsg-1_amd64.changes ACCEPTED into unstable
Next by Date: Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?
Previous by thread: Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?
Next by thread: Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?
Index(es):
- Date
- Thread