Bug#914370: cups-daemon: AppArmor profile allows cupsd to create setuid binaries under /etc
Package: cups-daemon
Version: 2.3~b5-2
Severity: normal
Dear Maintainer,
The AppArmor profile supplied with cupsd isn't much use against local
attackers, as it allows cupsd to create setuid binaries at paths it
can write to (e.g. under /etc/cups). Since cupsd is run as root by
default, these binaries can be setuid root.
In the following example, I replace cupsd with a shell and run it as
root to test the confinement. As you can see, AppArmor stops the
process writing to an unlisted path in /etc, but does allow it to
write and set permissions under /etc/cups.
# mv -i /usr/sbin/cupsd /usr/sbin/cupsd.bak
# cp /bin/sh /usr/sbin/cupsd
# PS1='confined# ' /usr/sbin/cupsd
confined# cp /bin/true /etc
cp: cannot create regular file '/etc/true': Permission denied
confined# cp /bin/true /etc/cups
confined# chmod 4555 /etc/cups/true
confined# exit
# ls -l /etc/cups/true
-r-sr-xr-x 1 root root 35424 Nov 22 14:16 /etc/cups/true
(Creating a setuid binary at /etc/printcap also works, as does
removing any existing symlink there.)
In default installations /etc is not on a nosuid mount, so provided
that they have a suitable exploit, local attackers who are unconfined
but non-root can use cupsd to create a setuid binary, then run the
binary themselves to gain unconfined root privileges.
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages cups-daemon depends on:
ii adduser 3.118
ii bc 1.07.1-2+b1
ii libavahi-client3 0.7-4+b1
ii libavahi-common3 0.7-4+b1
ii libc6 2.27-8
ii libcups2 2.3~b5-2
ii libcupsmime1 2.3~b5-2
ii libdbus-1-3 1.12.10-1
ii libgssapi-krb5-2 1.16.1-1
ii libpam0g 1.1.8-3.8
ii libpaper1 1.1.24+nmu5
ii libsystemd0 239-13
ii lsb-base 9.20170808
ii procps 2:3.3.15-2
ii ssl-cert 1.0.39
Versions of packages cups-daemon recommends:
ii avahi-daemon 0.7-4+b1
ii colord 1.4.3-3+b1
ii cups-browsed 1.21.3-3
Versions of packages cups-daemon suggests:
ii cups 2.3~b5-2
ii cups-bsd 2.3~b5-2
ii cups-client 2.3~b5-2
ii cups-common 2.3~b5-2
ii cups-filters [foomatic-filters] 1.21.3-3
pn cups-pdf <none>
ii cups-ppdc 2.2.9-2
ii cups-server-common 2.3~b5-2
ii foomatic-db-compressed-ppds [foomatic-db] 20180921-1
ii ghostscript 9.26~dfsg-1
pn hplip <none>
ii poppler-utils 0.69.0-2
ii printer-driver-gutenprint 5.3.1-2
pn printer-driver-hpcups <none>
pn smbclient <none>
ii udev 239-13
-- no debconf information
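Added example, not part of the original report or of the cups package: a shell check an administrator could run for the two conditions the report relies on, namely setuid/setgid files under the paths it names (/etc/cups, /etc/printcap) and whether those paths sit on a nosuid mount. The function names are hypothetical, and the mount lookup assumes mount points without escaped whitespace.

```shell
#!/bin/sh
# Added example: audit helpers for the condition described in the report.

# list_setid PATH...: print regular files that carry the setuid or setgid bit.
list_setid() {
    for dir in "$@"; do
        [ -e "$dir" ] || continue
        find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
    done
}

# mount_opts PATH [MOUNTS_FILE]: print the options of the mount holding PATH.
# The longest matching mount point wins; on a tie the later entry wins,
# because later mounts shadow earlier ones.
mount_opts() {
    awk -v p="$1" '
        {
            mp = $2
            hit = ((mp == "/") || (p == mp) || (index(p, mp "/") == 1))
            if (hit && length(mp) >= best) { best = length(mp); opts = $4 }
        }
        END { print opts }
    ' "${2:-/proc/self/mounts}"
}

# is_nosuid PATH [MOUNTS_FILE]: succeed if that mount has the nosuid option.
is_nosuid() {
    case ",$(mount_opts "$@")," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_cups_paths: report on the two paths named in the bug report.
audit_cups_paths() {
    for p in /etc/cups /etc/printcap; do
        if is_nosuid "$p"; then
            echo "$p: on a nosuid mount"
        else
            echo "$p: setuid bits are honoured here"
        fi
    done
    list_setid /etc/cups /etc/printcap
}
```

Run `audit_cups_paths` as root; any path printed after the two status lines is a setuid or setgid file that should not exist in a configuration directory.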