
Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?



On Tue 29 Nov 2016 at 08:17:32 +0100, Didier 'OdyX' Raboud wrote:

> On Monday, 28 November 2016, 17.07:14 h CET Till Kamppeter wrote:
> > On 11/28/2016 03:29 PM, Brian Potkin wrote:
> > > I added root to SystemGroup in cups-files and restarted cups. A queue
> > > was paused with cupsdisable. From g-c-c it was possible to cancel the
> > > job without unlocking the printing dialog. After unlocking I was able
> > > to add/delete printers, start/stop a printer, set a default printer and
> > > apparently change queue options.
> > > 
> > > Sabotage of fine-grained privileges by cups might not go down well. :)
> > 
> > Then I would suggest to actually add root to SystemGroup.
> 
> What I understand from Brian's argument is as follows: adding 'root' to 
> SystemGroup allows any user to administer CUPS through cups-pk-helper as if 
> she were a member of 'lpadmin' without a password prompt.

I was also thinking the present OOTB behaviour would be broken and could
lead to cups having a critical (makes unrelated software on the system
break) bug filed against it. Is that too fanciful?

> In other words, letting cups-pk-helper run as 'root' (but accept commands from 
> any allowed users) leads to a user-to-lpadmin privilege escalation. At least, 
> it defers access control away from CUPS to cups-pk-helper.
> 
> If cups-pk-helper runs as root, could it not drop privileges, and run the CUPS 
> commands as the originating user?

Or use the CUPS API for cancelling jobs. s-c-p probably does it because
there is no problem with this when it uses c-p-h.

-- 
Brian.
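
The configuration change discussed in this thread can be checked for mechanically. The following is an added example, not part of the thread and not CUPS or cups-pk-helper code: it scans the text of a cups-files configuration for SystemGroup entries and reports any group other than lpadmin. The function names, the sample configuration, and the parsing rules (case-insensitive directive names, `#` starting a comment) are assumptions made for illustration.

```python
# Added example: audit cups-files configuration text for SystemGroup entries.

# Assumption: lpadmin is the only group expected to administer CUPS.
EXPECTED_GROUPS = {"lpadmin"}


def system_groups(conf_text):
    """Return [(line_no, group)] for every group named on a SystemGroup line."""
    found = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        # Assumption: '#' starts a comment, whole-line or trailing.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        # Assumption: directive names are matched case-insensitively.
        if parts[0].lower() == "systemgroup":
            found.extend((line_no, group) for group in parts[1:])
    return found


def audit(conf_text):
    """Return [(line_no, group, reason)] for groups outside EXPECTED_GROUPS."""
    findings = []
    for line_no, group in system_groups(conf_text):
        if group == "root":
            reason = ("root in SystemGroup: a helper running as root is "
                      "treated as a CUPS administrator")
        elif group not in EXPECTED_GROUPS:
            reason = "unexpected administrative group"
        else:
            continue
        findings.append((line_no, group, reason))
    return findings


# Constructed sample input, not taken from the thread.
SAMPLE = """\
# constructed sample
FileDevice No
SystemGroup lpadmin root
#SystemGroup wheel
systemgroup sys   # trailing comment
"""

if __name__ == "__main__":
    for line_no, group, reason in audit(SAMPLE):
        print(f"line {line_no}: {group}: {reason}")
```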

