
Bug#914370: cups-daemon: AppArmor profile allows cupsd to create setuid binaries under /etc



Control: tags -1 +confirmed +help

On Thursday, 22 November 2018, 19.05:19 h CET debbug@dbwats.plus.com wrote:
> The AppArmor profile supplied with cupsd isn't much use against local
> attackers, as it allows cupsd to create setuid binaries at paths it
> can write to (e.g. under /etc/cups).  Since cupsd is run as root by
> default, these binaries can be setuid root.
> 
> (…)
> 
> In default installations /etc is not on a nosuid mount, so provided
> that they have a suitable exploit, local attackers who are unconfined
> but non-root can use cupsd to create a setuid binary, then run the
> binary themselves to gain unconfined root privileges.

As I only have a vague understanding of AppArmor, I'll welcome help / patches.

@Intri: any insight into how to address this?

Cheers,
    OdyX
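
A defender-side check for the condition described in the quoted report, as an added example that is not part of the original message or of the cups package: it lists setuid/setgid files under a tree such as /etc/cups and reports whether the covering mount is nosuid. The function names and the optional mounts-file argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit a tree for setuid/setgid files and check the mount for nosuid.
# Function names and the optional MOUNTS argument are assumptions for this sketch.
# Usage after sourcing: audit_tree /etc/cups

# list_suid DIR: regular files under DIR with the setuid or setgid bit set.
# -xdev keeps the search on DIR's own filesystem, so one mount check covers all hits.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# mount_opts PATH [MOUNTS]: options of the longest mount point containing PATH.
# MOUNTS defaults to /proc/mounts (fields: device mountpoint fstype options ...).
mount_opts() {
    awk -v p="$1" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); opts = $4 } }
        END { print opts }' "${2:-/proc/mounts}"
}

# has_nosuid PATH [MOUNTS]: succeeds when the covering mount has nosuid.
has_nosuid() {
    case ",$(mount_opts "$1" "${2:-/proc/mounts}")," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_tree DIR [MOUNTS]: print one line per hit (severity, mode, owner, path).
# Returns 1 if hits exist on a mount where the kernel honours the bit, else 0.
audit_tree() {
    dir=$1; mounts=${2:-/proc/mounts}
    hits=$(list_suid "$dir")
    if [ -z "$hits" ]; then return 0; fi
    if has_nosuid "$dir" "$mounts"; then sev=INFO; else sev=ALERT; fi
    printf '%s\n' "$hits" | while IFS= read -r f; do
        printf '%s %s %s\n' "$sev" "$(ls -ld "$f" | awk '{print $1, $3}')" "$f"
    done
    [ "$sev" = INFO ]
}
```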

