Re: Bug#262402: Severity of bug #259993

To: "J.H.M. Dassen (Ray)" <fsmla@xinara.org>
Cc: 262402@bugs.debian.org, debian-qa@lists.debian.org, Volker Behr <vrbehr@cip.physik.uni-wuerzburg.de>
Subject: Re: Bug#262402: Severity of bug #259993
From: Matt Zimmerman <mdz@debian.org>
Date: Sun, 1 Aug 2004 09:18:25 -0700
Message-id: <[🔎] 20040801161825.GE4156@alcor.net>
Mail-followup-to: "J.H.M. Dassen (Ray)" <fsmla@xinara.org>, 262402@bugs.debian.org, debian-qa@lists.debian.org, Volker Behr <vrbehr@cip.physik.uni-wuerzburg.de>
In-reply-to: <[🔎] 20040801100512.GA9595@xinara.org>
References: <20040801041258.GC4156@alcor.net> <[🔎] Pine.LNX.4.21.0408011107110.27922-100000@hal.pp.fishpool.fi> <[🔎] 20040801100512.GA9595@xinara.org>

On Sun, Aug 01, 2004 at 12:05:12PM +0200, J.H.M. Dassen (Ray) wrote:

> If cups-pdf invoked on behalf of a regular user is actually run with root
> privileges (I haven't checked), then -dSAFER only alleviates the security
> problems resulting from that situation, but it certainly doesn't end them,
> as sensitive information could easily be leaked; consider a simple .ps
> program that reads a file (say /etc/shadow) and prints its contents.

Indeed.  Based on the description of the program, I do not see justification
for using root privileges.

-- 
 - mdz

Reply to:

References:
- Re: Bug#262402: Severity of bug #259993
  - From: Martin-Éric Racine <q-funk@iki.fi>
- Re: Bug#262402: Severity of bug #259993
  - From: "J.H.M. Dassen (Ray)" <fsmla@xinara.org>

Prev by Date: Re: FWD: Squirrelmail XSS + SQL security bug?
Next by Date: Re: Is James R Van Zandt MIA?
Previous by thread: Re: Bug#262402: Severity of bug #259993
Next by thread: Re: FWD: Squirrelmail XSS + SQL security bug?
Index(es):
- Date
- Thread