[redhat-lspp] Re: cups userspace -- trusted programs?
Michael C Thompson
thompsmc at us.ibm.com
Mon Jun 5 19:29:25 UTC 2006
Linda Knippers wrote:
>>> I don't think they should be considered a source for leaking
>>> information. The only thing I see isn't a leak so much as a
>>> (extremely low bandwidth) covert channel of "is the printer enabled
>>> or disabled?" Since the use of these programs is restricted, we're
>>> covered under no-evil-admin.
>>
>> How are these restricted? Or rather, how are they supposed to be
>> restricted? I am able to cupsenable, cupsdisable, accept and reject
>> my printer as a non-root user under both permissive and enforcing
>> modes.
>
> To which groups does your user account belong?
uid=500(mcthomps) gid=500(mcthomps) groups=500(mcthomps)
context=user_u:user_r:user_t:SystemLow
> By default, cups
> will allow anyone in group sys to perform administrative functions
> but this is configurable in cupsd.conf. We'll have to decide
> whether allowing sys group members is ok or we'll have to modify
> the cupsd.conf for the evaluated config. I suspect we'll modify
> cupsd.conf.
I've butchered my cupsd.conf pretty badly, so it could be a result of
that. I've not tried doing this with a fresh install, but if it works on
your end, I'll assume it's my config mangling.
Mike
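
An added example, not part of the original message and not CUPS code: a small audit that reads a cupsd.conf and reports which of the operations behind cupsenable, cupsdisable, accept and reject are not covered by a `Require` directive. It assumes the CUPS 1.2-style `<Policy>`/`<Limit>` syntax, only checks that a `Require` is present (not whether its value is strict enough), and runs on a constructed sample configuration.

```python
import re
# IPP operations sent by cupsenable/cupsdisable and accept/reject.
ADMIN_OPS = ("Pause-Printer", "Resume-Printer", "CUPS-Accept-Jobs", "CUPS-Reject-Jobs")

def audit_cupsd_conf(text):
    """Return (system_groups, open_ops); open_ops lists (policy, operation)
    pairs that no <Limit> carrying a Require directive covers."""
    groups, policies = [], {}   # policies: name -> {operation or "All": Require value}
    policy = limit_ops = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tag = re.match(r"<(/?)(Policy|Limit)\b\s*([^>]*)>", line, re.I)
        if tag:
            closing, name, args = tag.group(1), tag.group(2).lower(), tag.group(3).split()
            if name == "policy":
                policy = args[0] if args and not closing else None
                if policy:
                    policies.setdefault(policy, {})
            elif policy:        # a <Limit> only counts inside a <Policy>
                limit_ops = None if closing else args
                for op in limit_ops or []:
                    policies[policy].setdefault(op, None)
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "systemgroup":
            groups.extend(value.split())
        elif key == "require" and policy and limit_ops:
            for op in limit_ops:
                policies[policy][op] = value
    # An operation that no <Limit> names explicitly falls back to <Limit All>.
    open_ops = [(name, op) for name, limits in policies.items() for op in ADMIN_OPS
                if limits.get(op, limits.get("All")) is None]
    return groups, open_ops

# Constructed sample: the second <Limit> has lost its Require line.
SAMPLE = """\
SystemGroup sys
<Policy default>
  <Limit Pause-Printer Resume-Printer>
    Require user @SYSTEM
  </Limit>
  <Limit CUPS-Accept-Jobs CUPS-Reject-Jobs>
    Order deny,allow
  </Limit>
</Policy>
"""
print(audit_cupsd_conf(SAMPLE))
```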