CUPS 1.1.19 does not drop privileges properly

Alexander E. Patrakov semzx at newmail.ru
Sun Jul 13 03:30:05 PDT 2003


Today I discovered a potential security hole in CUPS 1.1.19. I don't know any 
meaningful exploit but I didn't search well.

Here is a piece of cups-1.1.19.bad/scheduler/client.c
--->8---
    if (getuid() == 0)
    {
     /*
      * Running as root, so change to a non-privileged user...
      */

      if (setgid(Group))
        exit(errno);

      if (setuid(User))
        exit(errno);
    }

   /*
    * Reset group membership to just the main one we belong to.
    */

    setgroups(0, NULL);
---8<---

The setgroups call always fails since it is executed after setuid. As a result, 
the CGI scripts called by CUPS run with uid=lp, gid=lp, and (unwanted) 
supplementary groups=0(root). This potential vulnerability can be closed by 
moving the setgroups call from the bottom to the top of the quoted code.

Note that this bug is present in the current CUPS CVS also.
-- 
Alexander E. Patrakov
