CUPS 1.1.19 does not drop privileges properly

Alexander E. Patrakov semzx at
Sun Jul 13 03:30:05 PDT 2003

Today I discovered a potential security hole in CUPS 1.1.19. I don't know any 
meaningful exploit but I didn't search well.

Here is a piece of cups-1.1.19.bad/scheduler/client.c
    if (getuid() == 0)
    {
     /*
      * Running as root, so change to a non-priviledged user...
      */

      if (setgid(Group))
        ...

      if (setuid(User))
        ...
    }

   /*
    * Reset group membership to just the main one we belong to.
    */

    setgroups(0, NULL);

The setgroups call always fails since it is executed after setuid. As a result, 
the CGI scripts called by CUPS run with uid=lp, gid=lp, and (unwanted) 
supplementary groups=0(root). This potential vulnerability can be closed by 
moving the setgroups call from the bottom to the top of the quoted code.

Note that this bug is present in the current CUPS CVS also.
Alexander E. Patrakov
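
The reordering proposed in the message above, written out with return-value checks and a post-drop verification. This is an added example, not part of the original message and not CUPS code: drop_privileges() and extra_groups() are hypothetical helper names, and gid 7 for lp is an assumed sample value.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Count entries in a supplementary group list that differ from the
 * intended primary gid; a non-zero result means leaked membership. */
int extra_groups(const gid_t *groups, int n, gid_t primary)
{
    int extra = 0;
    for (int i = 0; i < n; i++)
        if (groups[i] != primary)
            extra++;
    return extra;
}

/* Drop from root to uid/gid. Returns 0 on success (or when not root),
 * -1 if any step fails or the result cannot be verified. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t list[64];
    int n;

    if (getuid() != 0)
        return 0;                         /* nothing to drop */

    /* Order matters: setgroups() needs root, so it must come first. */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0)        return -1;
    if (setuid(uid) != 0)        return -1;

    /* Verify: root must not be recoverable and no extra groups remain. */
    if (setuid(0) == 0)          return -1;
    n = getgroups(64, list);
    if (n < 0 || extra_groups(list, n, gid) != 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample: the state described in the message,
     * gid=lp (7 is an assumed value) with supplementary group 0. */
    gid_t leaked[] = { 0 };
    printf("leaked groups: %d\n", extra_groups(leaked, 1, 7));
    return 0;
}
```

Checking every return value is what turns the silent setgroups failure described in the message into a refusal to continue.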
