Re: [redhat-lspp] Re: cups userspace -- trusted programs?

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Michael C Thompson <thompsmc@us.ibm.com>
To: Linda Knippers <linda.knippers@hp.com>
Cc: redhat-lspp@redhat.com, Linux Audit <linux-audit@redhat.com>
Subject: Re: [redhat-lspp] Re: cups userspace -- trusted programs?
Date: Mon, 05 Jun 2006 14:29:25 -0500	[thread overview]
Message-ID: <44848615.6060500@us.ibm.com> (raw)
In-Reply-To: <44847D9D.1010402@hp.com>

Linda Knippers wrote:
>>> I don't think they should be considered a source for leaking
>>> information.  The only thing I see isn't a leak so much as a
>>> (extremely low bandwidth) covert channel of "is the printer enabled
>>> or disabled?" Since the use of these programs is restricted, we're
>>> covered under no-evil-admin.
>>  
>> How are these restricted? Or rather, how are they supposed to be
>> restricted? I am able to cupsenable, cupsdisable, accept and reject
>> my printer as a non-root user under both permissive and enforcing
>> modes.
> 
> To which groups does your user account belong?

uid=500(mcthomps) gid=500(mcthomps) groups=500(mcthomps) 
context=user_u:user_r:user_t:SystemLow

 > By default, cups
> will allow anyone in group sys to perform administrative functions
> but this is configurable in cupsd.conf.  We'll have to decide
> whether allowing sys group members is ok or we'll have to modify
> the cupsd.conf for the evaluated config.  I suspect we'll modify
> cupsd.conf.

I've butchered my cupsd.conf pretty badly, so it could be a result of 
that. I've not tried doing this with a fresh install, but if it works on 
your end, I'll assume it's my config mangling.

Mike

     prev parent reply	other threads:[~2006-06-05 19:29 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-05-31 20:06 cups userspace -- trusted programs? Michael C Thompson
2006-05-31 22:54 ` Linda Knippers
2006-06-01 16:29   ` [redhat-lspp] " Michael C Thompson
2006-06-05 18:10     ` Matt Anderson
2006-06-05 18:25       ` Michael C Thompson
2006-06-05 18:53         ` [redhat-lspp] " Linda Knippers
2006-06-05 19:29           ` Michael C Thompson [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=44848615.6060500@us.ibm.com \
    --to=thompsmc@us.ibm.com \
    --cc=linda.knippers@hp.com \
    --cc=linux-audit@redhat.com \
    --cc=redhat-lspp@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.