From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael C Thompson
Subject: Re: [redhat-lspp] Re: cups userspace -- trusted programs?
Date: Mon, 05 Jun 2006 14:29:25 -0500
Message-ID: <44848615.6060500@us.ibm.com>
References: <447DF735.9090706@us.ibm.com> <447E1EB8.70907@hp.com> <447F15CC.4070308@us.ibm.com> <448473B1.5040501@hp.com> <44847727.6070800@us.ibm.com> <44847D9D.1010402@hp.com>
In-Reply-To: <44847D9D.1010402@hp.com>
Sender: linux-audit-bounces@redhat.com
To: Linda Knippers
Cc: redhat-lspp@redhat.com, Linux Audit
List-Id: linux-audit@redhat.com

Linda Knippers wrote:
>>> I don't think they should be considered a source for leaking
>>> information. The only thing I see isn't a leak so much as a
>>> (extremely low bandwidth) covert channel of "is the printer enabled
>>> or disabled?" Since the use of these programs is restricted, we're
>>> covered under no-evil-admin.
>>
>> How are these restricted? Or rather, how are they supposed to be
>> restricted? I am able to cupsenable, cupsdisable, accept and reject
>> my printer as a non-root user under both permissive and enforcing
>> modes.
>
> To which groups does your user account belong?

uid=500(mcthomps) gid=500(mcthomps) groups=500(mcthomps) context=user_u:user_r:user_t:SystemLow

> By default, cups
> will allow anyone in group sys to perform administrative functions
> but this is configurable in cupsd.conf. We'll have to decide
> whether allowing sys group members is ok or we'll have to modify
> the cupsd.conf for the evaluated config. I suspect we'll modify
> cupsd.conf.

I've butchered my cupsd.conf pretty badly, so it could be a result of
that. I've not tried doing this with a fresh install, but if it works on
your end, I'll assume it's my config mangling.

Mike
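
The check discussed in this message, as an added example that is not part of the original post or of CUPS itself: it reads a cupsd.conf and reports, for each of the four commands named above, which `Require` line (if any) guards the IPP operation that command sends. The sample configuration is constructed for illustration, and `audit` and `ADMIN_OPS` are hypothetical names.

```python
# Constructed sample, not the poster's file: a cupsd.conf whose policy
# leaves the printer state operations without a Require line.
SAMPLE_CONF = """\
SystemGroup sys
<Policy default>
  <Limit Pause-Printer Resume-Printer>
    Order deny,allow
  </Limit>
  <Limit CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
"""

# IPP operations sent by cupsdisable, cupsenable, accept and reject.
ADMIN_OPS = {
    "cupsdisable": "Pause-Printer", "cupsenable": "Resume-Printer",
    "accept": "CUPS-Accept-Jobs", "reject": "CUPS-Reject-Jobs",
}

def audit(conf, policy="default"):
    """Return (SystemGroup members, {command: Require value or None})."""
    groups, limits, in_policy, current = [], {}, False, []
    for raw in conf.splitlines():
        words = raw.strip().strip("<>").split()
        if not words or raw.lstrip().startswith("#"):
            continue
        key, args = words[0].lower(), words[1:]
        if key == "systemgroup":
            groups = args
        elif key == "policy":
            in_policy = args == [policy]
        elif key == "/policy":
            in_policy = False
        elif key == "limit" and in_policy:
            current = [a.lower() for a in args]
            limits.update(dict.fromkeys(current))  # None until a Require is seen
        elif key == "/limit":
            current = []
        elif key == "require":
            for op in current:
                limits[op] = " ".join(args)
    # An operation not listed in any <Limit> falls back to <Limit All>.
    return groups, {cmd: limits.get(op.lower(), limits.get("all"))
                    for cmd, op in ADMIN_OPS.items()}

if __name__ == "__main__":
    groups, findings = audit(SAMPLE_CONF)
    for cmd, req in findings.items():
        print(f"{cmd}: {'Require ' + req if req else 'no Require (unrestricted)'}")
```

A `None` result for a command means the policy places no user or group requirement on it, which is the condition to look for in a hand-edited configuration.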