[Casper] non-admin printer access
Ryan Harter
rharter at uwsp.edu
Wed Apr 8 19:27:33 PDT 2009
The security risk is that when you install a printer, the backend, or
even the PPD can run code. A malicious user could potentially write a
"printer driver" and then install the printer and, when printed to, it
would execute that code as root (or at least the lp user, I'm not
really sure).
This was actually a pretty big vulnerability from what I've read. I
did some work with the printing system and emailed quite a bit with
Michael Sweet (the guy who invented CUPS); he seems to think it's a
good idea.
Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716
Ryan.Harter at uwsp.edu
On Apr 8, 2009, at 7:17 PM, Jeff Strauss wrote:
> Did you kill cupsd? I usually restart instead of a killall. Should
> work. BTW, what security hole was supposed to be fixed by requiring
> admins to install printers?
>
> Sent from my iPhone
>
> On Apr 8, 2009, at 1:31 PM, "Thomas Larkin" <tlarki at kckps.org> wrote:
>
>> I just edited the /etc/cups/cupsd.conf file to allow non admins
>> access to install printers and it did not work. Am I missing
>> something?
>>
>>
>> ___________________________
>> Thomas Larkin
>> TIS Department
>> KCKPS USD500
>> tlarki at kckps.org
>> blackberry: 913-449-7589
>> office: 913-627-0351
>>
>>
>>
>>
>>
>> >>> "Gibson, Robb" <RobbGibson at OfficeMax.com> 04/08/09 1:54 PM >>>
>> Thanks Steve, I’ll give it a whirl!
>>
>> It’s probably worth mentioning to everyone that a similar
>> discussion took place back in December and Ryan Harter observed
>> that the reason that CUPS requires an admin authorization for
>> adding and removing printers was to close a security hole in the OS.
>>
>>
>> On 4/8/09 1:15 PM, "Steve Wood" <swood at integerdallas.com> wrote:
>>
>> Easiest way I know to do it, short of an Apple supplied script/method,
>> would be to delete/move the printers.conf file and restart cups:
>>
>> #!/bin/bash
>> #
>> # Name: removeallprinters.sh
>> # Date: 4-3-09
>> # Author: Steve Wood (swood at integerdallas.com)
>> #
>> # This script will move the current printers.conf file to
>> # printers.conf.old so we can remove all printers from the machine.
>>
>> # Keep the backup beside the original in /etc/cups; a bare file name
>> # would land in whatever directory the script happens to run from.
>> mv /etc/cups/printers.conf /etc/cups/printers.conf.old
>>
>> # now restart cupsd
>> killall -HUP cupsd
>>
>> exit 0
>>
>>
>>
>>
>>
>>
>> Steve Wood
>> Director of IT
>> swood at integerdallas.com
>>
>> The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
>> T 214.758.6813 | F 214.758.6901 | C 940.312.2475
>>
>>
>> On Wed, Apr 8, 2009 at 1:00 PM, Gibson, Robb <RobbGibson at officemax.com> wrote:
>> Tiger’s Printer Setup Utility has a PrintingReset.sh command
>> within its contents folder, is anyone aware of a similar command
>> within Leopard client? I’d love to provide our end users with a
>> Self Service policy for blowing away any printers they’ve acquired
>> and then simply add new ones (again through Self Service) based on
>> their location in our organization.
>>
>> We’ve gone the route of modifying the cups.conf file, but the next
>> security update or OS update always seems to fix it again.
>>
>>
>> Robb Gibson
>> System Engineer - eMMS, Publishing Systems
>> OfficeMax : 263 Shuman Blvd. : Naperville, IL 60563
>> (630) 864-5242
>>
>>
>>
>>
>> On 4/3/09 3:56 PM, "Jeff Strauss" <jstrauss at loyolahs.edu> wrote:
>>
>> I know you weren’t implying you didn’t have to leave it
>> unmodified. So, you’re right: that’s a faster and better way to
>> allow them to add printers. :)
>>
>>
>> On 4/3/09 1:44 PM, "Jeff Strauss" <jstrauss at loyolahs.edu> wrote:
>>
>> True; AddPrinter.app will bring up the same dialogue you’ll find
>> if you add a printer from the Print menu of an app. However,
>> you’ll still need to modify cupsd.conf since a standard user will
>> still be asked to authenticate as an admin.
>>
>> On 4/3/09 1:33 PM, "Bryan Vines" <bkvines at wgclawfirm.com> wrote:
>>
>> Jeff,
>>
>> I think a lot of folks are thinking that modifying the CUPS
>> configuration file will allow users to add printers via System
>> Preferences -- I know that's what I thought until I started reading
>> deeper.
>>
>> I have discovered if you want to give users quick access to adding
>> printers, instead of sending them to a print dialog, you can place
>> an alias to /System/Library/CoreServices/AddPrinter.app in their
>> dock or on their desktop.
>>
>> --
>> Bryan Vines
>> Systems Administrator
>> Watts Guerra Craft LLP
>>
>>
>> On Apr 3, 2009, at 2:00 PM, casper-request at list.jamfsoftware.com wrote:
>>
>> Date: Fri, 3 Apr 2009 09:04:07 -0700
>> From: Jeff Strauss <jstrauss at loyolahs.edu>
>> Subject: Re: [Casper] non-admin printer access..
>>
>> Yep. Like I mentioned to John just a second ago off-list, users
>> still can't add printers via System Prefs, but they can add it from
>> the print dialogue of any app.
>>
>>
>>
>>
>> Jeffrey A. Strauss
>> Department of Educational Technology
>> Systems Administrator
>> Loyola High School of Los Angeles
>> 1901 Venice Blvd.
>> Los Angeles, Ca 90006
>> (213) 381-5121 x265
>>
>> Apple Certified Support Professional
>> Apple Certified Technical Coordinator
>>
>> Please consider the environment before printing this e-mail.
>>
>> _______________________________________________
>> Casper mailing list
>> Casper at list.jamfsoftware.com
>> http://list.jamfsoftware.com/mailman/listinfo/casper
> <ATT00001.txt>
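An added example, not part of the original thread and not Apple's or the CUPS project's code: a check of which principals a cupsd.conf policy allows to add printers, the setting the quoted messages describe editing. The function names, the pattern of principals counted as administrators, and the two sample files are assumptions constructed for illustration.

```shell
# audit_cups_policy FILE [ADMIN_RE]: report every <Limit> block that names
# CUPS-Add-Modify-Printer. Returns 0 = admin-only, 1 = weak, 2 = no such block.
# ADMIN_RE is an assumption of this example: principals counted as admins.
CUPS_ADMIN_RE='^(@SYSTEM|@admin|@lpadmin|@AUTHKEY[(].*[)])$'
audit_cups_policy() {
    awk -v admin="${2:-$CUPS_ADMIN_RE}" '
    /^[ \t]*#/ { next }                                   # skip comments
    /^[ \t]*<Policy[ \t]/ { policy = $2; sub(/>$/, "", policy) }
    /^[ \t]*<Limit[ \t]/ {                                # start of a block
        hit = 0; req = ""; start = NR
        ops = $0; gsub(/[<>]/, " ", ops)
        n = split(ops, op, /[ \t]+/)
        for (i = 1; i <= n; i++) if (op[i] == "CUPS-Add-Modify-Printer") hit = 1
        next
    }
    hit && $1 == "Require" { req = $0; sub(/^[ \t]*Require[ \t]+/, "", req) }
    hit && /^[ \t]*<\/Limit>/ {                           # end: classify it
        found = 1; why = ""
        n = split(req, p, /[ \t]+/)
        if (req == "")            why = "no Require line"
        else if (p[1] != "user")  why = "Require " p[1]   # e.g. valid-user
        else for (i = 2; i <= n; i++) if (p[i] !~ admin)
            why = (why == "" ? "non-admin principal " : why ",") p[i]
        if (why == "") print "OK   policy=" policy " line=" start ": Require " req
        else { weak = 1; print "WEAK policy=" policy " line=" start ": " why }
        hit = 0
    }
    END { exit (found ? weak + 0 : 2) }' "$1"
}

# Constructed samples (not from the thread): a stock-style block and an edit
# that adds a non-admin group, one way the change discussed might look.
write_samples() {
    cat > "$1/stock.conf" <<'EOF'
<Policy default>
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Set-Default>
    AuthType Default
    Require user @AUTHKEY(system.print.admin) @admin @lpadmin
    Order deny,allow
  </Limit>
</Policy>
EOF
    sed 's/ @lpadmin$/ @lpadmin @staff/' "$1/stock.conf" > "$1/edited.conf"
}

tmp=$(mktemp -d) && write_samples "$tmp"
for f in stock edited; do audit_cups_policy "$tmp/$f.conf" || echo "rc=$? for $f.conf"; done
rm -rf "$tmp"
```

Run against a copy of /etc/cups/cupsd.conf after each OS or security update to see whether the policy was reset or still carries a local edit.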