[Casper] non-admin printer access
Ryan Harter
rharter at uwsp.edu
Wed Apr 8 19:50:55 PDT 2009
Well, in theory, yes. But one thing I remember reading was them
saying PPDs could fire off the arbitrary code. I thought PPDs were
just a description of the printer, but they can tell CUPS if there are
any programs (perhaps for formatting, it's been about a year since my
work with CUPS) that need to be run on the job before it gets sent to
the backend. I could be wrong, but I think I remember Adobe doing
something with this.
That would allow you to put a program on your desktop, and also a PPD
setup to fire off that program, then add a printer and tell it to use
that PPD, which doesn't need to be installed, and then it will fire
off the program in the alternate user context.
Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716
Ryan.Harter at uwsp.edu
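The PPD concern raised above (a PPD telling cupsd to run a program on every job sent to the queue) can be checked for from the administrator's side. The script below is an added example, not code from this thread: it flags *cupsFilter, *cupsFilter2 and *cupsPreFilter lines whose program is anything other than a stock filter, run here over a constructed sample PPD; the filter directory, the function names and the sample are assumptions.

```python
import os
import re

# Assumed stock filter directory on Mac OS X; Linux CUPS builds use /usr/lib/cups/filter.
SYSTEM_FILTER_DIR = "/usr/libexec/cups/filter"

# *cupsFilter:, *cupsFilter2: and *cupsPreFilter: all name the program last, e.g.
#   *cupsFilter: "application/vnd.cups-raster 100 rastertofoo"
FILTER_RE = re.compile(r'^\*(cupsFilter2?|cupsPreFilter)\s*:\s*"([^"]*)"', re.M)

def suspicious_filters(ppd_text, filter_dir=SYSTEM_FILTER_DIR):
    """Return (keyword, program, reason) for each filter line not using a stock filter."""
    findings = []
    for keyword, value in FILTER_RE.findall(ppd_text):
        fields = value.split() or ["-"]
        program = fields[-1]
        if program == "-" or "/" not in program:
            continue  # "-" means no filter; a bare name is looked up in filter_dir
        clean = os.path.normpath(program)
        if os.path.isabs(clean):
            if clean.startswith(filter_dir + os.sep):
                continue  # explicit path, but still inside the stock directory
            reason = "absolute path outside filter dir"
        else:
            reason = "relative path with directory component"
        findings.append((keyword, program, reason))
    return findings

def audit_ppd_dir(directory):
    """Check the PPD of every installed queue (cupsd keeps copies in /etc/cups/ppd)."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".ppd"):
            with open(os.path.join(directory, name), errors="replace") as fh:
                hits = suspicious_filters(fh.read())
            if hits:
                report[name] = hits
    return report

# Constructed sample (not a real driver): two ordinary filter lines and one
# that points the queue at a program under a user's home directory.
SAMPLE_PPD = """*PPD-Adobe: "4.3"
*cupsFilter: "application/vnd.cups-raster 100 rastertofoo"
*cupsFilter: "application/vnd.cups-postscript 0 -"
*cupsFilter2: "application/pdf application/vnd.cups-raster 50 /Users/someone/Desktop/runme"
"""
```

A bare filter name is only as trustworthy as the filter directory's permissions, so pair this with a check that the directory is root-owned and not group- or world-writable.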
On Apr 8, 2009, at 9:50 PM, Jeff Strauss wrote:
> That's what I remember reading... But wouldn't installing a printer
> that OS X already has drivers for negate that danger? Installing a
> printer via the method we're discussing and installing a new print
> driver use two different methods, right? In other words, even if you
> allow a standard user to install printers via cupsd.conf
> modification, installing a driver would still require admin privs,
> wouldn't it?
>
> Sent from my iPhone
>
> On Apr 8, 2009, at 7:32 PM, "Ryan Harter" <rharter at uwsp.edu> wrote:
>
>> The security risk is that when you install a printer, the backend,
>> or even the PPD can run code. A malicious user could potentially
>> write a "printer driver" and then install the printer and, when
>> printed to, it would execute that code as root (or at least the lp
>> user, I'm not really sure).
>>
>> This was actually a pretty big vulnerability from what I've read.
>> I did some work with the printing system and emailed quite a bit
>> with Michael Sweet (the guy who invented cups), he seems to think
>> it's a good idea.
>>
>>
>> Ryan Harter
>> UW - Stevens Point
>> Workstation Developer
>> 715.346.2716
>> Ryan.Harter at uwsp.edu
>>
>> On Apr 8, 2009, at 7:17 PM, Jeff Strauss wrote:
>>
>>> Did you kill cupsd? I usually restart instead of a killall. Should
>>> work. BTW, what security hole was supposed to be fixed by
>>> requiring admins to install printers?
>>>
>>> Sent from my iPhone
>>>
>>> On Apr 8, 2009, at 1:31 PM, "Thomas Larkin" <tlarki at kckps.org>
>>> wrote:
>>>
>>>> I just edited the /etc/cups/cupsd.conf file to allow non admins
>>>> access to install printers and it did not work. Am I missing
>>>> something?
>>>>
>>>>
>>>> ___________________________
>>>> Thomas Larkin
>>>> TIS Department
>>>> KCKPS USD500
>>>> tlarki at kckps.org
>>>> blackberry: 913-449-7589
>>>> office: 913-627-0351
>>>>
>>>> >>> "Gibson, Robb" <RobbGibson at OfficeMax.com> 04/08/09 1:54 PM >>>
>>>> Thanks Steve, I’ll give it a whirl!
>>>>
>>>> It’s probably worth mentioning to everyone that a similar
>>>> discussion took place back in December and Ryan Harter observed
>>>> that the reason that CUPS requires an admin authorization for
>>>> adding and removing printers was to close a security hole in the
>>>> OS.
>>>>
>>>>
>>>> On 4/8/09 1:15 PM, "Steve Wood" <swood at integerdallas.com> wrote:
>>>>
>>>> Easiest way I know to do it, short of an Apple supplied script/
>>>> method, would be to delete/move the printers.conf file and
>>>> restart cups:
>>>>
>>>> #!/bin/bash
>>>> #
>>>> # Name: removeallprinters.sh
>>>> # Date: 4-3-09
>>>> # Author: Steve Wood (swood at integerdallas.com)
>>>> #
>>>> # This script will move the current printers.conf file to
>>>> # printers.conf.old so we can remove all printers from the machine.
>>>>
>>>> # give the backup an absolute path so it stays next to the original
>>>> # instead of landing in whatever the current working directory is
>>>> mv /etc/cups/printers.conf /etc/cups/printers.conf.old
>>>>
>>>> # now restart cupsd
>>>> killall -HUP cupsd
>>>>
>>>> exit 0
>>>>
>>>>
>>>> Steve Wood
>>>> Director of IT
>>>> swood at integerdallas.com
>>>>
>>>> The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
>>>> T 214.758.6813 | F 214.758.6901 | C 940.312.2475
>>>>
>>>>
>>>> On Wed, Apr 8, 2009 at 1:00 PM, Gibson, Robb <RobbGibson at officemax.com> wrote:
>>>> Tiger’s Printer Setup Utility has a PrintingReset.sh command
>>>> within its contents folder, is anyone aware of a similar
>>>> command within Leopard client? I’d love to provide our end users
>>>> with a Self Service policy for blowing away any printers they’ve
>>>> acquired and then simply add new ones (again through Self
>>>> Service) based on their location in our organization.
>>>>
>>>> We’ve gone the route of modifying the cups.conf file, but the
>>>> next security update or OS update always seems to fix it again.
>>>>
>>>>
>>>> Robb Gibson
>>>> System Engineer - eMMS, Publishing Systems
>>>> OfficeMax : 263 Shuman Blvd. : Naperville, IL 60563
>>>> (630) 864-5242
>>>>
>>>> On 4/3/09 3:56 PM, "Jeff Strauss" <jstrauss at loyolahs.edu> wrote:
>>>>
>>>> I know you weren’t implying you didn’t have to leave it
>>>> unmodified. So, you’re right: that’s a faster and better way
>>>> to allow them to add printers. :)
>>>>
>>>>
>>>> On 4/3/09 1:44 PM, "Jeff Strauss" <jstrauss at loyolahs.edu> wrote:
>>>>
>>>> True; AddPrinter.app will bring up the same dialogue you’ll find
>>>> if you add a printer from the Print menu of an app. However,
>>>> you’ll still need to modify cupsd.conf since a standard user
>>>> will still be asked to authenticate as an admin.
>>>>
>>>> On 4/3/09 1:33 PM, "Bryan Vines" <bkvines at wgclawfirm.com> wrote:
>>>>
>>>> Jeff,
>>>>
>>>> I think a lot of folks are thinking that modifying the CUPS
>>>> configuration file will allow users to add printers via System
>>>> Preferences -- I know that's what I thought until I started
>>>> reading deeper.
>>>>
>>>> I have discovered if you want to give users quick access to
>>>> adding printers, instead of sending them to a print dialog, you
>>>> can place an alias to /System/Library/CoreServices/AddPrinter.app
>>>> in their dock or on their desktop.
>>>>
>>>> --
>>>> Bryan Vines
>>>> Systems Administrator
>>>> Watts Guerra Craft LLP
>>>>
>>>>
>>>> On Apr 3, 2009, at 2:00 PM, casper-request at list.jamfsoftware.com wrote:
>>>>
>>>> Date: Fri, 3 Apr 2009 09:04:07 -0700
>>>> From: Jeff Strauss <jstrauss at loyolahs.edu>
>>>> Subject: Re: [Casper] non-admin printer access..
>>>>
>>>> Yep. Like I mentioned to John just a second ago off-list, users
>>>> still can't add printers via System Prefs, but they can add it
>>>> from the print dialogue of any app.
>>>>
>>>>
>>>> Jeffrey A. Strauss
>>>> Department of Educational Technology
>>>> Systems Administrator
>>>> Loyola High School of Los Angeles
>>>> 1901 Venice Blvd.
>>>> Los Angeles, Ca 90006
>>>> (213) 381-5121 x265
>>>>
>>>> Apple Certified Support Professional
>>>> Apple Certified Technical Coordinator
>>>>
>>>> Please consider the environment before printing this e-mail.
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Casper mailing list
>>>> Casper at list.jamfsoftware.com
>>>> http://list.jamfsoftware.com/mailman/listinfo/casper
>>>>