[Casper] non-admin printer access
Jeff Strauss
jstrauss at loyolahs.edu
Wed Apr 8 19:58:44 PDT 2009
If a PPD can be modified without admin privs, that's pretty cool. Thanks for the details. :)
Sent from my iPhone
On Apr 8, 2009, at 7:55 PM, "Ryan Harter" <rharter at uwsp.edu> wrote:
Well, in theory, yes. But one thing I remember reading was them saying PPDs could fire off arbitrary code. I thought PPDs were just a description of the printer, but they can tell CUPS if there are any programs (perhaps for formatting; it's been about a year since my work with CUPS) that need to be run on the job before it gets sent to the backend. I could be wrong, but I think I remember Adobe doing something with this.
That would allow you to put a program on your desktop, and also a PPD setup to fire off that program, then add a printer and tell it to use that PPD, which doesn't need to be installed, and then it will fire off the program in the alternate user context.
Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716
Ryan.Harter at uwsp.edu
On Apr 8, 2009, at 9:50 PM, Jeff Strauss wrote:
That's what I remember reading... But wouldn't installing a printer that OS X already has drivers for negate that danger? Installing a printer via the method we're discussing and installing a new print driver use two different methods, right? In other words, even if you allow a standard user to install printers via cupsd.conf modification, installing a driver would still require admin privs, wouldn't it?
Sent from my iPhone
On Apr 8, 2009, at 7:32 PM, "Ryan Harter" <rharter at uwsp.edu> wrote:
The security risk is that when you install a printer, the backend, or even the PPD can run code. A malicious user could potentially write a "printer driver" and then install the printer and, when printed to, it would execute that code as root (or at least the lp user, I'm not really sure).
This was actually a pretty big vulnerability from what I've read. I did some work with the printing system and emailed quite a bit with Michael Sweet (the guy who invented CUPS); he seems to think it's a good idea.
Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716
Ryan.Harter at uwsp.edu
On Apr 8, 2009, at 7:17 PM, Jeff Strauss wrote:
Did you kill cupsd? I usually restart instead of a killall. Should work. BTW, what security hole was supposed to be fixed by requiring admins to install printers?
Sent from my iPhone
On Apr 8, 2009, at 1:31 PM, "Thomas Larkin" <tlarki at kckps.org> wrote:
I just edited the /etc/cups/cupsd.conf file to allow non admins access to install printers and it did not work. Am I missing something?
___________________________
Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
blackberry: 913-449-7589
office: 913-627-0351
>>> "Gibson, Robb" <RobbGibson at OfficeMax.com> 04/08/09 1:54 PM >>>
Thanks Steve, I’ll give it a whirl!
It’s probably worth mentioning to everyone that a similar discussion took place back in December and Ryan Harter observed that the reason that CUPS requires an admin authorization for adding and removing printers was to close a security hole in the OS.
On 4/8/09 1:15 PM, "Steve Wood" <swood at integerdallas.com> wrote:
Easiest way I know to do it, short of an Apple supplied script/method, would be to delete/move the printers.conf file and restart cups:
#!/bin/bash
#
# Name: removeallprinters.sh
# Date: 4-3-09
# Author: Steve Wood (swood at integerdallas.com)
#
# This script will move the current printers.conf file to printers.conf.old so we can remove
# all printers from the machine.
#
# /etc/cups is owned by root, so this has to run as root; nothing to do if the file is absent.
[ "$(id -u)" -eq 0 ] || { echo "removeallprinters.sh: must run as root" >&2; exit 1; }
[ -f /etc/cups/printers.conf ] || exit 0
# keep the backup beside the original, not in whatever directory the script was launched from
mv /etc/cups/printers.conf /etc/cups/printers.conf.old
# now tell cupsd to reread its configuration; the printers go away with the file
killall -HUP cupsd
exit 0
Steve Wood
Director of IT
swood at integerdallas.com
The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475
On Wed, Apr 8, 2009 at 1:00 PM, Gibson, Robb <RobbGibson at officemax.com> wrote:
Tiger’s Printer Setup Utility has a PrintingReset.sh command within its Contents folder; is anyone aware of a similar command within Leopard client? I’d love to provide our end users with a Self Service policy for blowing away any printers they’ve acquired and then simply add new ones (again through Self Service) based on their location in our organization.
We’ve gone the route of modifying the cupsd.conf file, but the next security update or OS update always seems to fix it again.
Robb Gibson
System Engineer - eMMS, Publishing Systems
OfficeMax : 263 Shuman Blvd. : Naperville, IL 60563
(630) 864-5242
On 4/3/09 3:56 PM, "Jeff Strauss" <jstrauss at loyolahs.edu> wrote:
I know you weren’t implying you didn’t have to leave it unmodified. So, you’re right: that’s a faster and better way to allow them to add printers. :)
On 4/3/09 1:44 PM, "Jeff Strauss" <jstrauss at loyolahs.edu> wrote:
True; AddPrinter.app will bring up the same dialogue you’ll find if you add a printer from the Print menu of an app. However, you’ll still need to modify cupsd.conf since a standard user will still be asked to authenticate as an admin.
On 4/3/09 1:33 PM, "Bryan Vines" <bkvines at wgclawfirm.com> wrote:
Jeff,
I think a lot of folks are thinking that modifying the CUPS configuration file will allow users to add printers via System Preferences -- I know that's what I thought until I started reading deeper.
I have discovered if you want to give users quick access to adding printers, instead of sending them to a print dialog, you can place an alias to /System/Library/CoreServices/AddPrinter.app in their dock or on their desktop.
--
Bryan Vines
Systems Administrator
Watts Guerra Craft LLP
On Apr 3, 2009, at 2:00 PM, casper-request at list.jamfsoftware.com wrote:
Date: Fri, 3 Apr 2009 09:04:07 -0700
From: Jeff Strauss <jstrauss at loyolahs.edu>
Subject: Re: [Casper] non-admin printer access.
Yep. Like I mentioned to John just a second ago off-list, users still can't add printers via System Prefs, but they can add it from the print dialogue of any app.
Jeffrey A. Strauss
Department of Educational Technology
Systems Administrator
Loyola High School of Los Angeles
1901 Venice Blvd.
Los Angeles, Ca 90006
(213) 381-5121 x265
Apple Certified Support Professional
Apple Certified Technical Coordinator
Please consider the environment before printing this e-mail.
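Two things are argued about above without anyone posting them: the cupsd.conf edit that lets a standard user add printers (Robb, Jeff, Thomas), and the claim that a PPD can make cupsd run a program (Ryan). The script below is an added example, not code from the thread or from Apple/CUPS, and it goes a little beyond the thread: it confines the edit to the one <Limit> block that guards printer administration, validates the result before cupsd is reloaded, and adds the check a practitioner would want once users can supply their own PPDs, namely a scan of the directives in a PPD that name a program for cupsd (or foomatic-rip) to execute. Assumptions, labelled in the code: that Leopard's stock cupsd.conf guards printer administration with a block beginning `<Limit CUPS-Add-Modify-Printer ...` containing `AuthType Default` and `Require user @SYSTEM`; that CUPS filters on Mac OS X live in /usr/libexec/cups/filter; that `cupsd -t -c FILE` syntax-checks a configuration file. The sample PPD and sample cupsd.conf fragment are constructed for the dry run, not taken from a real printer or machine.

```shell
#!/bin/sh
# Added example for the Casper thread; not the list's, Apple's or CUPS's code.
# Assumed (see lead-in): shape of Leopard's printer-admin <Limit> block,
# the filter directory below, and "cupsd -t -c FILE" as a config check.

FILTER_DIR=/usr/libexec/cups/filter

# Print a copy of cupsd.conf ($1) with the AuthType/Require lines of the
# printer-administration <Limit> block commented out. Other blocks, notably
# the one holding job operations to "@OWNER @SYSTEM", are left as they are.
relax_printer_admin_limit() {
  awk '
    /^[[:space:]]*<Limit / && /CUPS-Add-Modify-Printer/ { inblock = 1 }
    inblock && /^[[:space:]]*(AuthType|Require)[[:space:]]/ { print "#" $0; next }
    /^[[:space:]]*<\/Limit>/ { inblock = 0 }
    { print }
  ' "$1"
}

# Apply the change in place with a dated backup, refuse if cupsd rejects the
# result, then ask the running cupsd to reread its configuration.
apply_relaxation() {
  conf=${1:-/etc/cups/cupsd.conf}
  [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
  cp -p "$conf" "$conf.$(date +%Y%m%d).orig"
  relax_printer_admin_limit "$conf" > "$conf.new"
  if command -v cupsd >/dev/null 2>&1 && ! cupsd -t -c "$conf.new"; then
    echo "cupsd rejected the new configuration; original left untouched" >&2
    rm -f "$conf.new"; return 1
  fi
  mv "$conf.new" "$conf"
  killall -HUP cupsd
}

# Report lines of a PPD ($1) that make cupsd run a program from outside the
# filter directory ($2, default FILTER_DIR). cupsFilter/cupsFilter2/cupsPreFilter
# values are quoted; the last word is the program: "-" means no filter, a bare
# name is looked up in the filter directory, an absolute path runs as given.
# FoomaticRIPCommandLine carries a whole shell command line, so it is always
# reported for manual review.
ppd_external_filters() {
  awk -v dir="${2:-$FILTER_DIR}" '
    /^\*cupsFilter2?:/ || /^\*cupsPreFilter:/ {
      s = $0; sub(/^[^"]*"/, "", s); sub(/"[^"]*$/, "", s)
      n = split(s, f, /[[:space:]]+/); prog = f[n]
      if (prog == "-") next
      if (prog ~ /\.\./ || (prog ~ /^\// && index(prog, dir "/") != 1))
        print FILENAME ": external filter: " $0
      next
    }
    /^\*FoomaticRIPCommandLine:/ { print FILENAME ": embedded command line: " $0 }
  ' "$1"
}

# Constructed fragment shaped like the relevant part of Leopard's cupsd.conf
# (assumption; compare with the real file before relying on it).
sample_cupsd_conf() {
  cat <<'EOF'
<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job Cancel-Current-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
EOF
}

# Constructed PPD: one stock filter by name, one by full path, one that points
# into a home directory, and a Foomatic command line.
sample_ppd() {
  cat <<'EOF'
*PPD-Adobe: "4.3"
*ModelName: "Constructed Test Printer"
*cupsFilter: "application/vnd.cups-postscript 0 pstops"
*cupsFilter: "application/vnd.cups-raster 50 /usr/libexec/cups/filter/rastertofoo"
*cupsFilter: "application/pdf 0 /Users/someone/Desktop/notafilter"
*FoomaticRIPCommandLine: "gs -q -dSAFER -sDEVICE=ljet4 -sOutputFile=- -"
EOF
}

case "${1:-}" in
  relax) apply_relaxation "${2:-/etc/cups/cupsd.conf}" ;;
  audit) shift; for p in "$@"; do ppd_external_filters "$p"; done ;;
  demo)  t=$(mktemp); sample_ppd > "$t"; ppd_external_filters "$t"; rm -f "$t" ;;
esac
```

`sh relax.sh demo` prints the two offending lines of the sample; `sh relax.sh audit /etc/cups/ppd/*.ppd` checks the PPDs of the printers actually installed on a machine, which is where a user-supplied PPD ends up once a queue is created. Two caveats of my own, not from the thread: once the <Limit> block is relaxed, every local user can create a queue with any PPD, so the audit is what stands between that and a filter of the user's choosing being run by cupsd; and a narrower alternative that does not touch cupsd.conf, and so is not undone when an update rewrites it, is to add the specific users to the `_lpadmin` group (`dseditgroup -o edit -a USER -t user _lpadmin`), which to my knowledge is one of the groups the file's SystemGroup line maps to `@SYSTEM` on the OS X releases of this era; check that line before relying on it.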
_______________________________________________
Casper mailing list
Casper at list.jamfsoftware.com
http://list.jamfsoftware.com/mailman/listinfo/casper