[Casper] non-admin printer access

Ryan Harter rharter at uwsp.edu
Wed Apr 8 20:01:21 PDT 2009


Easy as pie.  You can download a ppd from the web, say, if you need to  
install a printer and that's all it needs.  Or you can just go to  
/Library/Printers/PPDs/Contents/Resources/, pick one, and copy it to  
your desktop.  They are all gz'ed up in there, but you just unzip it  
and it's just a text file; add a ppd extension if you want.  Since you  
copied it, you now have ownership.

In the olden days before Casper on my campus (up until last summer) we  
had loginhooks on the machines that mounted a network share and ran a  
series of scripts.  One of these installed the correct printers if  
they weren't installed, determined by the computer's location in AD,  
and used PPDs that we stored on the servers, not the ones on the local  
machines.

The reason we used PPDs from the server is because we had customized  
them based on the printer's capabilities: duplexing, third tray, etc.   
The lpadmin command lets you add a printer and point it to any ppd  
file; it doesn't have to be in any particular spot, or even on the  
local machine.

Hence, you could easily just copy a ppd out to /Library/..., modify  
it, and then install a printer that uses that ppd.

Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716
Ryan.Harter at uwsp.edu

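The procedure Ryan lays out above (copy a gzipped stock PPD out, unzip it, tweak a default, hand the file to lpadmin), written up as a shell script. This is an added example, not code from the thread, from Apple, or from the CUPS project. It also carries the check his earlier message in this thread calls for: a PPD is not only a description, because a *cupsFilter line names a program CUPS runs on every job and a *FoomaticRIPCommandLine is a shell command line, so the script refuses any PPD whose filter is a path rather than a bare filter name. Assumed: the macOS stock PPD directory, lpadmin's -p/-E/-v/-P flags, and /usr/libexec/cups/filter as the filter directory; the sample PPD, the queue name lab_printer and the URI lpd://printer.example/queue are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, Apple or CUPS). Assumes macOS's stock PPD
# directory and lpadmin's -p/-E/-v/-P flags. Everything except the lpadmin call
# itself runs offline on a PPD constructed inline.
set -eu

PPD_DIR=/Library/Printers/PPDs/Contents/Resources   # stock gzipped PPDs on macOS
WORK="${TMPDIR:-/tmp}/ppd-demo.$$"

# Constructed stand-in for one of the gzipped stock PPDs (minimal, not a vendor file).
make_sample_ppd() {
    mkdir -p "$WORK"
    printf '%s\n' \
        '*PPD-Adobe: "4.3"' \
        '*ModelName: "Example Laser"' \
        '*NickName: "Example Laser (demo)"' \
        '*cupsFilter: "application/vnd.cups-raster 0 rastertoexample"' \
        '*OpenUI *Duplex/2-Sided Printing: PickOne' \
        '*DefaultDuplex: None' \
        '*Duplex None/Off: "<</Duplex false>>setpagedevice"' \
        '*Duplex DuplexNoTumble/Long-Edge Binding: "<</Duplex true/Tumble false>>setpagedevice"' \
        '*CloseUI: *Duplex' \
        > "$WORK/Example.ppd"
    gzip -f "$WORK/Example.ppd"
    printf '%s\n' "$WORK/Example.ppd.gz"
}

# Step 1: copy a .gz out of $PPD_DIR and unzip it; the result is a text file you own.
extract_ppd() {  # $1 = source .gz, $2 = destination .ppd
    gunzip -c "$1" > "$2"
    grep -q '^\*PPD-Adobe:' "$2" || return 1   # refuse anything that is not a PPD
}

# Step 2: customize a default (the thread's example is duplexing). $2 must be a
# *Duplex keyword the file already defines, e.g. DuplexNoTumble.
set_default_duplex() {  # $1 = ppd, $2 = new default
    grep -q "^\*Duplex $2/" "$1" || return 1   # unknown value would misconfigure the queue
    sed "s/^\*DefaultDuplex: .*/*DefaultDuplex: $2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# The caveat from the thread: a PPD can name programs CUPS runs on the job.
# Returns 1 if the file should be reviewed by a human before it goes to lpadmin.
audit_ppd_filters() {  # $1 = ppd
    # *FoomaticRIPCommandLine is a shell command line by definition: always review.
    if grep -q '^\*FoomaticRIPCommandLine:' "$1"; then return 1; fi
    # *cupsFilter: "source-type cost program" (cupsFilter2 adds a destination type).
    # The program is meant to be a bare name under /usr/libexec/cups/filter; a path
    # (e.g. a "driver" dropped on someone's Desktop) is the red flag.
    awk -F'"' '/^\*cupsFilter2?:/ { n = split($2, f, " "); if (f[n] ~ "/") bad = 1 }
               END { exit (bad ? 1 : 0) }' "$1"
}

# Step 3: lpadmin accepts any PPD path; it does not have to live under $PPD_DIR.
lpadmin_cmd() {  # $1 = queue name, $2 = device URI, $3 = ppd
    printf 'lpadmin -p %s -E -v %s -P %s\n' "$1" "$2" "$3"
}

# Demo run: pass a real "$PPD_DIR/Vendor.gz" as $1, or let it use the constructed one.
SRC=${1:-$(make_sample_ppd)}
mkdir -p "$WORK"
CUSTOM="$WORK/Custom.ppd"
extract_ppd "$SRC" "$CUSTOM"
set_default_duplex "$CUSTOM" DuplexNoTumble
if audit_ppd_filters "$CUSTOM"; then
    echo "PPD is a plain description; would run:"
    lpadmin_cmd lab_printer lpd://printer.example/queue "$CUSTOM"
else
    echo "PPD names a filter program or path: review it before installing" >&2
fi
```

The audit is deliberately conservative: any Foomatic RIP command line is sent for review even when it is a legitimate vendor one, because the thread's whole point is that the file a non-admin hands to lpadmin decides what runs inside the print pipeline, not the user who printed.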
On Apr 8, 2009, at 9:58 PM, Jeff Strauss wrote:

> If a PPD can be modified without admin privs, that's pretty cool.  
> Thanks for the details. :)
>
> Sent from my iPhone
>
> On Apr 8, 2009, at 7:55 PM, "Ryan Harter" <rharter at uwsp.edu> wrote:
>
>> Well, in theory, yes.  But one thing I remember reading was them  
>> saying PPDs could fire off arbitrary code.  I thought PPDs were  
>> just a description of the printer, but they can tell CUPS if there  
>> are any programs (perhaps for formatting, it's been about a year  
>> since my work with CUPS) that need to be run on the job before it  
>> gets sent to the backend.  I could be wrong, but I think I remember  
>> Adobe doing something with this.
>>
>> That would allow you to put a program on your desktop, and also a  
>> PPD setup to fire off that program, then add a printer and tell it  
>> to use that PPD, which doesn't need to be installed, and then it  
>> will fire off the program in the alternate user context.
>>
>> Ryan Harter
>> UW - Stevens Point
>> Workstation Developer
>> 715.346.2716
>> Ryan.Harter at uwsp.edu
>>
>> On Apr 8, 2009, at 9:50 PM, Jeff Strauss wrote:
>>
>>> That's what I remember reading... But wouldn't installing a  
>>> printer that OS X already has drivers for negate that danger?  
>>> Installing a printer via the method we're discussing and  
>>> installing a new print driver use two different methods, right? In  
>>> other words, even if you allow a standard user to install printers  
>>> via cupsd.conf modification, installing a driver would still  
>>> require admin privs, wouldn't it?
>>>
>>> Sent from my iPhone
>>>
>>> On Apr 8, 2009, at 7:32 PM, "Ryan Harter" <rharter at uwsp.edu> wrote:
>>>
>>>> The security risk is that when you install a printer, the  
>>>> backend, or even the PPD can run code.  A malicious user could  
>>>> potentially write a "printer driver" and then install the printer  
>>>> and, when printed to, it would execute that code as root (or at  
>>>> least the lp user, I'm not really sure).
>>>>
>>>> This was actually a pretty big vulnerability from what I've  
>>>> read.  I did some work with the printing system and emailed quite  
>>>> a bit with Michael Sweet (the guy who invented cups), he seems to  
>>>> think it's a good idea.
>>>>
>>>>
>>>> Ryan Harter
>>>> UW - Stevens Point
>>>> Workstation Developer
>>>> 715.346.2716
>>>> Ryan.Harter at uwsp.edu
>>>>
>>>> On Apr 8, 2009, at 7:17 PM, Jeff Strauss wrote:
>>>>
>>>>> Did you kill cupsd? I usually restart instead of a killall.  
>>>>> Should work. BTW, what security hole was supposed to be fixed by  
>>>>> requiring admins to install printers?
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>> On Apr 8, 2009, at 1:31 PM, "Thomas Larkin" <tlarki at kckps.org> wrote:
>>>>>
>>>>>> I just edited the /etc/cups/cupsd.conf file to allow non admins  
>>>>>> access to install printers and it did not work.  Am I missing  
>>>>>> something?
>>>>>>
>>>>>>
>>>>>> ___________________________
>>>>>> Thomas Larkin
>>>>>> TIS Department
>>>>>> KCKPS USD500
>>>>>> tlarki at kckps.org
>>>>>> blackberry:  913-449-7589
>>>>>> office:  913-627-0351
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> >>> "Gibson, Robb" <RobbGibson at OfficeMax.com> 04/08/09 1:54 PM >>>
>>>>>> Thanks Steve, I’ll give it a whirl!
>>>>>>
>>>>>> It’s probably worth mentioning to everyone that a similar  
>>>>>> discussion took place back in December and Ryan Harter observed  
>>>>>> that the reason that CUPS requires an admin authorization for  
>>>>>> adding and removing printers was to close a security hole in  
>>>>>> the OS.
>>>>>>
>>>>>>
>>>>>> On 4/8/09 1:15 PM, "Steve Wood" <swood at integerdallas.com> wrote:
>>>>>>
>>>>>> Easiest way I know to do it, short of an Apple supplied script/ 
>>>>>> method, would be to delete/move the printers.conf file and  
>>>>>> restart cups:
>>>>>>
>>>>>> #!/bin/bash
>>>>>> #
>>>>>> # Name:  removeallprinters.sh
>>>>>> # Date:  4-3-09
>>>>>> # Author:  Steve Wood (swood at integerdallas.com)
>>>>>> #
>>>>>> # This script moves the current printers.conf file to
>>>>>> # printers.conf.old so we can remove all printers from the machine.
>>>>>> # Must run as root: /etc/cups is not writable by ordinary users.
>>>>>>
>>>>>> set -e
>>>>>>
>>>>>> # Nothing to do if no printers have ever been added.
>>>>>> [ -f /etc/cups/printers.conf ] || exit 0
>>>>>>
>>>>>> # Keep the backup next to the original (a bare "printers.conf.old"
>>>>>> # would land in whatever the current directory happens to be).
>>>>>> mv /etc/cups/printers.conf /etc/cups/printers.conf.old
>>>>>>
>>>>>> # now make cupsd re-read its configuration (SIGHUP reloads it,
>>>>>> # printers.conf included)
>>>>>> killall -HUP cupsd
>>>>>>
>>>>>> exit 0
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Steve Wood
>>>>>> Director of IT
>>>>>> swood at integerdallas.com
>>>>>>
>>>>>> The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
>>>>>> T 214.758.6813 | F 214.758.6901 | C 940.312.2475
>>>>>>
>>>>>>
>>>>>> On Wed, Apr 8, 2009 at 1:00 PM, Gibson, Robb <RobbGibson at officemax.com> wrote:
>>>>>> Tiger’s Printer Setup Utility has a PrintingReset.sh command  
>>>>>> within its Contents folder, is anyone aware of a similar  
>>>>>> command within Leopard client? I’d love to provide our end  
>>>>>> users with a Self Service policy for blowing away any printers  
>>>>>> they’ve acquired and then simply add new ones (again through  
>>>>>> Self Service) based on their location in our organization.
>>>>>>
>>>>>> We’ve gone the route of modifying the cups.conf file, but the  
>>>>>> next security update or OS update always seems to fix it again.
>>>>>>
>>>>>>
>>>>>> Robb Gibson
>>>>>> System Engineer - eMMS, Publishing Systems
>>>>>> OfficeMax  :  263 Shuman Blvd.  :  Naperville, IL 60563
>>>>>> (630) 864-5242
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 4/3/09 3:56 PM, "Jeff Strauss" <jstrauss at loyolahs.edu> wrote:
>>>>>>
>>>>>> I know you weren’t implying you didn’t have to leave it  
>>>>>> unmodified. So, you’re right: that’s a faster and better way  
>>>>>> to allow them to add printers. :)
>>>>>>
>>>>>>
>>>>>> On 4/3/09 1:44 PM, "Jeff Strauss" <jstrauss at loyolahs.edu> wrote:
>>>>>>
>>>>>> True; AddPrinter.app will bring up the same dialogue you’ll  
>>>>>> find if you add a printer from the Print menu of an app.  
>>>>>> However, you’ll still need to modify cupsd.conf since a  
>>>>>> standard user will still be asked to authenticate as an admin.
>>>>>>
>>>>>> On 4/3/09 1:33 PM, "Bryan Vines" <bkvines at wgclawfirm.com> wrote:
>>>>>>
>>>>>> Jeff,
>>>>>>
>>>>>> I think a lot of folks are thinking that modifying the CUPS  
>>>>>> configuration file will allow users to add printers via System  
>>>>>> Preferences -- I know that's what I thought until I started  
>>>>>> reading deeper.
>>>>>>
>>>>>> I have discovered if you want to give users quick access to  
>>>>>> adding printers, instead of sending them to a print dialog, you  
>>>>>> can place an alias to /System/Library/CoreServices/ 
>>>>>> AddPrinter.app in their dock or on their desktop.
>>>>>>
>>>>>> --
>>>>>> Bryan Vines
>>>>>> Systems Administrator
>>>>>> Watts Guerra Craft LLP
>>>>>>
>>>>>>
>>>>>> On Apr 3, 2009, at 2:00 PM, casper-request at list.jamfsoftware.com wrote:
>>>>>>
>>>>>> Date: Fri, 3 Apr 2009 09:04:07 -0700
>>>>>> From: Jeff Strauss <jstrauss at loyolahs.edu>
>>>>>> Subject: Re: [Casper] non-admin printer access..
>>>>>>
>>>>>> Yep. Like I mentioned to John just a second ago off-list, users  
>>>>>> still can't add printers via System Prefs, but they can add it  
>>>>>> from the print dialogue of any app.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Jeffrey A. Strauss
>>>>>> Department of Educational Technology
>>>>>> Systems Administrator
>>>>>> Loyola High School of Los Angeles
>>>>>> 1901 Venice Blvd.
>>>>>> Los Angeles, Ca 90006
>>>>>> (213) 381-5121 x265
>>>>>>
>>>>>>  Apple Certified Support Professional
>>>>>>  Apple Certified Technical Coordinator
>>>>>>
>>>>>> Please consider the environment before printing this e-mail.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Casper mailing list
>>>>>> Casper at list.jamfsoftware.com
>>>>>> http://list.jamfsoftware.com/mailman/listinfo/casper
>>>>>>
>>>>>>
>>>>>>
