On 13/09/11 12:30, Laurie Brown wrote:
Here's one of mine (only checked one):
# ls -al /usr/sbin/cupsd
-rwxr-xr-x 1 root root 365592 Jul 27 2009 /usr/sbin/cupsd
Stock Gentoo, stock cupsd install...
Ahh, but cupsd should have needed a couple of security updates since Jul 2009, so maybe Dan is running a newer version than you that, when installed, sets the daemon with tighter permissions.
On a side note, you might want to consider upgrading cups at some point... off the top of my head, there has been a rather nice privilege escalation flaw and one where a rogue IPP client can cause memory corruption in the cupsd process.
The second one would only be of concern if you were on a network shared with others. The first one could allow malicious code root access on your machine so affects you on or off a shared network.
Dan, it might take a bit more work than that, as cupsd tries to open a couple of privileged ports (i.e. <1024) and needs read/write access to bits of /dev to actually talk to local printers. But if the proprietary mess is just a cups filter or something, it might be possible to run cupsd as root and fiddle with things so the filter blob or whatever runs as an lp user.