Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Information disclosure in CUPS 1.3.x #2751

Closed
michaelrsweet opened this issue Mar 12, 2008 · 3 comments
Closed

Information disclosure in CUPS 1.3.x #2751

michaelrsweet opened this issue Mar 12, 2008 · 3 comments
Labels
priority-high
Milestone
Stable

Comments

@michaelrsweet
Copy link
Collaborator

Version: 1.3.6
CUPS.org User: twaugh.redhat

When a job is submitted for a printer with an ipp://... URI, and the IPP backend cannot proceed because the remote IPP instance requires auth-info, the job cannot be authenticated.

Details:

  1. Set up a CUPS server on the network and share a queue using CUPS Browsing. Add this policy fragment:
AuthType Basic Require valid-user

so that authentication is required before a job can be submitted.

  1. Configure a CUPS 1.3.6 client to discover browsed printers using CUPS Browsing
  2. On this client machine, submit a print job to the browsed queue. The job will stop because authentication is required.
  3. Send a CUPS-Authenticate-Job IPP request for that job to the client, with auto-info set to the correct values.
  4. The job restarts but stops again as in step 3. The authentication details were not given to the CUPS server.

There are two things wrong:

A. The IPP backend does not try to send authentication details unless it is running as root, and the scheduler does not run it as root even if it sets authentication details in the environment.

B. The IPP backend is looking in the environment for AUTH_USERNAME and AUTH_PASSWORD, but the scheduler sets CUPSD_AUTH_USERNAME and CUPSD_AUTH_PASSWORD.

Attached is a fix for the second problem.
@michaelrsweet
Copy link
Collaborator Author

CUPS.org User: mike

Your patch is wrong - scheduler/job.c sets the environment to AUTH_foo, not CUPSD_AUTH_foo.

That said, the environment logging code is looking for CUPS_AUTH_foo, which is wrong...

As for the IPP backend not running as root, verify that the permissions of /usr/lib/cups/backend/ipp are 0700...

@michaelrsweet
Copy link
Collaborator Author

"cups-ipp-auth.patch":

diff -up cups-1.3.6/backend/ipp.c~ cups-1.3.6/backend/ipp.c
--- cups-1.3.6/backend/ipp.c~ 2008-03-05 15:40:11.000000000 +0000
+++ cups-1.3.6/backend/ipp.c 2008-03-12 12:55:20.000000000 +0000
@@ -544,12 +544,12 @@ main(int argc, /* I - Number of comm
* Try loading authentication information from the environment.
*/

  • const char *ptr = getenv("AUTH_USERNAME");
  • const char *ptr = getenv("CUPSD_AUTH_USERNAME");

if (ptr)
cupsSetUser(ptr);

  • password = getenv("AUTH_PASSWORD");
  • password = getenv("CUPSD_AUTH_PASSWORD");
    }

/*

@michaelrsweet
Copy link
Collaborator Author

"str2751.patch":

Index: scheduler/job.c

--- scheduler/job.c (revision 7376)
+++ scheduler/job.c (working copy)
@@ -3166,8 +3166,8 @@
envp[envc] = NULL;

for (i = 0; i < envc; i ++)

  • if (!strncmp(envp[i], "CUPSD_AUTH_", 5))
  •  cupsdLogMessage(CUPSD_LOG_DEBUG, "[Job %d] envp[%d]=\"CUPSD_AUTH_%c****\"",
  • if (!strncmp(envp[i], "AUTH_", 5))
  •  cupsdLogMessage(CUPSD_LOG_DEBUG, "[Job %d] envp[%d]=\"AUTH_%c****\"",
               job->id, i, envp[i][5]);
    else if (strncmp(envp[i], "DEVICE_URI=", 11))
    cupsdLogMessage(CUPSD_LOG_DEBUG, "[Job %d] envp[%d]="%s"",

@michaelrsweet michaelrsweet added this to the Stable milestone Mar 17, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
priority-high
Projects
None yet
Milestone
Stable
Development

No branches or pull requests
1 participant
@michaelrsweet