cupsaddsmb leaves password in cleartext on harddisk when no drivers are installed #2779

Closed
michaelrsweet opened this issue Mar 31, 2008 · 2 comments
@michaelrsweet michaelrsweet commented Mar 31, 2008

Version: 1.2.7
CUPS.org User: larso_64

I am an OpenBSD-user (at home) and recently installed smb-support for cups (so cups exports the printer to samba).

When running cupsaddsmb in debug-mode I noticed that it started rpcclient in a mode that requested login and password from a file on a local disk!

This must be mentioned in man (8) cupsaddsmb as a real security threat!

There are two solutions - either ask for password again or advise the user to change root password to an easy one with both passwd and smbpasswd before running cupsaddsmb. Afterwards users can change it back to the normal complex one.

@michaelrsweet michaelrsweet commented Mar 31, 2008

CUPS.org User: mike

First, the temporary file is created so only the owner can read the file.

Second, the method is the recommended one by the Samba folks and was a recommended change by an OpenBSD person (we used to pass the username and password on the command-line...)

So, we aren't going to change this behavior - it is working as designed.

That said, I did find one instance (when no drivers are installed) which did not remove the temporary file. A fix is attached and will be part of the next CUPS 1.3.x release.
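
The owner-only temporary file and the missed removal discussed above, as an added C example that is not part of the original thread and is not CUPS code. The function name `export_with_authfile`, its parameters, the `/tmp/authXXXXXX` template and the `username = ` / `password = ` file layout are assumptions for illustration; every exit after the file is created goes through one cleanup label, so no early return can leave the credentials behind.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not CUPS code): write credentials to an owner-only
 * temp file, do the work, and remove the file on every exit path.
 * Returns 1 on success, 0 on failure; path_out and mode_out let a caller
 * audit the file name and the permission bits it was created with. */
int export_with_authfile(const char *user, const char *pass, int have_drivers,
                         char *path_out, size_t path_len, mode_t *mode_out)
{
  char        authfile[] = "/tmp/authXXXXXX";  /* constructed sample path */
  struct stat st;
  int         fd, status = 0;
  mode_t      old_umask;

  old_umask = umask(077);   /* in case mkstemp() does not force mode 0600 */
  fd = mkstemp(authfile);   /* exclusive create with an unpredictable name */
  umask(old_umask);
  if (fd < 0)
    return (0);             /* nothing was created, nothing to remove */

  snprintf(path_out, path_len, "%s", authfile);

  if (fstat(fd, &st) != 0)
    goto cleanup;
  *mode_out = st.st_mode & 0777;

  if (dprintf(fd, "username = %s\npassword = %s\n", user, pass) < 0)
    goto cleanup;

  if (!have_drivers)        /* the early-exit case from this issue */
    goto cleanup;

  /* ... a real tool would run its child process with the file here ... */
  status = 1;

cleanup:                    /* single exit: no path can skip the removal */
  close(fd);
  if (unlink(authfile) != 0)
    status = 0;             /* report a leftover credentials file */
  return (status);
}
```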

@michaelrsweet michaelrsweet commented Mar 31, 2008

"str2779.patch":

Index: cups/adminutil.c

--- cups/adminutil.c (revision 7410)
+++ cups/adminutil.c (working copy)
@@ -808,6 +808,9 @@
if (have_drivers == 0)
{
_cupsSetError(IPP_NOT_FOUND, message);
+

  • unlink(authfile);

return (0);
}
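
Review bot: the unlink(authfile) added before return (0) in the have_drivers == 0 branch ignores the call's result, so a failed removal would still leave the credentials file on disk with nothing reported to the caller; check the return value and report or log a failure. Removal handled separately on each return path is easy to miss, as this branch shows, so consider sending every exit taken after authfile is created through one cleanup point instead.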
