An HTTP GET request on resources beginning "/rss/" will serve the corresponding file from /var/cache/cups/rss/. This directory has group lp write permission.
The cupsd service runs as root, and follows symlinks when serving files.
A user in the "lp" group is able to create a symlink in /var/cache/cups/rss/ pointing to a local target file which they are not able to read, and can gain read access by fetching the corresponding "/rss/" resource.
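A defensive way to open files for serving from a directory that a less-privileged group can write to, as an added example; it is not the patch discussed in this thread and not CUPS code. The helper name `open_for_serving`, the fixture file names and the world-readable policy are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not CUPS code: open `name` (one plain path component)
 * inside `dir` for serving. Returns an fd, or -1 if it must not be served. */
int open_for_serving(const char *dir, const char *name)
{
    struct stat st;
    int dfd, fd;
    if (name[0] == '\0' || name[0] == '.' || strchr(name, '/')) return -1;
    if ((dfd = open(dir, O_RDONLY | O_DIRECTORY)) < 0) return -1;
    /* O_NOFOLLOW: fail rather than follow a symlink in the last component. */
    fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    close(dfd);
    if (fd < 0) return -1;
    /* fstat() the open descriptor so check and read see the same file. Regular
     * and world-readable only; that also rejects a hard link to a private file. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & S_IROTH)) return fd;
    close(fd);
    return -1;
}

/* Constructed fixture: feed.rss (0644), private (0600), plus a symlink and a
 * hard link to private. Returns a bitmask (bit i set = names[i] was served). */
int demo(void)
{
    char dir[] = "/tmp/rssdemoXXXXXX";
    const char *names[4] = { "feed.rss", "sym.rss", "hard.rss", "private" };
    int i, fd, dfd, served = 0;
    if (!mkdtemp(dir) || (dfd = open(dir, O_RDONLY | O_DIRECTORY)) < 0) return -1;
    umask(022);                         /* so the modes below are as written */
    close(openat(dfd, names[0], O_WRONLY | O_CREAT | O_EXCL, 0644));
    close(openat(dfd, names[3], O_WRONLY | O_CREAT | O_EXCL, 0600));
    symlinkat("private", dfd, names[1]);
    linkat(dfd, "private", dfd, names[2], 0);
    for (i = 0; i < 4; i++) {
        if ((fd = open_for_serving(dir, names[i])) >= 0) {
            served |= 1 << i;
            close(fd);
        }
        unlinkat(dfd, names[i], 0);     /* private goes last: links stay valid */
    }
    close(dfd);
    rmdir(dir);
    return served;
}
```

Because the mode check is made on the opened descriptor and does not depend on the caller's uid, the result is the same whether the process runs as root or as an ordinary user.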
OK, so you're good with the patch? I'd like to release 1.7.4 next week (say, July 10th) if you have no objection.
I'm not sure if any OS's put any user other than "lp" in the "lp" group; I know on OS X the only way you'd be able to take advantage of this is to escalate to root first, making this bug less of an issue (why bother if you have root, right?)