CUPS admin user can execute arbitrary files as *cupsFilter #790
Assume the CUPS admin user is not root.
The easiest case is for a PostScript printer but for any other
copy the PPD for any existing queue from /etc/cups/ppd/.ppd
add the following line to /tmp/myppd
*cupsFilter: "application/vnd.cups-postscript 0 /tmp/mfilter"
Make /tmp/myfilter as you like - for example
echo "I am $( id )" >>/tmp/myfilter.out
Change the queue to use /tmp/myppd.ppd
At least the CUPS admin user can copy any printout this way.
I think this is more than the CUPS admin user should be able to do.
Therefore I suggest that cupsd doesn't execute filters which are
CUPS.org User: mike
This is a known issue, however disabling the functionality would prevent driver developers from installing in alternate locations and referencing them from the PPD file. I believe that this functionality is used by many Apple developers, for example, so we can't change it wholesale.
I don't think this is a realistic security concern, given the user "lp" typically has little or no access to critical resources and that you need administrative privileges to perform the type of attack you outlined. The only time it can affect the printing system configuration is if you use the RunAsUser mode, and that mode has a number of similar side-effects for malicious filters or documents that are passed through the system (which is why we don't use that mode by default...)
If you would like to contribute a patch which adds a "RestrictFilters" option (or a list of allowed paths, or something like that), we will consider it for inclusion in CUPS 1.2.
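
The reply above mentions a list of allowed paths as one possible restriction. As an added example (not code from CUPS or from this thread), the same idea can be applied offline as an audit that flags `*cupsFilter` programs resolving outside an allowed directory. The directory `/usr/lib/cups/filter`, the function names and the sample PPD fragment are assumptions made for illustration; `*cupsFilter2` lines are covered as well.

```python
import posixpath
import re

# Assumption: the CUPS filter directory on this system; adjust per distribution.
ALLOWED_DIRS = ("/usr/lib/cups/filter",)

# *cupsFilter:  "source/type cost program"
# *cupsFilter2: "source/type dest/type cost program"
FILTER_RE = re.compile(r'^\*cupsFilter(2?):\s*"([^"]*)"', re.MULTILINE)


def filter_programs(ppd_text):
    """Yield the program field of every *cupsFilter / *cupsFilter2 line."""
    for m in FILTER_RE.finditer(ppd_text):
        nfields = 4 if m.group(1) else 3
        fields = m.group(2).split(None, nfields - 1)
        if len(fields) == nfields:
            yield fields[-1].strip()


def resolve(program, filter_dir):
    """Relative names are looked up in the filter directory; collapse any '..'.
    Symlinks are not followed here; use os.path.realpath on a live system."""
    return posixpath.normpath(posixpath.join(filter_dir, program))


def disallowed_filters(ppd_text, allowed_dirs=ALLOWED_DIRS):
    """Return resolved filter paths that fall outside every allowed directory."""
    bad = []
    for program in filter_programs(ppd_text):
        path = resolve(program, allowed_dirs[0])
        # Compare against "dir/" so that "/usr/lib/cups/filterX" does not pass.
        if not any(path.startswith(d.rstrip("/") + "/") for d in allowed_dirs):
            bad.append(path)
    return bad


# Constructed sample PPD fragment (not taken from a real queue).
SAMPLE_PPD = '''*PPD-Adobe: "4.3"
*cupsFilter: "application/vnd.cups-raster 100 rastertoexample"
*cupsFilter: "application/vnd.cups-postscript 0 /tmp/mfilter"
*cupsFilter: "application/vnd.cups-pdf 0 ../../../../tmp/other"
'''

if __name__ == "__main__":
    for path in disallowed_filters(SAMPLE_PPD):
        print("filter outside allowed directories:", path)
```

Run over the files in the PPD directory, a non-empty result identifies queues whose filter would be executed from a location outside the allowed list.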