On Sun, Aug 01, 2004 at 11:13:44 +0300, Martin-Éric Racine wrote:
> On Sat, 31 Jul 2004, Matt Zimmerman wrote:
> > That is, an attacker could submit a print job containing PostScript
> > commands which, when interpreted by gs, would open files, etc. with the
> > privileges of cups-pdf (apparently, root).
>
> My question here, since Volker's time is currently limited because of his
> work on his thesis, is: will using -dSAFER fix this particular problem, as
> previously suggested, yes or no? If yes, then I could fix that part on my
> own and include the file permission fix from 1.4.1 as well.
-dSAFER is documented as follows:

    Disables the "deletefile" and "renamefile" operators and the ability to
    open files in any mode other than read-only. This is strongly recommended
    for spoolers, conversion scripts or other sensitive environments where a
    badly written or malicious PostScript program code must be prevented from
    changing important files.

If cups-pdf invoked on behalf of a regular user is actually run with root
privileges (I haven't checked), then -dSAFER only alleviates the security
problems resulting from that situation, but it certainly doesn't end them, as
sensitive information could easily be leaked; consider a simple .ps program
that reads a file (say /etc/shadow) and prints its contents.

Ray
-- 
Those who are willing to trade their liberty for security deserve neither.
    Benjamin Franklin
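As an added example (not code from this thread, from cups-pdf or from Ghostscript), a small POSIX sh audit that encodes the distinction made above: -dSAFER removes write/delete/rename from a PostScript job, but only running gs as an unprivileged user keeps a job from reading whatever root can read. The verdict names, the helper functions and the sample ps lines are all constructed for the illustration.

```sh
#!/bin/sh
# Added example, not code from the thread or from cups-pdf: classify how a
# spooler runs gs. Verdicts (constructed for this example):
#   unsafe  - no -dSAFER at all
#   partial - -dSAFER present but gs runs as root (file reads still leak)
#   ok      - -dSAFER present and gs runs as an unprivileged user
classify_gs_invocation() {
    user="$1"      # user name or numeric uid the job runs as
    cmdline="$2"   # full gs command line as one string
    safer=no
    case " $cmdline " in
        *" -dSAFER "*) safer=yes ;;
    esac
    case "$user" in
        root|0) is_root=yes ;;
        *)      is_root=no ;;
    esac
    if [ "$safer" = no ]; then
        echo unsafe
    elif [ "$is_root" = yes ]; then
        echo partial
    else
        echo ok
    fi
}

# Read "user command..." lines (the shape of `ps -eo user=,args=`) on stdin
# and print "<verdict> <user> <command>" for each gs process found.
classify_ps_lines() {
    while read -r user args; do
        case "$args" in
            gs\ *|*/gs\ *) echo "$(classify_gs_invocation "$user" "$args") $user $args" ;;
        esac
    done
}

# Audit the live system (only meaningful on a host with ps and a spooler job
# in flight); not called here so the block runs offline.
audit_running_gs() {
    ps -eo user=,args= | classify_ps_lines
}

# Constructed sample of ps output standing in for a cups-pdf job and a
# second, non-root conversion without -dSAFER:
SAMPLE_PS='root /usr/bin/gs -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=/var/spool/cups-pdf/x.pdf job.ps
lp gs -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=out.pdf job.ps
root /usr/sbin/cupsd'
printf '%s\n' "$SAMPLE_PS" | classify_ps_lines
```

On the sample input the first job is reported as partial (root with -dSAFER) and the second as unsafe (no -dSAFER); the cupsd line is ignored because it is not a gs process.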