Bug 146593

Summary: cups-config-daemon allows unprivileged user to create a print queue
Product: [Fedora] Fedora Reporter: Robert Nichols <rnichols42>
Component: hal-cups-utilsAssignee: John (J5) Palmieri <johnp>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 3CC: jkeck
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-01-31 15:26:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Robert Nichols 2005-01-30 05:59:56 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3)
Gecko/20041020

Description of problem:
When a currently unconfigured USB printer is connected to the system,
a popup dialog appears prompting for the selection of a driver.  There
is no check for authorization.  An unprivileged user should not be
allowed to create a print queue.

Until this problem is corrected, cups-config-daemon should not be run
on any system where security of the printer configuration is a concern.


Version-Release number of selected component (if applicable):
hal-cups-utils-0.5.2-8

How reproducible:
Always

Steps to Reproduce:
1. Turn on or connect a currently unconfigured USB printer.


Additional info:

Comment 1 John (J5) Palmieri 2005-01-31 15:26:24 UTC
I fail to see how this is any different from mounting a disk, burning
to a cd or attaching a camera to a computer.  Risk is limited and
behavior can be modified by a sysadmin.

Comment 2 Robert Nichols 2005-01-31 18:15:26 UTC
When you unmount a disk or unplug a camera, the system goes back to
its previous state.  The added print queue, on the other hand,
persists until a system administrator removes it.

Comment 3 John (J5) Palmieri 2005-01-31 18:27:53 UTC
Ah, that is a bug.