Bug 509588 - Passwords in printer URIs are shown to normal users.
Summary: Passwords in printer URIs are shown to normal users.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-printer
Version: 11
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Tim Waugh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 516998
Reported: 2009-07-03 19:33 UTC by Bruno Wolff III
Modified: 2009-10-09 03:33 UTC (History)

Fixed In Version: 1.1.13-3.fc11
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-09 03:33:21 UTC



Description Bruno Wolff III 2009-07-03 19:33:54 UTC
Description of problem:
A normal user can use system-config-printer to see what password is used to connect to a network printer. This should be restricted to admin type access (root or policy kit equivalent).

Version-Release number of selected component (if applicable):
system-config-printer-1.1.8-3.fc11.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Set up a connection to a Windows printer using authentication
2. As a normal user run system-config-printer and look at the printer properties.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Tim Waugh 2009-07-06 11:00:56 UTC
I don't see this here.  CUPS "sanitises" device URIs before handing them to system-config-printer, so if there is information leakage it is a CUPS bug.

Can you please explain how to reproduce what you're seeing, step-by-step?  Thanks.

Comment 2 Bruno Wolff III 2009-07-08 19:33:18 UTC
I found I was doing something that's possibly off the beaten path.
An update last week broke DNS for some apps and I didn't notice the true problem right away. The first thing I noticed was that printing was broken. While trying to work on this I ended up selecting "Set authentication details now" instead of "Prompt user if authentication is required". Trying out the latter again results in a displayed URI without the password. But when I change the setup again using the former, the password does show up in the URI.
Is that enough information for you to duplicate the issue?

Comment 3 Tim Waugh 2009-07-10 15:51:21 UTC
Sorry, I still can't reproduce it from this.  Please tell me which buttons to click, and in which order.. ;-)

Comment 4 Bruno Wolff III 2009-07-10 16:44:28 UTC
First I go to System -> Administration -> Printing from the menu. (I have my system and normal menus combined on the panel.)
Then I double click on the icon for the one printer I have configured that is handled by a Windows server using SMB.
Then I hit the higher of the two change buttons. This one is in line with the Device URI information.
Then I select the Set authentication now radio button.
Then I enter my user name with 'ad/' as part of the username and the password needed to access that printer.
Then I hit verify.
Then I hit apply.
Then I observe my password is shown.

While testing this I discovered that if I don't include 'ad/' the verify still works, but the password isn't shown. If I use 'ad\' then the password also isn't shown but verifies. I also don't need to hit the verify button, so it looks like this is testable even without an smb printer being available.

Example output from the device URI (with a bogus password):
smb://ad/bruno:fhthrthyhn@adprint01.ad.uwm.edu/bol225b_PS

Comment 5 Tim Waugh 2009-07-10 17:11:36 UTC
Ah, OK, I see it now.  Thanks.

Fix committed upstream.  Work-around is to use the CUPS web interface (or lpadmin) to alter the device URI by changing "/" in the username section to "%2F".
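
The failure mode and the "%2F" work-around discussed above, as an added Python illustration that is not part of the bug report and is not the CUPS or system-config-printer code. The function names are hypothetical; the sample URI is the bogus one from comment 4.

```python
from urllib.parse import quote, urlsplit, urlunsplit

# The bogus device URI quoted in comment 4.
LEAKY_URI = "smb://ad/bruno:fhthrthyhn@adprint01.ad.uwm.edu/bol225b_PS"


def naive_sanitise(uri):
    """Hypothetical sanitiser: strip userinfo from the authority only."""
    parts = urlsplit(uri)
    # A generic URI parser ends the authority at the first "/", so for
    # LEAKY_URI the authority is just "ad" and the credentials are
    # parsed as part of the path, where this function never looks.
    host = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def redact_for_display(uri):
    """Hypothetical display filter: drop everything up to the last "@".

    Works even when the userinfo holds an unescaped "/". It over-redacts
    a URI whose path legitimately contains "@", which is the safe
    direction to fail when the output is shown to unprivileged users.
    """
    scheme, sep, rest = uri.partition("://")
    if not sep:
        return uri
    body, qmark, query = rest.partition("?")
    tail = body.rpartition("@")[2]  # whole body when there is no "@"
    return scheme + sep + tail + qmark + query


def build_device_uri(scheme, user, password, host, path):
    """Percent-encode userinfo so "/" becomes "%2F" and stays in the authority."""
    userinfo = quote(user, safe="") + ":" + quote(password, safe="")
    return f"{scheme}://{userinfo}@{host}/{path.lstrip('/')}"


if __name__ == "__main__":
    print("naive    :", naive_sanitise(LEAKY_URI))
    print("redacted :", redact_for_display(LEAKY_URI))
    encoded = build_device_uri("smb", "ad/bruno", "fhthrthyhn",
                               "adprint01.ad.uwm.edu", "bol225b_PS")
    print("encoded  :", encoded)
    print("naive(enc):", naive_sanitise(encoded))
```
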

Comment 6 Fedora Update System 2009-07-28 11:59:16 UTC
system-config-printer-1.1.10-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/system-config-printer-1.1.10-1.fc11

Comment 7 Fedora Update System 2009-07-29 21:33:01 UTC
system-config-printer-1.1.10-1.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update system-config-printer'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8108

Comment 8 Fedora Update System 2009-08-08 19:24:43 UTC
system-config-printer-1.1.11-1.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update system-config-printer'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8108

Comment 9 Fedora Update System 2009-08-27 22:53:00 UTC
system-config-printer-1.1.12-4.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update system-config-printer'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8108

Comment 10 Fedora Update System 2009-08-31 23:34:32 UTC
system-config-printer-1.1.12-6.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update system-config-printer'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8108

Comment 11 Fedora Update System 2009-09-06 20:45:48 UTC
system-config-printer-1.1.12-8.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update system-config-printer'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8108

Comment 12 Fedora Update System 2009-09-15 07:49:02 UTC
system-config-printer-1.1.13-1.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update system-config-printer'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8108

Comment 13 Fedora Update System 2009-09-24 05:08:04 UTC
system-config-printer-1.1.13-2.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update system-config-printer'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8108

Comment 14 Fedora Update System 2009-10-03 19:09:46 UTC
system-config-printer-1.1.13-3.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update system-config-printer'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8108

Comment 15 Fedora Update System 2009-10-09 03:32:00 UTC
system-config-printer-1.1.13-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

