[redhat-lspp] Re: cups userspace -- trusted programs?

Michael C Thompson thompsmc at us.ibm.com
Thu Jun 1 16:29:00 UTC 2006 

Linda Knippers wrote:
> Hi Mike,
> 
> Matt is away this week so he'll probably have a more detailed response
> but in the meantime, I have a few comments/questions.
> 
>> I'm wondering if the intent of the cups userspace tools are to be 
>> trusted programs?  Specifically I'm curious about cupsaccept, cupsreject,
>> cupsenable and cupsdisable. The reason I ask is because if they are 
>> supposed to be trusted programs, they don't generate unique audit 
>> messages like other programs.
> 
> I don't think these programs are trusted programs because all they do
> is talk to the cupsd, which is a trusted program.  The cupsd makes
> all the decisions and takes all the actions.  These programs (really
> just 'accept' as the rest I believe are symlinks to it) are not setuid
> and do not make any access or other decisions, at least that's my
> understanding.

You are correct. accept, reject, cupsenable and cupsdisable are all done 
through the accept binary, and it does not responsible for decisions, it 
only facilitate actions. I learned this after reading some code :p

>> Personally, I think these tools should generate messages since they are 
>> a source for leaking information, and therefore should be restricted to 
>> administrators.
> 
> I think the real question is which actions should be audited.  Should
> enabling/disabling a printer queue be audited?  I don't believe its
> required to be and if its not security relevant, do we want it in the
> audit logs?  Cups has a comprehensive logging facility so there is all
> kinds of information about happening with the print subsystem that I
> don't think we want to replicate in the audit logs, but perhaps there
> are more actions that would make sense to audit than we currently are
> auditing.

According to Klaus, this is not strictly speaking required for LSPP. 
Your point about cups logging such actions is well taken (and over 
looked by me initially).

> Do you have specific examples of actions that you think should be
> audited aside from what's required for LSPP?

Aside from what is *required*, I thought it would be a good thing to log 
the queue/printer enable/disable. However, if cups is logging that, I'm 
not sure it is worth being redundant in our logs.

Mike

More information about the Linux-audit mailing list