Security question [#58427]
Michael Goffioul
goffioul at imec.be
Wed May 14 12:41:04 BST 2003
> "When cupsdoprint is killed, the kprinter application is displaying a message
> that shows the user id and password it was trying to use."
>
> If that's true, then that's a security concern. It shouldn't display the
> password. (See also http://bugs.kde.org/show_bug.cgi?id=57366 btw)
This is just debug output, and should be removed, of course.
> I don't see a problem allowing a user to print using another user-id. If the
> user has the credentials to do so, he is apparantly allowed to do so.
At first, I allowed to change the username, than reverted it because I
thought this might be misused regarding print quota. Letting the user
change its identity assumes that on the other end, the CUPS server WILL
ask for a password. If the server is not configured to ask for a password,
any user can use any identity to print, it's really "too easy".
For me, it's a very small code change, but I prefer to have external
opinions before making changes.
Michael.
--
------------------------------------------------------------------
Michael Goffioul IMEC-DESICS-MIRA
e-mail: goffioul at imec.be (Mixed-Signal and RF Applications)
Tel: +32/16/28-8510 Kapeldreef, 75
Fax: +32/16/28-1515 3001 HEVERLEE, BELGIUM
------------------------------------------------------------------
This e-mail and/or its attachments may contain confidential
information. It is intended solely for the intended addressee(s).
Any use of the information contained herein by other persons is
prohibited. IMEC vzw does not accept any liability for the contents
of this e-mail and/or its attachments.
------------------------------------------------------------------
More information about the kde-core-devel
mailing list