Security question [#58427]

Kurt Pfeifle kpfeifle at danka.de
Wed May 14 15:55:21 CEST 2003 

Michael Goffioul wrote:

> I'm looking for external opinions. See 
> 
> http://bugs.kde.org/show_bug.cgi?id=58427
> 
> Thanks.
> Michael.


Sorry to be a bit late...

I am not sure if I fully understood everything.


* No idea why the CUPS server was "flooded". But there was a
   bug in an older CUPS version that made this happen from *any*
   client under certain circumstances.... I don't believe this
   is a KDEPrint problem. A CUPS update would proof me right
   or wrong on this assumption.

* I am not sure how the user "changed" user to arrive at
   the problem he describes. Did he click "System Options...
   --> CUPS Server --> (Server Information) --> Account
   Information" ?

* Anyway, I don't think it is a security problem in and of
   itself if switching to another user is possible. It is
   rather a *feature*.
    -- a security problem is, of course if the password is
       displayed in clear text on a window heading, of course.
    -- switching the user sometimes is *required* by certain
       CUPS setups. Not supporting it in KDEPrint would make
       it useless in these environments, and users would need
       to use the CUPS commandline for printing.
    -- if the user knows the other username/passwd combination
       anyway, it is because he either is entitled to use it
       or because he has acquired it by dirty means (or a
       security hole) -- in both cases he can easily use other
       means than kprinter to print jobs (or do worse things).
    -- quotas are of no concern for the same reason. (And quotas
       only make sense if you are using a minimal authentication
       scheme on the CUPS server).
    -- CUPS has several methods at its disposal for authentication.
       One is "HTTP basic". This one does not encrypt passwords,
       it only encodes them.
    -- If CUPS uses "HTTP Digest", it is a separate password
       repository ("lppasswd"), and therefore often also a separate
       password from the normal system password. I think we should
       make it easy to key in once and safe and re-use that
       password for KDEPrint -- just as it is implemented now.

So my plea is from a users' perspective: Don't remove that feature
(to log in as another user to the localhost or a remote CUPS server)
in KDEPrint! It is an important feature. (I admit that I don't
fully understand all the security implications...)

Cheers,
Kurt

More information about the kde-print mailing list