
List:       kde-core-devel
Subject:    Re: Security question [#58427]
From:       Michael Goffioul <goffioul () imec ! be>
Date:       2003-05-14 11:41:04

> "When cupsdoprint is killed, the kprinter application is displaying a message
> that shows the user id and password it was trying to use."
> 
> If that's true, then that's a security concern. It shouldn't display the
> password. (See also http://bugs.kde.org/show_bug.cgi?id=57366 btw)

This is just debug output, and should be removed, of course.

> I don't see a problem allowing a user to print using another user-id. If the
> user has the credentials to do so, he is apparently allowed to do so.

At first, I allowed to change the username, then reverted it because I
thought this might be misused regarding print quota. Letting the user
change its identity assumes that on the other end, the CUPS server WILL
ask for a password. If the server is not configured to ask for a password,
any user can use any identity to print, it's really "too easy".
For me, it's a very small code change, but I prefer to have external
opinions before making changes.

Michael.

-- 
------------------------------------------------------------------
Michael Goffioul		IMEC-DESICS-MIRA
e-mail: goffioul@imec.be	(Mixed-Signal and RF Applications)
Tel:    +32/16/28-8510		Kapeldreef, 75
Fax:    +32/16/28-1515		3001 HEVERLEE, BELGIUM
------------------------------------------------------------------
This e-mail and/or its attachments may contain confidential
information.  It is intended solely for the intended addressee(s). 
Any use of the information contained herein by other persons is
prohibited.  IMEC vzw does not accept any liability for the contents
of this e-mail and/or its attachments.
------------------------------------------------------------------
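
Added example, not part of the original message or of the KDE/CUPS sources: a cupsd.conf fragment illustrating the server-side condition the message depends on, with the unauthenticated job-submission policy shown beside one that requires a login. The policy syntax assumes CUPS 1.2 or later, and the fragment covers only the job-submission operations, not a complete policy.

```conf
# Illustrative cupsd.conf fragment (added example, CUPS 1.2+ syntax assumed).

# --- Weak: job submission is not authenticated -------------------------
# The server accepts the user name sent by the client as-is, so any
# per-user print quota is charged to whatever name the client supplies.
#
# <Policy default>
#   <Limit Create-Job Print-Job Print-URI Validate-Job>
#     Order deny,allow
#   </Limit>
# </Policy>

# --- Corrected: the server asks for a password before accepting a job --
# With authentication required, the job is attributed to the account
# that actually logged in, not to a name chosen on the client side.
DefaultAuthType Basic

<Policy default>
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    AuthType Default
    Require valid-user
    # Basic authentication sends the password with the request,
    # so require an encrypted connection for these operations.
    Encryption Required
    Order deny,allow
  </Limit>
</Policy>
```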