[nneonneo]

To be precise: you don't need to be in the sudo group, but in the lpadmin group. I'm not familiar with how Ubuntu groups are set up, but I guess it's likely that lpadmin is only granted to administrators by default.

That said, I'm guessing people aren't expecting lpadmin to mean a full privilege escalation to root.

There are two bugs here: one in cups, which allows it to chmod anything 777 (doesn't properly check for symlinks, or for the failure of bind), and one in wpa_supplicant, which lets it load arbitrary .so files as root. However, I suspect that even if these bugs are fixed, having access to lpadmin will still be a powerful enough primitive to escalate to root given the rather sizable attack surface of cups.

[justmarc]

It became crystal clear that cups is a can of worms, and it would be prudent to completely replace it with with a new solution built from the ground up, ideally using modern tools and standards.

[compsciphd]

or just sandbox cups. There's no reason cups needs to write anything beyond its "configuration" and its "print spool". And hence, shouldn't have access to anything beyond what it needs to configure itself and print.

thing like cups should be easy to sandbox, especially if we allow dbus like APIs as a means to cross sandbox boundaries (i.e. RPC mechanism).

and by sandbox, I dont mean simply use apparmor type rules (though that can work), but a cups that lives within its own file system and nothing else is even visible.

i.e. programs will always be buggy, even if we get rid of all language oriented bugs, there will still be logic bugs that will result in security holes. We just need to make it easy to isolate programs (and services) into their own sandboxes while retaining the ability for them to interact (as otherwise, lose much of the value of modern systems).

In practice, I would argue, a lot of modern systems do this already (ala ios/android). The apps run sandboxed and only have restricted abilities to interact with each other.

[jabl]

That's sort-of the direction they're going with CUPS 3. The 'local server', which is what most people will need, runs as a normal user, not root, doesn't listen on the internet, and talks only the IPP everywhere protocol. For supporting legacy printers, there will be separate sandboxed 'printer applications' which read in IPP Everywhere, run the driver code, and communicate with the backend printer using an appropriate protocol.

For enterprise users there will be a separate 'sharing server'.

https://ftp.pwg.org/pub/pwg/liaison/openprinting/presentatio...

[nox101]

I'd prefer they make it the default to not install it. I don't need to print from Linux. I don't print from Windows nor MacOS much either. Less than once a year. But I particularly don't print from Linux. I suspect that true for most people. cups shouldn't be a default install IMO

[pxc]

> I don't print from Windows nor MacOS much either. Less than once a year.

Many Linux users and developers don't run anything else. If they're to print at all it'll be from Linux.

[nox101]

that's fine. They can install it. I suspect the actual number of computers running linux that need to able to print be less than 1 of 20.

[cherryteastain]

And that new solution will have only 70% of cups' features 15 years in with tons of gotchas in everyday use cases, like wayland

[pzmarzly]

> new solution will have only 70% of cups' features 15 years

Which sounds fine? Most people don't want LPT printers support, they want AirPrint and WSD to just work.

[ale42]

How many percent is "most" people? What about enterprise users with complex setups/requirements, will they be supported or out-of-luck? Typically you'll have print servers with centralized authentication, possibly logging/auditing/billing, any this might depend on "the" component they'll leave out in the new product because, well, most people don't care about it...

[JadeNB]

> How many percent is "most" people? What about enterprise users with complex setups/requirements, will they be supported or out-of-luck? Typically you'll have print servers with centralized authentication, possibly logging/auditing/billing, any this might depend on "the" component they'll leave out in the new product because, well, most people don't care about it...

But the old, complex cups doesn't go away if a new, sandboxed version is developed, so the people who want the complexities can evaluate whether the security trade-off is worth it, and use it anyway if so.

[nikanj]

Using modern tools and standards? So build with node.js, runs like a pig, only supports the three models made by the sponsoring company?

[Loudergood]

You honestly think you can do it without Electron?

[jabl]

Well it's your lucky day, they're working on rearchitecting cups to be, among other things, more secure. See https://ftp.pwg.org/pub/pwg/liaison/openprinting/presentatio...

[panarky]

What if you don't need cups because you don't print anything?

Just sudo apt remove cups right?

No, because cups is a dependency of the entire graphical subsystem, just removing cups also removes everything from the Nautilus file manager to Firefox to ubuntu-desktop itself.

[normie3000]

Any idea why that is?!

[jbarrs]

This might be wrong, but based on my own experience of Ubuntu effectively uninstalling itself when I tried to remove a single package.

I think most of the default software gets installed as one large package group, rather than as individual pieces of software. Only the group is marked as manually installed, but the individual programs pulled in by that group are marked as automatically installed. If you try to apt install something you already have as part of the default distro software, you'll usually see a message saying something like "marked as manually installed."

When you go to uninstall one program from the group, that one program is uninstalled as requested, but the group itself has to be marked as uninstalled, since you've removed one of that group's "dependencies" and thus can no longer satisfy that group's installation requirements. You now have a load of software that was automatically installed as dependencies of another package, but are no longer dependencies of any manually-installed packages. The next time you run apt autoremove, it'll remove all of those automatically-installed components and leave you with an almost bare system.

[DiggyJohnson]

If it's printable...? Perhaps?

[cozzyd]

systemd-printd incoming