Software runs as root

Bug #401107 reported by Fred
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| acpid (Ubuntu) | Invalid | Undecided | Unassigned | |
| bluez (Ubuntu) | Invalid | Undecided | Unassigned | |
| cron (Ubuntu) | Invalid | Undecided | Unassigned | |
| cups (Ubuntu) | Invalid | Undecided | Unassigned | |
| devicekit (Ubuntu) | Invalid | Undecided | Unassigned | |
| devicekit-disks (Ubuntu) | Invalid | Undecided | Unassigned | |
| devicekit-power (Ubuntu) | Invalid | Undecided | Unassigned | |
| dhcp3 (Ubuntu) | Invalid | Undecided | Unassigned | |
| gdm (Ubuntu) | Invalid | Undecided | Unassigned | |
| lightdm (Ubuntu) | Invalid | Undecided | Unassigned | |
| network-manager (Ubuntu) | Invalid | Undecided | Unassigned | |
| ntfs-3g (Ubuntu) | Invalid | Undecided | Unassigned | |
| samba (Ubuntu) | Invalid | Undecided | Unassigned | |
| wpasupplicant (Ubuntu) | Invalid | Undecided | Unassigned | |
| xorg (Ubuntu) | Invalid | Undecided | Unassigned | |
| xorg-server (Ubuntu) | Won't Fix | Wishlist | Unassigned | |

Bug Description

Software runs as root.
This is bad. It should not run as a superuser; it is dangerous in terms of system security. This is unsafe.
It should safely run as a non-privileged user.

Following the principle of least privilege.
http://en.wikipedia.org/wiki/Principle_of_least_privilege

description: updated
tags: added: superuser
description: updated
visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

Thanks for opening this bug report.

Most of the daemons you've listed run as superuser as that is the only way to have the necessary privileges for them to operate correctly. In some cases, the daemons are protected by AppArmor profiles. This is the case with cups and dhcp3.

If you have discovered a way of running some of the daemons you've listed above as a non-root user, without losing functionality, please open a separate bug report for each of them that includes instructions/patches.

Thank you.

Changed in acpid (Ubuntu):
status: New → Invalid
Changed in bluez (Ubuntu):
status: New → Invalid
Changed in cron (Ubuntu):
status: New → Invalid
Changed in devicekit-power (Ubuntu):
status: New → Invalid
Changed in gdm (Ubuntu):
status: New → Invalid
Changed in ntfs-3g (Ubuntu):
status: New → Invalid
Changed in devicekit (Ubuntu):
status: New → Invalid
Changed in dhcp3 (Ubuntu):
status: New → Invalid
Changed in xorg (Ubuntu):
status: New → Invalid
Changed in xorg-server (Ubuntu):
status: New → Invalid
Changed in cups (Ubuntu):
status: New → Invalid
Changed in network-manager (Ubuntu):
status: New → Invalid
Changed in devicekit-disks (Ubuntu):
status: New → Invalid
Changed in samba (Ubuntu):
status: New → Invalid
Changed in wpasupplicant (Ubuntu):
status: New → Invalid
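
The distinction drawn in the comment above, between daemons that run as root under an AppArmor profile (cups, dhcp3) and those that run as root with no confinement, can be checked on a running system. The following is an added example, not code from this bug report or from Ubuntu. It assumes a Linux `/proc` layout and that AppArmor exposes each process's label in `/proc/<pid>/attr/current`; the sample process tree is constructed for the demonstration.

```python
import os
import tempfile

def read_text(path):
    """Read a small /proc file; None if the process exited or access is denied."""
    try:
        with open(path, errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def audit_root_processes(proc_root="/proc"):
    """Return sorted (pid, name, AppArmor label) for userspace processes with euid 0."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        status = read_text(os.path.join(base, "status")) or ""
        fields = dict(l.split(":", 1) for l in status.splitlines() if ":" in l)
        uids = fields.get("Uid", "").split()  # real, effective, saved, filesystem
        if len(uids) < 2 or uids[1] != "0":
            continue
        if not read_text(os.path.join(base, "cmdline")):
            continue  # kernel threads have an empty cmdline; skip them
        label = (read_text(os.path.join(base, "attr", "current")) or "").strip("\x00\n ")
        findings.append((int(entry), fields.get("Name", "?").strip(), label or "unknown"))
    return sorted(findings)

def build_sample_proc(root):
    """Constructed sample data: a fake /proc tree, not taken from a real system."""
    sample = {  # pid: (name, euid, cmdline, AppArmor label)
        2: ("kthreadd", 0, "", "unconfined\n"),
        101: ("cupsd", 0, "/usr/sbin/cupsd\0", "/usr/sbin/cupsd (enforce)\n"),
        102: ("dhclient", 0, "/sbin/dhclient\0eth0\0", "/sbin/dhclient (enforce)\n"),
        103: ("acpid", 0, "/usr/sbin/acpid\0", "unconfined\n"),
        104: ("bash", 1000, "/bin/bash\0", "unconfined\n"),
    }
    for pid, (name, euid, cmdline, label) in sample.items():
        os.makedirs(os.path.join(root, str(pid), "attr"))
        status = f"Name:\t{name}\nUid:\t" + "\t".join([str(euid)] * 4) + "\n"
        for rel, text in (("status", status), ("cmdline", cmdline), ("attr/current", label)):
            with open(os.path.join(root, str(pid), rel), "w") as fh:
                fh.write(text)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_proc(root)
        return audit_root_processes(root)
```

Calling `audit_root_processes()` with no argument reads the live `/proc`; entries reported as `unconfined` are the root processes with no AppArmor profile applied.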
Fred (eldmannen+launchpad) wrote :

If that is the only way, then the software is bad, and needs to be fixed or replaced.

I do not want an insecure and potentially exploitable system because of a setup with badly isolated processes and crappy software that requires superuser privileges.

X.org can be fixed so it won't need to run as root, using kernel mode setting (KMS). OpenBSD is interested in this.
http://www.phoronix.com/scan.php?page=news_item&px=NzM2MA

I don't understand why a network daemon (winbindd from samba) needs root. That is absolutely stupid, and just begging to get hacked.
It can't be much different from an HTTP or FTP server, and running that as root would be stupid.

Several security vulnerabilities were recently discovered in dhcp3. How convenient that it runs as root.
http://www.debian.org/security/2009/dsa-1833

description: updated
Changed in xorg-server (Ubuntu):
status: Invalid → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Feel free to open bugs with upstream software if you think they need fixing. If they need to be replaced, feel free to open bugs here and suggest adequate replacements.

Of course we want to reduce the quantity of software running as root. As such, as soon as it is feasible to run X.org without the setuid bit set, we will.

Our dhcp3 packages provide an AppArmor policy which greatly reduces the risks of running it as root.

Changed in xorg-server (Ubuntu):
importance: Undecided → Wishlist
Bryce Harrington (bryce) wrote :

Upstream video drivers require running as root in order to set the video modes.

Some video driver upstreams (-intel, -ati, -nouveau) are working on moving mode setting to the kernel, which in theory would enable X to run as non-root some day, but consider that Ubuntu works with a range of other video drivers from common ones like -nvidia to rarer ones like -geode, -psb, and -openchrome, all of which are popular in certain user segments but none of which have plans to implement KMS any time soon.

Changed in xorg-server (Ubuntu):
status: Confirmed → Won't Fix
Chris Coulson (chrisccoulson) wrote :

Sigh, please stop doing this. You've been asked not to on more than one occasion already.

no longer affects: accountsservice (Ubuntu)
no longer affects: udisks (Ubuntu)
no longer affects: ubuntu-system-service (Ubuntu)
no longer affects: util-linux (Ubuntu)
Robert Ancell (robert-ancell) wrote :

LightDM must run as root to do authentication correctly and be able to create a user session.

Changed in lightdm (Ubuntu):
status: New → Invalid
Martin Pitt (pitti)
no longer affects: consolekit (Ubuntu)
no longer affects: modemmanager (Ubuntu)
no longer affects: udev (Ubuntu)
no longer affects: upower (Ubuntu)
Fred (eldmannen+launchpad) wrote :

Security vulnerabilities must not be ignored!

Robert,
Can't LightDM use AppArmor or PolicyKit?

This report contains Public Security information  
Everyone can see this security related information.
