please support less restricted root backend permissions #2935
Comments
CUPS.org User: mike First, this should be an enhancement request, not a bug report. Second, I don't know whether we will make this change since it has serious security issues. IMHO any integrity checker needs to run as root as well.
CUPS.org User: martin.pitt.canonical I am curious, what are those "serious security issues"? Built binaries from open source software are hardly that secret? (And if you do local s3kr1t modifications, nobody stops you from chmoding them to 700). Feel free to drop the Makefile part of the patch. The more important issue is to run backends with 744 permissions as root as well.
CUPS.org User: mike The main security issue is that some system files/directories are restricted to provide necessary security, but a non-root tool will not be able to validate them - you would be missing a fairly significant portion of sensitive system/log files... Also, it is fairly easy to accidentally install with partial execute permissions, which would lead to accidental running of the backends as root with your patch. Anyways, don't expect any change (if we do decide to make a change) until CUPS 1.5 at the earliest.
CUPS.org User: martin.pitt.canonical Posted updated patch which also checks for group/other writeability.
But in principle that is the same in the current version as well, just the particularly tested privileges are a bit different (if you install backends with umask 077, you'd get backends installed as root as well). That's why we are using distro packages, or at least "make install" instead of setting up files by hand, right? :-)
CUPS.org User: martin.pitt.canonical Updated patch, missed the identical test in deviced.
CUPS.org User: mike Fixed in Subversion repository. The final patch allows group read and execute, but not group write.
Attachment "str2935.patch":
Index: scheduler/cups-deviced.c --- scheduler/cups-deviced.c (revision 11775)
cupsDirClose(dir);
Index: scheduler/job.c --- scheduler/job.c (revision 11775)
Version: 2.0-feature
CUPS.org User: martin.pitt.canonical
At the moment, backends which run as root need to be 0700, i.e. not have any privileges for group or others. This is very rigid and e.g. prevents system integrity checkers, bug report scripts, and other tools from verifying the contents of those backends (and also violates the Debian Policy). Distribution packages should not ship binaries which are not world readable, since anyone can just download the package and get it from there.
Would you consider relaxing the check in scheduler/job.c a bit?
this could become
so that it is possible to install those backends with 744 permissions.
Preferably the backends should be installed with 744 mode as well, but if you don't like that, upstream could stay with installing them as 700 (distros can easily adapt the permissions in their build scripts without patching the source).
Thanks for considering,
Martin
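The two permission rules argued over in this issue, as an added example that is not CUPS's own code (function and enum names are mine): the strict 0700-only rule the report describes beside the relaxed rule the final patch settles on, where group read and execute are allowed but group write is not. Refusing a world-writable binary outright instead of merely demoting it is an assumption that goes beyond the thread.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
/* Outcome of the check; names are mine, not cupsd's. */
enum backend_priv { BACKEND_REJECT = -1, BACKEND_UNPRIVILEGED = 0, BACKEND_ROOT = 1 };

/* Rule as the issue describes it: only a root-owned 0700 binary runs as
 * root; any group or other bit demotes it to the unprivileged CUPS user. */
int backend_privilege_strict(uid_t owner, mode_t mode)
{
  mode_t perm = mode & 0777;
  return (owner == 0 && (perm & (S_IRWXG | S_IRWXO)) == 0)
           ? BACKEND_ROOT : BACKEND_UNPRIVILEGED;
}

/* Rule the thread converges on: root-owned and not group-writable runs as
 * root; group/other read and execute are fine, so 0744 and 0755 pass.
 * Refusing a world-writable binary outright (not just demoting it) is my addition. */
int backend_privilege(uid_t owner, mode_t mode)
{
  mode_t perm = mode & 0777;
  if (perm & S_IWOTH)
    return BACKEND_REJECT;
  return (owner == 0 && !(perm & S_IWGRP)) ? BACKEND_ROOT : BACKEND_UNPRIVILEGED;
}

/* stat() a real backend and apply the relaxed rule; missing or non-regular files are refused. */
int backend_privilege_path(const char *path)
{
  struct stat st;
  if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
    return BACKEND_REJECT;
  return backend_privilege(st.st_uid, st.st_mode);
}

static const char *priv_name(int p)
{
  return p == BACKEND_ROOT ? "root" : p == BACKEND_UNPRIVILEGED ? "unprivileged" : "reject";
}
int main(void)
{
  /* Constructed sample modes for a root-owned file; shows where the two rules differ. */
  mode_t modes[] = { 0700, 0744, 0755, 0775, 0777 };
  for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++)
    printf("%04o: strict=%-12s relaxed=%s\n", (unsigned)modes[i],
           priv_name(backend_privilege_strict(0, modes[i])),
           priv_name(backend_privilege(0, modes[i])));
  return 0;
}
```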