Log/conf files not accessible via web interface when not world-readable #4461
Comments
CUPS.org User: twaugh.redhat Note that this is the case for authenticated requests.
CUPS.org User: twaugh.redhat Here's a patch that works for me. Now 'cupsctl -U root' works, and 'View Error Log' in the web interface works when logged in.
diff -up cups-1.7.4/scheduler/client.c.str4461 cups-1.7.4/scheduler/client.c
if (!status && !(filestats->st_mode & S_IROTH))
/*
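Review bot: the visible condition `if (!status && !(filestats->st_mode & S_IROTH))` tests the file mode alone, with nothing in it tied to whether the client authenticated, which is why an authenticated GET for a non-world-readable error_log or cupsd.conf is refused as the report describes; only this one context line of the patch survived extraction, so the replacement condition cannot be reviewed here, and it needs checking that the patch narrows this test (to authenticated requests, or to files cupsd did not write itself) rather than dropping the S_IROTH check for every resource, since that check is the STR #4455 fix.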
CUPS.org User: odyx Indeed, that's been reported in Debian as https://bugs.debian.org/757964. Mike: can you confirm inclusion of this patch?
CUPS.org User: mike Didier, no, at the moment I am hip-deep in PWG stuff (face-to-face meeting with OpenPrinting), so you should expect that I will not be doing anything with this bug until next week at the earliest.
CUPS.org User: mike P3 because this doesn't happen with the default settings we ship with.
CUPS.org User: odyx Sure, no problem. I'll ship it as-is for Debian then.
CUPS.org User: mike Fixed in Subversion repository. The changes whitelist any cupsd-generated file, limit /admin/conf access to cupsd.conf, and change the copy_model function to treat PPD files as config files (so they now use the ConfigFilePerm setting). Please let me know if you see any problems with the change - the patch applies cleanly to 1.7.x but we currently do not plan on releasing another 1.7.x with the change...
CUPS.org User: twaugh.redhat Is there a reason rss files aren't permitted? It means RSS feeds can't be accessed.
CUPS.org User: twaugh.redhat How about something like this for checking /rss/ resources? Also, should the /icons/ check be stricter? It looks like you might get free access to CacheDir that way.
CUPS.org User: mike Tim, the correct fix for RSS would be to make them world-readable. Second patch for that is attached.
CUPS.org User: twaugh.redhat Oh. Doesn't that potentially expose job-private information? I'm thinking of sites that have access control on /rss/.
CUPS.org User: mike None of the RSS readers I've used support authentication, but for that we can just make CacheDir mode 770 so that only cupsd and the filters can read it directly.
"str4461.patch": Index: scheduler/client.c--- scheduler/client.c (revision 12112)
/* if (!strncmp(con->uri, "/ppd/", 5) && !strchr(con->uri + 5, '/'))
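Review bot: the /ppd/ whitelist test `if (!strncmp(con->uri, "/ppd/", 5) && !strchr(con->uri + 5, '/'))` limits the match to a single path component under the prefix, so "/ppd/sub/x" and "/ppd/../..." forms fall through to the normal checks; the same `!strchr(..., '/')` constraint should be applied to every other prefix this patch whitelists, since an /icons/ rule without it hands out anything under CacheDir, which is the concern twaugh raises below. Only this one context line of the client.c hunk is visible, so the other whitelisted prefixes cannot be checked here.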
Index: scheduler/ipp.c--- scheduler/ipp.c (revision 12112)
@@ -4623,7 +4622,7 @@
unlink(tempfile);
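Review bot: this copy_model hunk at `@@ -4623,7 +4622,7 @@` is where the commit comment says PPD files now use the ConfigFilePerm setting, but only the `unlink(tempfile);` context line is visible, so it cannot be confirmed from the page that the mode passed when the PPD is written changed from the previous value to ConfigFilePerm; that one-line change should be verified against the claim, and the "PPD files are config files" behaviour noted in the cupsd.conf documentation for ConfigFilePerm.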
"str4461p2.patch": Index: notifier/rss.c--- notifier/rss.c (revision 12126)
fputs("\n", fp);
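Review bot: making the notifier's RSS output world-readable, as described for this patch, moves the access decision out of cupsd's /rss/ Location rules and into filesystem permissions, so any local user can read the job-private information in the feed directly from CacheDir however /rss/ is protected; if this is kept it needs the CacheDir mode 770 change proposed in the discussion as a companion, and the visible `fputs("\n", fp);` line gives no indication of which mode the file is opened or chmod'ed with, so that should be stated in the hunk or the commit comment.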
"str4461p3.patch": Index: scheduler/Makefile--- scheduler/Makefile (revision 12131)
Index: scheduler/conf.c--- scheduler/conf.c (revision 12131) if ((cupsdCheckPermissions(RequestRoot, NULL, 0710, RunUser,
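Review bot: the one visible context line, `if ((cupsdCheckPermissions(RequestRoot, NULL, 0710, RunUser,`, is the RequestRoot check, whereas the directory proposed for tightening to mode 770 in the discussion is CacheDir; confirm that the conf.c hunk changes the CacheDir permission check rather than RequestRoot, and that the scheduler/Makefile change installs the cache directory with the same mode, otherwise the world-readable RSS files from the second patch remain readable by every local user.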
Version: 1.7.5
CUPS.org User: twaugh.redhat Attempting GET for /admin/log/error_log or /admin/conf/cupsd.conf fails when either is not world-readable, due to the fix for STR #4455.