Sandboxing prevents access to UNIX domain sockets in /private/var/tmp #4471

Closed
michaelrsweet opened this issue Aug 19, 2014 · 2 comments

@michaelrsweet
Collaborator

Version: 2.0-current
CUPS.org User: tmb

[1] states that filters and backends may access UNIX domain sockets under the /private/var/run and /private/var/tmp directories, but only rules for accessing /private/var/run and /private/tmp are present in scheduler/process.c.

[1] https://www.cups.org/documentation.php/doc-2.0/api-filter.html#SANDBOXING

@michaelrsweet
Collaborator Author

CUPS.org User: mike

That's actually supposed to be /private/tmp, but we'll allow both in the next release.

@michaelrsweet
Collaborator Author

"str4471.patch":

Index: scheduler/process.c

--- scheduler/process.c (revision 12100)
+++ scheduler/process.c (working copy)
@@ -215,6 +215,8 @@
" #"^/private/var/mysql$""
" #"^/private/var/run$""
" #"^/private/var/spool$""

  •             " #\"^/private/var/tmp$\""
    
  •             " #\"^/private/var/tmp/\""
              " #\"^/usr/bin$\""    /\* /usr/bin _/
              " #\"^/usr/bin/\""    /_ /usr/bin/... _/
              " #\"^/usr/libexec/cups$\""   /_ /usr/libexec/cups _/
    
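Review bot: The two new /private/var/tmp entries in this path list come with no stated reason. The issue is about reaching UNIX domain sockets, which the network-outbound rule later in the patch already covers. If filters and backends also need file access under /private/var/tmp, say so in a comment next to the new entries, because that directory is shared by every local user and the rule that heads this list is outside the visible context.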
    @@ -223,27 +225,10 @@
    " #"^/usr/libexec/fax/"" /_ /usr/libexec/fax/... /
    " #"^/usr/sbin$"" /
    /usr/sbin /
    " #"^/usr/sbin/"" /
    /usr/sbin/... */
  •    " #\"^/Library/Application Support$\""
    
  •    " #\"^/Library/Application Support/\""
    
  •    " #\"^/Library/Caches$\""
    
  •    " #\"^/Library/ColorSync$\""
    
  •    " #\"^/Library/ColorSync/Profiles$\""
    
  •    " #\"^/Library/ColorSync/Profiles/\""
    
  •    " #\"^/Library/Fonts$\""
    
  •    " #\"^/Library/Fonts/\""
    
  •    " #\"^/Library/Frameworks$\""
    
  •    " #\"^/Library/Frameworks/\""
    
  •    " #\"^/Library/Keychains$\""
    
  •    " #\"^/Library/Keychains/\""
    
  •    " #\"^/Library/Logs$\""
    
  •    " #\"^/Library/Printers$\""
    
  •    " #\"^/Library/Printers/\""
    
  •    " #\"^/Library/Security$\""
    
  •    " #\"^/Library/Security/\""
    
  •    " #\"^/Library/WebServer$\""
    
  •    " #\"^/System/Library/ColorSync$\""
    
  •    " #\"^/System/Library/ColorSync/Profiles$\""
    
  •    " #\"^/System/Library/ColorSync/Profiles/\""
    
  •    " #\"^/Library$\"" /\* /Library */
    
  •    " #\"^/Library/\"" /\* /Library/... */
    
  •    " #\"^/System$\""  /\* /System */
    
  •    " #\"^/System/\""  /\* /System/... _/
     " #\"^%s/Library$\""   /_ RequestRoot/Library _/
     " #\"^%s/Library/\""   /_ RequestRoot/Library/... _/
     " #\"^%s$\""       /_ ServerBin _/
    
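Review bot: Going by the hunk header (27 lines before, 10 after), the per-directory entries from /Library/Application Support through /System/Library/ColorSync/Profiles/ are replaced by blanket ^/Library/ and ^/System/ patterns, which match far more than the old list did and are unrelated to sockets in /private/var/tmp. Please split this into its own change with a description of what needed the wider match, or keep the enumerated list and add only the directories that were missing.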
    @@ -292,6 +277,7 @@
    " #"^%s/"" /_ CUPS_TESTROOT/... */
    "))\n",
    testroot);
  • cupsFilePrintf(fp, "(allow sysctl_)\n");
    }
    if (job_id)
    {
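Review bot: The added sysctl rule is written with cupsFilePrintf although the string has no format arguments; use cupsFilePuts, as the constant rules in the next hunk do. It also needs a comment naming what filters require it for, since neither the issue nor the replies mention sysctl, and it sits inside the block that closes right after the testroot rule, so it is unclear whether it is meant for every profile or only for test runs.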
    @@ -314,7 +300,7 @@
    cupsFilePuts(fp, "(allow distributed-notification-post)\n");
    /_ Allow outbound networking to local services */
    cupsFilePuts(fp, "(allow network-outbound"
  •      "\n       (regex #\"^/private/var/run/\" #\"^/private/tmp/\")");
    
  •      "\n       (regex #\"^/private/var/run/\" #\"^/private/tmp/\" #\"^/private/var/tmp/\")");
    
    for (lis = (cupsd_listener_t *)cupsArrayFirst(Listeners);
    lis;
    lis = (cupsd_listener_t *)cupsArrayNext(Listeners))
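Review bot: With the /private/var/tmp/ pattern added, the network-outbound regex accepts three socket locations, but the sandboxing documentation cited in the issue lists only /private/var/run and /private/var/tmp. Update that page to include /private/tmp in the same change so the documentation and scheduler/process.c agree.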
