
Made the snapped CUPS mostly completely working under confinement

* Patched CUPS to

  * allow root as CUPS user and group
    (`cupsd-allow-root-as-cups-user.patch`)
  * allow the system groups containing the CUPS group
    (`cupsd-allow-group-and-systemgroup-be-the-same.patch`)
  * not do setgroups() system calls (`sed` magic in `snapcraft.yaml`)
  * pass the `$PATH` environment variable on to programs called by
    CUPS (`cupsd-pass-on-path.patch`)
  * let its utilities access cupsd.conf only via HTTP and not via
    local file access
    (`libcups-do-not-read-cupsd-conf-from-local-file.patch`)

  The first three changes make CUPS able to run helper programs
  (filters, backends, CGI programs, ...) as root and trying to set any
  user or group relations. Needed for printing and for making the
  pages of the web interface work.

  The forth makes filters and backends find helper utilities which are
  part of the snap (like Poppler's `pdftocairo`).

  The last one makes the `cupsctl` utility work.

* Set CUPS user and CUPS group to root, so that all helper programs
  called by CUPS run as root and so they can access all needed files
  which are owned by root.

* Added "adm" group to the system groups. This is a temporary hack
  until we can create and use the "lpadmin" group in the snap. Now the
  first user (also a member of the "adm" group) can do CUPS administration
  tasks with `lpadmin`, `cupsctl`, ...

* Added plug "home" to the `lp`, `lpoptions`, `lpadmin`, and
  `cupsfilter` utilities.

* Set maximum size for error_log to 10 MB.
tillkamppeter committed Nov 16, 2017
1 parent 31f9088 commit fa4a62d514955b62a33f0d3ac946b11eb359ee71
@@ -0,0 +1,11 @@
--- scheduler/conf.c.orig 2017-11-16 15:46:46.570154424 -0200
+++ scheduler/conf.c 2017-11-16 17:40:15.722758104 -0200
@@ -1016,7 +1016,7 @@
* a password!
*/
- if (!RunUser)
+ if (0 && !RunUser)
{
for (i = 0; i < NumSystemGroups; i ++)
if (Group == SystemGroupIDs[i])
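Review bot: The `0 &&` prepended to the `if (!RunUser)` guard turns the whole block, including the loop over `NumSystemGroups`, into dead code with nothing in the patch saying why skipping the Group/SystemGroup overlap check is acceptable, so a reader of the patched conf.c cannot tell it from an accident. Patch files accept free text before the first `---` line, so a header such as `The snap runs cupsd and every helper it spawns as root under confinement, so the check that Group is not also a SystemGroup is disabled` would record the intent; the same applies to the two `0 &&` edits in the section starting at L56 and to the `#if 0` / `#endif /* 0 */` pair in the section starting at L96, whose `/* 0 */` comment carries no information. The enclosing function in conf.c starts and ends outside the hunk.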
@@ -0,0 +1,20 @@
--- scheduler/conf.c.orig 2017-11-01 12:57:53.000000000 -0200
+++ scheduler/conf.c 2017-11-16 15:46:46.570154424 -0200
@@ -3572,7 +3572,7 @@
{
int uid = atoi(value);
- if (!uid)
+ if (0 && !uid)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"Will not use User 0 as specified on line %d of %s "
@@ -3594,7 +3594,7 @@
if (p)
{
- if (!p->pw_uid)
+ if (0 && !p->pw_uid)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"Will not use User %s (UID=0) as specified on line "
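Review bot: With the `!uid` guard disabled, the `int uid = atoi(value)` line just above it now passes any digit-leading `User` value that `atoi` cannot fully parse straight through as UID 0, because `atoi` returns 0 for such input and nothing else in the visible code rejects it. If the intent is only to permit a literal `0`, keep the branch and narrow it instead, roughly `if (!uid && strcmp(value, "0"))`, so malformed values still hit the existing error log; this is hedged since the rest of the block is outside the hunk. The second hunk's `!p->pw_uid` guard has no such parsing issue, as `pw_uid` comes from the passwd lookup. The enclosing function lies outside both hunks.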
@@ -0,0 +1,19 @@
--- scheduler/env.c.orig 2017-11-01 12:57:53.000000000 -0200
+++ scheduler/env.c 2017-11-16 15:59:30.831945067 -0200
@@ -212,8 +212,14 @@
set_if_undefined("LD_PRELOAD", NULL);
set_if_undefined("NLSPATH", NULL);
if (find_env("PATH") < 0)
- cupsdSetEnvf("PATH", "%s/filter:" CUPS_BINDIR ":" CUPS_SBINDIR
- ":/bin:/usr/bin", ServerBin);
+ {
+ char *value;
+ if ((value = getenv("PATH")) != NULL)
+ cupsdSetEnvf("PATH", "%s/filter:%s", ServerBin, value);
+ else
+ cupsdSetEnvf("PATH", "%s/filter:" CUPS_BINDIR ":" CUPS_SBINDIR
+ ":/bin:/usr/bin", ServerBin);
+ }
set_if_undefined("SERVER_ADMIN", ServerAdmin);
set_if_undefined("SHLIB_PATH", NULL);
set_if_undefined("SOFTWARE", CUPS_MINIMAL);
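Review bot: The new `getenv("PATH")` branch replaces the fixed `CUPS_BINDIR`/`CUPS_SBINDIR`/`/bin:/usr/bin` default with whatever PATH cupsd itself inherited, and per this commit the filters and backends that receive it run as root; the patch is unconditional, so outside the snap (where snapd controls PATH) a cupsd started from an environment with a loosely controlled PATH would have its root-running helpers resolve binaries from that inherited value. Appending the old defaults at least keeps the CUPS directories reachable when the inherited PATH omits them: `cupsdSetEnvf("PATH", "%s/filter:%s:" CUPS_BINDIR ":" CUPS_SBINDIR ":/bin:/usr/bin", ServerBin, value);`. The temporary could also be declared as `const char *value = getenv("PATH");` and tested on its own line rather than assigned inside the condition. The enclosing function continues outside the hunk.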
@@ -0,0 +1,20 @@
--- cups/adminutil.c.orig 2017-11-01 12:57:53.000000000 -0200
+++ cups/adminutil.c 2017-11-16 16:05:52.355213390 -0200
@@ -2191,7 +2191,7 @@
snprintf(name, namesize, "%s/cupsd.conf", cg->cups_serverroot);
*remote = 0;
-#ifndef WIN32
+#if 0
if (!_cups_strcasecmp(host, "localhost") && !access(name, R_OK))
{
/*
@@ -2218,7 +2218,7 @@
status = HTTP_STATUS_OK;
}
else
-#endif /* !WIN32 */
+#endif /* 0 */
{
/*
* Read cupsd.conf via a HTTP GET request...
@@ -20,7 +20,7 @@ LC_ALL=C.UTF-8
LANG=C.UTF-8
cp -r $SNAP/etc/cups/. $SNAP_DATA/etc/
cat $CUPSFILESCONF | perl -p -e 's:^(\s*)\#?(\s*\S+\s+)/:\1\2'"$SNAP"'/:g' | perl -p -e 's:^(\s*)\#?(\s*\S+\s+)\S*/var/(\S*?)/cups(.*)$:\1\2'"$SNAP_DATA"'/var/\3\4:g' | perl -p -e 's:^(\s*)\#?(\s*\S+\s+)\S*/etc:\1\2'"$SNAP_DATA"'/etc\3\5:g' | perl -p -e 's:/etc/cups:/etc:g' > $SNAP_DATA/etc/cups-files.conf
cat $CUPSFILESCONF | perl -p -e 's:^(\s*)\#?(\s*\S+\s+)/:\1\2'"$SNAP"'/:g' | perl -p -e 's:^(\s*)\#?(\s*\S+\s+)\S*/var/(\S*?)/cups(.*)$:\1\2'"$SNAP_DATA"'/var/\3\4:g' | perl -p -e 's:^(\s*)\#?(\s*\S+\s+)\S*/etc:\1\2'"$SNAP_DATA"'/etc\3\5:g' | perl -p -e 's:/etc/cups:/etc:g' | perl -p -e 's:^(\s*)\#?(User|Group)(\s+)\S+:\1\2\3root:g' | perl -p -e 's:^(\s*)\#?(SystemGroup\s+)\S+:\1\2\3root adm:g' > $SNAP_DATA/etc/cups-files.conf
cat $CUPSDCONF | grep -v 'Listen' | perl -p -e 's:^(\s*<Location\s*/>\s*)$:$1 Allow \@LOCAL\n:' > $SNAP_DATA/etc/cupsd.conf
if [ -e $SNAP/default.yaml ]; then
@@ -43,7 +43,7 @@ export FONTCONFIG_FILE=$SNAP_DATA/etc/fonts/fonts.conf
echo PassEnv FONTCONFIG_FILE >> $SNAP_DATA/etc/cupsd.conf
echo MaxLogSize 99999 >> $SNAP_DATA/etc/cupsd.conf
echo MaxLogSize 9999999 >> $SNAP_DATA/etc/cupsd.conf
perl -p -i -e 's:^(\s*)\#?(\s*LogLevel\s+)\S+:\1\2debug:g' $SNAP_DATA/etc/cupsd.conf
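Review bot: In the new `SystemGroup` substitution on the re-added `cat $CUPSFILESCONF` line, the replacement `\1\2\3root adm` references `\3` but the pattern has only two capture groups, so `\3` expands to an empty string and the line only works by accident; drop it: `s:^(\s*)\#?(SystemGroup\s+)\S+:\1\2root adm:g`. The `\S+` also replaces just the first group name, so a stock `SystemGroup` line listing several groups would keep the remaining names after `root adm`; matching `.*$` in place of `\S+` replaces the whole list. The pre-existing `/etc` substitution on the same line carries the same stray `\3\5` references.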
@@ -22,16 +22,16 @@ apps:
plugs: [network, avahi-control]
lpadmin:
command: lpadmin
plugs: [network, avahi-control]
plugs: [network, avahi-control, home]
lpstat:
command: lpstat
plugs: [network, avahi-control]
lpoptions:
command: lpoptions
plugs: [network, avahi-control]
plugs: [network, avahi-control, home]
lp:
command: lp
plugs: [network, avahi-control]
plugs: [network, avahi-control, home]
cancel:
command: cancel
plugs: [network, avahi-control]
@@ -40,7 +40,7 @@ apps:
plugs: [network, avahi-control]
cupsfilter:
command: cupsfilter
plugs: [network, avahi-control]
plugs: [network, avahi-control, home]
#mutool:
# command: ./usr/bin/mutool
@@ -50,10 +50,16 @@ parts:
plugin: autotools
prepare: |
patch -p0 < ../../../cupsd-pass-on-ld-library-path.patch
patch -p0 < ../../../cupsd-pass-on-path.patch
patch -p0 < ../../../cupsd-allow-root-as-cups-user.patch
patch -p0 < ../../../cupsd-allow-group-and-systemgroup-be-the-same.patch
patch -p0 < ../../../libcups-do-not-read-cupsd-conf-from-local-file.patch
sed -i 's|$(DSTROOT)|'"${SNAPCRAFT_PART_INSTALL}"'|g' Make*
sed -i 's|fchown(cupsFileNumber(fp), getuid(), Group)|0|g' scheduler/file.c
sed -i 's|(fchmod(cupsFileNumber(fp), mode))|(0)|g' scheduler/file.c
sed -i 's|chown(filename, user, group)|0|g' scheduler/conf.c
sed -i 's|setgroups(1, &Group)|0|g' scheduler/process.c
sed -i 's|setgroups(1, &gid)|0|g' scheduler/cups-exec.c
sed -i 's|fchown(|// fchown(|g' cups/*.c
sed -i 's|chown(|// chown(|g' cups/*.c
sed -i 's|fchmod(|// fchmod(|g' cups/*.c
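Review bot: The `sed -i` lines added to `prepare` are silent no-ops when their literal pattern is absent, so if a later CUPS source no longer contains `setgroups(1, &Group)` or `fchown(cupsFileNumber(fp), getuid(), Group)` the build still succeeds and the snap ships a scheduler that keeps making the calls this commit means to remove. Guarding each substitution with a match check, e.g. `grep -q 'setgroups(1, &Group)' scheduler/process.c || exit 1` before the corresponding `sed`, turns that into a build failure. Separately, the blanket `s|chown(|// chown(|g` also matches the `fchown(` occurrences rewritten on the previous line (giving `// f// chown(`, harmless but a sign the patterns are unanchored), and commenting to end of line is only correct when each call is a whole statement on its own line; the targeted expression replacements used for `scheduler/*.c` would be the safer shape for `cups/*.c` too. The `prepare` script may continue past the end of the hunk.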

