Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Please add a configure option for the installed cupsd permissions #3459

Closed
michaelrsweet opened this issue Dec 22, 2009 · 3 comments
Closed
Labels
enhancement
Milestone

Comments

@michaelrsweet
Copy link
Collaborator

michaelrsweet commented Dec 22, 2009

Version: 1.6-feature
CUPS.org User: twaugh.redhat

There is no particular reason to install cupsd with mode 0500, and it does even make sense to run cupsd as a non-root process in some cases (e.g. freenx-server does this).

Original report:
https://bugzilla.redhat.com/show_bug.cgi?id=546004

@michaelrsweet
Copy link
Collaborator Author

michaelrsweet commented Dec 23, 2009

CUPS.org User: mike

Actually, there are a LOT of good reasons for installing cupsd mode 0500, most notably that it prevents a class of attacks that can be installed by malicious software. It also prevents bug reports about custom configurations not working when somebody tries running cupsd as a non-root user and suddenly loses support for most types of authentication, LPD, and usually all local devices.

I'll add a configure-time option (--with-cupsd-perm) so you can specify different permissions, but the default will still be 0500.

@michaelrsweet
Copy link
Collaborator Author

michaelrsweet commented Mar 5, 2012

CUPS.org User: mike

Fixed in Subversion repository.

@michaelrsweet
Copy link
Collaborator Author

michaelrsweet commented Mar 5, 2012

"str3459.patch":

Index: Makedefs.in

--- Makedefs.in (revision 10326)
+++ Makedefs.in (working copy)
@@ -63,6 +63,7 @@

CUPS_CONFIG_FILE_PERM = @CUPS_CONFIG_FILE_PERM@
+CUPS_CUPSD_FILE_PERM = @CUPS_CUPSD_FILE_PERM@
CUPS_LOG_FILE_PERM = @CUPS_LOG_FILE_PERM@

Index: config-scripts/cups-defaults.m4

--- config-scripts/cups-defaults.m4 (revision 10326)
+++ config-scripts/cups-defaults.m4 (working copy)
@@ -3,7 +3,7 @@
dnl
dnl Default cupsd configuration settings for CUPS.
dnl
-dnl Copyright 2007-2011 by Apple Inc.
+dnl Copyright 2007-2012 by Apple Inc.
dnl Copyright 2006-2007 by Easy Software Products, all rights reserved.
dnl
dnl These coded instructions, statements, and computer programs are the
@@ -25,7 +25,7 @@
AC_SUBST(LANGUAGES)

dnl Mac OS X bundle-based localization support
-AC_ARG_WITH(bundledir, [ --with-bundledir set Mac OS X localization bundle directory ],
+AC_ARG_WITH(bundledir, [ --with-bundledir set Mac OS X localization bundle directory ],
CUPS_BUNDLEDIR="$withval",
if test "x$uname" = xDarwin -a $uversion -ge 100; then
CUPS_BUNDLEDIR="/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A"
@@ -50,6 +50,12 @@
AC_SUBST(CUPS_CONFIG_FILE_PERM)
AC_DEFINE_UNQUOTED(CUPS_DEFAULT_CONFIG_FILE_PERM, 0$CUPS_CONFIG_FILE_PERM)

+dnl Default permissions for cupsd
+AC_ARG_WITH(cupsd_file_perm, [ --with-cupsd-file-perm set default cupsd permissions, default=0500],

  • CUPS_CUPSD_FILE_PERM="$withval",
  • CUPS_CUPSD_FILE_PERM="500")
    +AC_SUBST(CUPS_CUPSD_FILE_PERM)

dnl Default LogFilePerm
AC_ARG_WITH(log_file_perm, [ --with-log-file-perm set default LogFilePerm value, default=0644],
CUPS_LOG_FILE_PERM="$withval",
Index: scheduler/Makefile

--- scheduler/Makefile (revision 10326)
+++ scheduler/Makefile (working copy)
@@ -211,7 +211,7 @@
install-exec:
echo Installing programs in $(SBINDIR)...
$(INSTALL_DIR) -m 755 $(SBINDIR)

  • $(INSTALL_BIN) -m 500 cupsd $(SBINDIR)
  • $(INSTALL_BIN) -m $(CUPS_CUPSD_FILE_PERM) cupsd $(SBINDIR)
    $(INSTALL_BIN) cupsfilter $(SBINDIR)
    echo Installing programs in $(SERVERBIN)/daemon...
    $(INSTALL_DIR) -m 755 $(SERVERBIN)

@michaelrsweet michaelrsweet added the enhancement label Mar 17, 2016
@michaelrsweet michaelrsweet added this to the Stable milestone Mar 17, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement
Projects
None yet
Development

No branches or pull requests

1 participant