Please add a configure option for the installed cupsd permissions #3459

Closed
michaelrsweet opened this Issue Dec 22, 2009 · 3 comments

Comments

Projects
None yet
1 participant
Collaborator

michaelrsweet commented Dec 22, 2009

Version: 1.6-feature
CUPS.org User: twaugh.redhat

There is no particular reason to install cupsd with mode 0500, and it does even make sense to run cupsd as a non-root process in some cases (e.g. freenx-server does this).

Original report:
https://bugzilla.redhat.com/show_bug.cgi?id=546004

Collaborator

michaelrsweet commented Dec 23, 2009

CUPS.org User: mike

Actually, there are a LOT of good reasons for installing cupsd mode 0500, most notably that it prevents a class of attacks that can be installed by malicious software. It also prevents bug reports about custom configurations not working when somebody tries running cupsd as a non-root user and suddenly loses support for most types of authentication, LPD, and usually all local devices.

I'll add a configure-time option (--with-cupsd-perm) so you can specify different permissions, but the default will still be 0500.

Collaborator

michaelrsweet commented Mar 5, 2012

CUPS.org User: mike

Fixed in Subversion repository.

Collaborator

michaelrsweet commented Mar 5, 2012

"str3459.patch":

Index: Makedefs.in

--- Makedefs.in (revision 10326)
+++ Makedefs.in (working copy)
@@ -63,6 +63,7 @@

CUPS_CONFIG_FILE_PERM = @CUPS_CONFIG_FILE_PERM@
+CUPS_CUPSD_FILE_PERM = @CUPS_CUPSD_FILE_PERM@
CUPS_LOG_FILE_PERM = @CUPS_LOG_FILE_PERM@

Index: config-scripts/cups-defaults.m4

--- config-scripts/cups-defaults.m4 (revision 10326)
+++ config-scripts/cups-defaults.m4 (working copy)
@@ -3,7 +3,7 @@
dnl
dnl Default cupsd configuration settings for CUPS.
dnl
-dnl Copyright 2007-2011 by Apple Inc.
+dnl Copyright 2007-2012 by Apple Inc.
dnl Copyright 2006-2007 by Easy Software Products, all rights reserved.
dnl
dnl These coded instructions, statements, and computer programs are the
@@ -25,7 +25,7 @@
AC_SUBST(LANGUAGES)

dnl Mac OS X bundle-based localization support
-AC_ARG_WITH(bundledir, [ --with-bundledir set Mac OS X localization bundle directory ],
+AC_ARG_WITH(bundledir, [ --with-bundledir set Mac OS X localization bundle directory ],
CUPS_BUNDLEDIR="$withval",
if test "x$uname" = xDarwin -a $uversion -ge 100; then
CUPS_BUNDLEDIR="/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A"
@@ -50,6 +50,12 @@
AC_SUBST(CUPS_CONFIG_FILE_PERM)
AC_DEFINE_UNQUOTED(CUPS_DEFAULT_CONFIG_FILE_PERM, 0$CUPS_CONFIG_FILE_PERM)

+dnl Default permissions for cupsd
+AC_ARG_WITH(cupsd_file_perm, [ --with-cupsd-file-perm set default cupsd permissions, default=0500],

  • CUPS_CUPSD_FILE_PERM="$withval",
  • CUPS_CUPSD_FILE_PERM="500")
    +AC_SUBST(CUPS_CUPSD_FILE_PERM)

dnl Default LogFilePerm
AC_ARG_WITH(log_file_perm, [ --with-log-file-perm set default LogFilePerm value, default=0644],
CUPS_LOG_FILE_PERM="$withval",
Index: scheduler/Makefile

--- scheduler/Makefile (revision 10326)
+++ scheduler/Makefile (working copy)
@@ -211,7 +211,7 @@
install-exec:
echo Installing programs in $(SBINDIR)...
$(INSTALL_DIR) -m 755 $(SBINDIR)

  • $(INSTALL_BIN) -m 500 cupsd $(SBINDIR)
  • $(INSTALL_BIN) -m $(CUPS_CUPSD_FILE_PERM) cupsd $(SBINDIR)
    $(INSTALL_BIN) cupsfilter $(SBINDIR)
    echo Installing programs in $(SERVERBIN)/daemon...
    $(INSTALL_DIR) -m 755 $(SERVERBIN)

michaelrsweet added this to the Stable milestone Mar 17, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment