[cups.bugs] [LOW] STR #2211: "Export Printers to Samba" doesn'tworkfornewly added printers

Christoph Peus cp at uni-wh.de
Tue Jan 30 15:05:39 PST 2007


Michael Sweet wrote:
> Christoph Peus wrote:
>> ...
>> Have you perhaps misunderstood me? I suggest to make this command part 
>> of the "Export Printers to Samba" feature, and you can be sure that 
>> *every* administrator, who clicks that button wants to share the 
>> printer via Samba.
> 
> We can't depend on sudoers being configured this way, and we'd have
> to open the account that the CGIs run under ("lp" with the default
> configuration on Linux), which is a HUGE security hole.

You don't have to depend on a special sudoers configuration. If this 
configuration doesn't exist, the system will behave exactly like it 
behaves now: the "sudo smbcontrol..." command will fail and the sysadmin 
has to send the reload-config command to samba manually. If it *is* 
configured this way - which is completely the sysadmins responsibility - 
the user lp is permitted to make samba reload the config and nothing 
else. I can't see the security hole here. But it's your software, so I 
have to respect your decision.

>> Would you *please* reconsider implemeting this feature?  :)
> 
> Sorry, no.

But it's opensource software too. So I did it myself... ;-)


*** cgi-bin/admin.c.org 2006-08-24 17:55:42.000000000 +0200
--- cgi-bin/admin.c     2007-01-30 14:00:31.000000000 +0100
***************
*** 2111,2116 ****
--- 2111,2119 ----
       * Do export...
       */

+     fputs("DEBUG: Make samba recognize newly added printers...\n", 
stderr);
+     system("sudo smbcontrol smbd reload-config");
+
       fputs("DEBUG: Export printers...\n", stderr);

       if (export_all)





More information about the cups-devel mailing list