incorrect permissions on dnssd and lpd

Michael Johnson - MJ mj at revmj.com
Thu Apr 12 15:25:49 PDT 2012


Thanks for the reply.  I had done some digging to try and determine what the reason for setting the permissions to '700' were and was not able to find anything.  It might be worth while to add this info as a comment in the make file.  But then this question will probably no come up again.  :)

I ran into this as a problem under Fedora 16.  The first bit was specifically that it was trying to run dnssd to get the printer status / detect printers and it was failing.  Making dnssd executable by 'other' resolved the problem.  Perhaps Fedora is running cupsd as a non root user, but given this response it sounds like this is either a Fedora issue or something with the GUI tools that Fedora uses by default for managing printers.  I'll do some more digging and see what I find.

Thanks again!

> These backends must run as root in order to do certain things - get a privileged port (lpd), support Kerberos (IPP), and run either one of those (dnssd). Cupsd only runs backends as root when they do not have world and group read/execute permissions. And users do not run backends directly, cupsd does so on their behalf.
>
> So everything is as is should be...
>
> Sent from my iPhone
>
> On Apr 11, 2012, at 11:01 PM, Michael Johnson - MJ <mj at revmj.com> wrote:
>
> > The permissions on the dnssd and lpd backends appear to be incorrect.  They are set to 700.  However, this prevents things from working properly.  From what I can tell non-root users should be able to access these binaries to make basic printer discovery and printing work.  The permissions should really be 755.
> >
> > I suspect some might thing that having them be 700 is for security, but that argument seems invalid for the following reasons:
> >
> > 1. They work fine as a non-root user if the permissions are set to 755.
> > 2. This is opensource software, and thus there is nothing contained in these binaries that is sensitive.
> >
> > Beyond that, even if there is some "security" reason behind this, these permissions do not provide any real protection.  I can simply compile cups as my own users and now I have a copy of the binary this is executable by my non-root user.
> >
> > I am posting this to the forum on the off chance I am missing something, but I don't think I am.  I will file a bug report in a few days if nobody can come up with a better reason for why these binaries should not be executable by non-root users.
> >
> > Thanks!
> > _______________________________________________
> > cups-bugs mailing list
> > cups-bugs at easysw.com
> > http://lists.easysw.com/mailman/listinfo/cups-bugs
>





More information about the cups-devel mailing list