[cups-devel] [UNKN] STR #4495: cups-files.conf - Group and SystemGroup directives collision causes printing to fail silently

James noreply at cups.org
Fri Oct 3 09:40:59 PDT 2014


[STR New]

In the file "/etc/cups/cups-files.conf", if a named group in the "Group"
directive is also a named group in the "SystemGroup" directive, then cupsd
"filters/backends/helper programs" will run as group "nobody" instead of
the group named in the "Group" directive, for security reasons.

If the printer devices in "/dev/", such as "/dev/parport0", are created
with user "root" and group "lp", then, when cupsd runs as group "nobody",
cupsd will not have permission to access the printer devices, AND ALL
PRINTING WILL FAIL, WITH "USELESS" STATUS MESSAGES!

Falling back to group "nobody" is a very inappropriate solution to a
security problem, exactly because the net result is a silent printing
failure, and the cause is very difficult to discover.  Really, this can be
very exasperating.

Instead, cupsd should simply fail to start at all, with an explicit error
message that the Group group is in the list of SystemGroup groups, and that
this is not allowed.


James

Link: https://www.cups.org/str.php?L4495
Version: 2.0.0
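
A pre-flight check for the collision this report describes, as an added example (not code from CUPS or from the reporter): it parses cups-files.conf text and reports when the Group name also appears in SystemGroup. The sample configs are constructed, and the parsing rules (case-insensitive directive names, "#" starting a comment, the last Group line winning, SystemGroup lines accumulating) are assumptions of this sketch.

```python
import sys

# Constructed sample: "lp" is both the Group and one of the SystemGroup names.
SAMPLE_COLLIDING = """\
# cups-files.conf (constructed sample)
User lp
Group lp
SystemGroup lpadmin sys lp
"""

# Constructed sample without the collision.
SAMPLE_OK = """\
Group lp
SystemGroup lpadmin sys
"""

def parse_groups(conf_text):
    """Return (group, system_groups) read from cups-files.conf text."""
    group, system_groups = None, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive == "group" and args:
            group = args[0]                   # assumption: last Group line wins
        elif directive == "systemgroup":
            system_groups.extend(args)        # assumption: repeated lines accumulate
    return group, system_groups

def find_collision(conf_text):
    """Return the Group name if it is also a SystemGroup, else None."""
    group, system_groups = parse_groups(conf_text)
    return group if group is not None and group in system_groups else None

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/cups/cups-files.conf"
    with open(path) as fh:
        hit = find_collision(fh.read())
    if hit:
        print(f"{path}: Group '{hit}' is also listed in SystemGroup", file=sys.stderr)
        sys.exit(1)
    print(f"{path}: no Group/SystemGroup collision")
```

Run against the live file before restarting cupsd; a non-zero exit flags the configuration that the report says ends with helpers running as group "nobody".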