[cups-devel] Unable to create temporary folder or socket bind in CUPS(v2.0) backend

Michael Sweet msweet at apple.com
Tue Sep 23 04:38:26 PDT 2014


In short: don't do this. You don't know that you are running on the same system as the user, and in general sandboxed apps do not have permission to talk to you anyways.

There *are* ways to make this happen using LaunchAgents and user-specific UNIX domain sockets in /private/tmp and /private/var/tmp, but in general we don't recommend this approach since it isn't compatible with printer sharing.


> On Sep 22, 2014, at 11:52 PM, Ajaydharan Mohandoss <MAjaydharan at novell.com> wrote:
> 
> Thank you Michael. I do have some doubts based on the security restriction implemented in CUPS 2.0v.
> 
> From my CUPS backend, I previously used to call the Mac Dialog UI from Mac app to get some text input from the user using sockets. Due to the permission restriction, my backend cannot read/write files or communicate to the directories other than location mentioned in Sandbox in order to use by the Mac app. Even if I create files in CUPS Sandbox, I cannot get access to read the CUPS private files from Mac app.
> 
> Is there any common approach practiced in CUPS 2.0v to communicate between CUPS backend and other apps? 
> 
> Thanks & Regards
> Ajay
> 
> 
> 
>>>> Michael Sweet <msweet at apple.com> 18-09-2014 20:28 >>>
> See:
> 
>    http://www.cups.org/documentation.php/doc-2.0/api-filter.html#SANDBOXING
> 
> Basically, OS X Yosemite further enforces the documented restrictions for filters and backends in CUPS, and even backends running as root cannot do anything they want on the system.  The above link provides an unambiguous definition of the directories you can write to from a backend, along with the other documented restrictions.
> 
> 
> On Sep 18, 2014, at 10:31 AM, Ajaydharan Mohandoss <MAjaydharan at novell.com> wrote:
> 
>> Hi,
>> 
>> I am trying to create a folder using mkdir in my backend program. When the backend is executed, it returns an errno EPERM (Operation not permitted) when mkdir is called.
>> 
>> I manually created a directory and tried to create/bind the socket in my backend program. The bind function also returns EPERM code. This restriction is not found in earlier CUPS version 1.X (Mac OS 10.9 & below). If the restriction is introduced in Mac 10.10 OS, can any of you explain the need of it and any alternate approaches to overcome this issue?
>> 
>> Thanks & Regards
>> Ajay
>> 
>> 
>> 
>> _______________________________________________
>> cups-devel mailing list
>> cups-devel at cups.org
>> https://www.cups.org/mailman/listinfo/cups-devel
> 
> _________________________________________________________
> Michael Sweet, Senior Printing System Engineer, PWG Chair
> 

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
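
An added example, not part of the thread or of CUPS itself: a backend that keeps its scratch files inside the sandbox by creating its working directory only under `$TMPDIR` and reporting `EPERM` explicitly instead of failing silently. It assumes cupsd exports `TMPDIR` to the backend and that this directory is among the writable locations listed in the documentation linked above; the helper name `backend_scratch_dir` and the `mybackend` prefix are hypothetical.

```c
/* Added example: create a backend scratch directory only under $TMPDIR. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper. Writes the new directory path to out and returns 0,
 * or returns a negative errno value. Messages go to stderr with the
 * "ERROR:" / "DEBUG:" prefixes that cupsd reads from backends. */
int backend_scratch_dir(char *out, size_t outlen)
{
    const char *tmp = getenv("TMPDIR");   /* assumption: set by cupsd */

    if (tmp == NULL || tmp[0] != '/') {
        fprintf(stderr, "ERROR: TMPDIR is unset or not an absolute path\n");
        return -EINVAL;
    }
    int n = snprintf(out, outlen, "%s/mybackend.XXXXXX", tmp);
    if (n < 0 || (size_t)n >= outlen) {
        fprintf(stderr, "ERROR: scratch path does not fit the buffer\n");
        return -ENAMETOOLONG;
    }
    if (mkdtemp(out) == NULL) {           /* creates the directory, mode 0700 */
        int err = errno;
        if (err == EPERM || err == EACCES)
            fprintf(stderr, "ERROR: sandbox or permissions deny writes to %s\n", tmp);
        else
            fprintf(stderr, "ERROR: mkdtemp failed: %s\n", strerror(err));
        return -err;
    }
    fprintf(stderr, "DEBUG: using scratch directory %s\n", out);
    return 0;
}

int main(void)
{
    char dir[1024];
    int rc = backend_scratch_dir(dir, sizeof(dir));
    if (rc == 0)
        rmdir(dir);                       /* clean up the demonstration directory */
    return rc == 0 ? 0 : 1;
}
```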



