[cups.bugs] [LOW] STR #2935: please support less restricted root backend permissions
martin.pitt.canonical
martin.pitt at canonical.com
Sat Sep 6 04:39:04 PDT 2008
DO NOT REPLY TO THIS MESSAGE. INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.
[STR New]
At the moment, backends which run as root need to be 0700, i. e. not have
any privileges for group or others. This is very rigid and e. g. prevents
system integrity checkers, bug report scripts, and other tools from
verifying the contents of those backends (and also violates the Debian
Policy). Distribution packages should not ship binaries which are not
world readable, since anyone can just download the package and get it from
there.
Would you consider relaxing the check in scheduler/job.c a bit?
backroot = !(backinfo.st_mode & (S_IRWXG | S_IRWXO));
this could become
backroot = !(backinfo.st_mode & (S_IXGRP | S_IXOTH));
so that it is possible to install those backends with 744 permissions.
Preferably the backends should installed with 744 mode as well, but if you
don't like that, upstream could stay with installing them as 700 (distros
can easily adapt the permissions in their build scripts without patching
the source).
Thanks for considering,
Martin
Link: http://www.cups.org/str.php?L2935
Version: 1.3.8
More information about the cups
mailing list