[cups.general] Possibly insecure default LogFilePerm value 0644

Michael Sweet msweet at apple.com
Tue Jul 12 15:22:16 PDT 2011


On Jul 12, 2011, at 6:22 AM, Johannes Meixner wrote:
> 
> Hello,
> 
> the CUPS 1.4.6 "configure --help" reads:
> -----------------------------------------------------------------------
> --with-config-file-perm set default ConfigFilePerm value, default=0640
> --with-log-file-perm    set default LogFilePerm value, default=0644
> -----------------------------------------------------------------------
> 
> I wonder whether world-readable log files might be insecure
> as the logs might contain sensitive data and in general
> the logs are probably not useful for normal users.

The default log level is "warning" in recent versions of CUPS. Thus, almost nothing gets logged unless there are issues, and then it is incredibly annoying when you can't look at the log as an ordinary user (I've had to work around various Linux distro choices WRT Apache log permissions, for example) or for automated log processing programs that need access but won't run with the "right" group.

> On the other hand I assume there is a reason why the log files should
> be world-readable but I don't know it (my search for "LogFilePerm" on
> http://www.cups.org/newsgroups.php did not result in anything).

Probably because nobody changes the default unless they have a reason to (which is why we have a directive to control the permissions).

> Perhaps /var/log/cups/page_log could be world-readable so that accounting
> software run by normal users could evaluate it to show normal users their
> current accounting state but then any normal user would be allowed
> to read all the accounting information for all other users.

The page_log file might contain more "sensitive" information than a normal error_log file - owner, title, job ticket information, date/time, page information, etc.

> By the way, I found two bugs in the documentation:

Please file bugs here:

	http://www.cups.org/str.php

Thanks!

________________________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
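
The trade-off discussed in this thread can be checked on a given host. The following is an added example, not part of the original message or of CUPS: it reads the effective LogFilePerm from configuration text and ranks world-readable log files, with page_log rated higher. The function names, severity labels, and the assumption that the last LogFilePerm line wins are this example's own.

```python
import os
import re
import stat
import tempfile

DEFAULT_LOG_FILE_PERM = 0o644  # build-time default quoted in the thread

def configured_log_perm(conf_text, default=DEFAULT_LOG_FILE_PERM):
    """Return the LogFilePerm mode set in cupsd configuration text, else the default.
    Assumption: directive names are case-insensitive and the last setting wins."""
    found = re.findall(r"^[ \t]*LogFilePerm[ \t]+([0-7]{3,4})[ \t]*$",
                       conf_text, re.IGNORECASE | re.MULTILINE)
    return int(found[-1], 8) if found else default

def audit_logs(log_dir, conf_text):
    """List (severity, target, mode) for every world-readable log setting or file."""
    findings = []
    perm = configured_log_perm(conf_text)
    if perm & stat.S_IROTH:
        findings.append(("info", "LogFilePerm", f"{perm:04o}"))
    for name in sorted(os.listdir(log_dir)):
        st = os.lstat(os.path.join(log_dir, name))
        if not stat.S_ISREG(st.st_mode):
            continue  # skip directories, symlinks and other non-files
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IROTH:
            # page_log carries owner, title and job ticket data, so rank it higher
            severity = "high" if name.startswith("page_log") else "low"
            findings.append((severity, name, f"{mode:04o}"))
    return findings

def demo():
    """Run the audit over a constructed log directory (not a real /var/log/cups)."""
    with tempfile.TemporaryDirectory() as log_dir:
        for name, mode in (("error_log", 0o644), ("page_log", 0o644),
                           ("access_log", 0o640)):
            path = os.path.join(log_dir, name)
            with open(path, "w") as fh:
                fh.write("constructed sample line\n")
            os.chmod(path, mode)
        # Constructed configuration text: the only LogFilePerm line is commented out
        return audit_logs(log_dir, "LogLevel warning\n# LogFilePerm 0600\n")

if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

On a real system, pass the contents of the cupsd configuration file and the log directory in use to `audit_logs`.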
