[cups] Question about CUPS 1.6.3 on RHEL SELINUX 7.0 (Presently "Permissive")

Kevin King kevin at precisonline.com
Mon Feb 23 08:15:20 PST 2015


To test lp security I set a password and logged in as the lp user and it
has full write permissions to /tmp and /tmp/spool in the present
configuration.  The only issue seems to be with this interface script
running under CUPS.  I did find some reference on the web about certain
operating systems having additional security built into CUPS - the article in
particular mentioned OS X - and was wondering if there is some additional
configuration in CUPS that causes scripts to be limited to outputting to
certain directories.  Is there such a configuration or limitation on RHEL?

-K

On Mon, Feb 23, 2015 at 7:20 AM, Kevin King <kevin at precisonline.com> wrote:

> I have tried with SELINUX both disabled and in permissive mode with no
> change. In either of these configurations does it not rule out SELINUX as
> being the cause? Is CUPS using the enhanced security even when it has been
> disabled? We have this working on other SELINUX systems in permissive mode.
>
>
> On Monday, February 23, 2015, Helge Blischke <helgeblischke at web.de> wrote:
>
>> You need to investigate the following SELinux settings:
>> 1.      Check out what SELinux user is associated with the operating
>> system user „lp“.
>> 2.      Check the role, objects and rules defined for that SELinux user
>> 3.      Modify the rules/objects to make your destination directory
>> accessible
>>         (writable) for this SELinux user.
>>
>> Note that a modification like this might be repeated after system updates.
>>
>>
>> > Am 23.02.2015 um 00:32 schrieb Kevin King <kevin at precisonline.com>:
>> >
>> > The problem I'm having isn't really a printer, but rather a script that
>> > I've set up to print to a file. We use this script on all our Linux
>> systems,
>> > but this is the first time on RHEL 7.  The script is an interface script
>> > for a printer (0) that just copies a file from the spool directory to a
>> tmp
>> > directory.
>> >
>> > #!/bin/ksh
>> > # This printer will output the spooler job to /tmp/spool.
>> >
>> > ENTRY=$1
>> > USER=$2
>> > FILE=$6
>> > NEWFILE=/tmp/spool/${USER}-${ENTRY}
>> >
>> > echo cp ${FILE} ${NEWFILE} >&2
>> >
>> > cp ${FILE} ${NEWFILE}
>> > chmod 777 ${NEWFILE}
>> >
>> > exit 0
>> >
>> > This was then created as a printer 0 using this:
>> >
>> > lpadmin -p 0 -v file:/dev/null -i /tmp/0
>> >
>> > (/tmp/0 is this script.)
>> >
>> > Note how all this does is copy the CUPS spooler entry to /tmp/spool and
>> > give it a name of "user-job#".  I have an extra "echo" in there for
>> testing
>> > but that's inconsequential.
>> >
>> > /tmp exists.  /tmp/spool exists. Both are wide open in terms of
>> permissions:
>> >
>> > sh-4.2# ls -ld /tmp /tmp/spool
>> > drwxrwxrwt. 23 root root 4096 Feb 21 18:38 /tmp
>> > drwxrwxrwx   2 root root    6 Feb 21 18:38 /tmp/spool
>> >
>> > I should note that the script runs fine - no errors - when run outside
>> of
>> > the context of CUPS.  It also runs in CUPS 1.7.2 on an Ubuntu system
>> and on
>> > CUPS 1.4.2 on RHEL.
>> >
>> > In CUPS, however, here's what happens (from the error_log in CUPS)
>> First
>> > up, here's the output of the first echo that I added to show the command
>> > that is about to run:
>> >
>> > D [21/Feb/2015:18:26:47 -0500] [Job 60] cp /var/spool/cups/d00060-001
>> > /tmp/spool/root-60
>> >
>> > And then this:
>> >
>> > D [21/Feb/2015:18:26:47 -0500] [Job 60] cp: cannot create regular file
>> > '/tmp/spool/root-60': No such file or directory
>> > D [21/Feb/2015:18:26:47 -0500] [Job 60] chmod: cannot access
>> > '/tmp/spool/root-60': No such file or directory
>> >
>> > This appears to be telling me that CUPS interface scripts (presently
>> > configured to run as the lp user) have no visibility to the /tmp
>> directory.
>> > I've also tried updating a log with:
>> >
>> > echo "i am here" > /tmp/out.log
>> >
>> > But nothing ever shows up, as if /tmp is entirely missing.
>> >
>> > I've gone as far as to enable the lp user to login so that I could
>> verify
>> > that it can see and write to the /tmp/spool directory.  The lp user can
>> see
>> > the /tmp and /tmp/spool directories, and can write freely to them.  So
>> it
>> > doesn't appear to be a limitation to permissions or that specific user.
>> >
>> > But what could it be?  I'm running out of options to check.  This exact
>> > script works brilliantly on RHEL 6.6/CUPS 1.4.2 and also on Ubuntu 14.04
>> > LTS/CUPS 1.7.2.  On this one system, however, it's as if /tmp just
>> doesn't
>> > exist.
>> >
>> > Any ideas?
>> >
>> > -K
>> > _______________________________________________
>> > cups mailing list
>> > cups at cups.org
>> > https://www.cups.org/mailman/listinfo/cups
>>
>
>
> --
> -K
>
>
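Added example, not from Kevin's message or the CUPS project: a hardened variant of the "print to a file" interface script above. It keeps the same USER-JOBID naming under /tmp/spool, but validates the user and job id before they are embedded in a path, leaves the copied file at mode 0640 instead of 0777, reads the job from stdin when CUPS passes no sixth argument, and, when the destination directory is not there, reports the mount namespace id of the running process instead of the bare "No such file or directory" that cp gives. That last check matters because a daemon started by systemd can be given its own private /tmp, so a directory that an lp login shell can write to is not necessarily the one the filter process sees; comparing the printed id with `readlink /proc/$$/ns/mnt` from a login shell tells the two cases apart. The function names and the SPOOL_DIR override are assumptions of this example.

```shell
#!/bin/sh
# Hardened "copy the job to a file" interface script (added example, not the
# poster's script). cupsd invokes it as: job-id user title copies options [file].
# SPOOL_DIR is an assumed override; the thread's destination /tmp/spool is the default.

# True when a value is safe to use as one path component: non-empty, no '/',
# not starting with '-' or '.', only [A-Za-z0-9._-].
safe_name() {
    case "$1" in
        ''|-*|.*|*/*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print DIR/USER-JOBID, refusing a user name or job id that could escape DIR.
spool_target() {
    dir=$1 user=$2 job=$3
    safe_name "$user" || { echo "refusing user '$user'" >&2; return 1; }
    case "$job" in
        ''|*[!0-9]*) echo "refusing job id '$job'" >&2; return 1 ;;
    esac
    printf '%s/%s-%s\n' "$dir" "$user" "$job"
}

# Copy SRC (or stdin when SRC is empty) to DIR/USER-JOBID and print the path.
# If DIR is not visible from this process, say so and print the mount namespace
# id so it can be compared with the one seen from a login shell.
copy_job() {
    src=$1 dir=$2 user=$3 job=$4
    if [ ! -d "$dir" ]; then
        echo "destination directory '$dir' is not visible from this process" >&2
        echo "mount namespace: $(readlink /proc/self/ns/mnt 2>/dev/null || echo unknown)" >&2
        return 1
    fi
    dest=$(spool_target "$dir" "$user" "$job") || return 1
    umask 027
    if [ -n "$src" ]; then
        cp -- "$src" "$dest" || return 1
    else
        cat > "$dest" || return 1
    fi
    # Owner read/write, group read; no world access to the spooled job.
    chmod 0640 "$dest" || return 1
    echo "$dest"
}

# Entry point when run by cupsd with the five or six standard arguments.
if [ $# -ge 5 ]; then
    copy_job "${6:-}" "${SPOOL_DIR:-/tmp/spool}" "$2" "$1" >/dev/null || exit 1
fi
```

Install it the same way as the original (`lpadmin -p 0 -v file:/dev/null -i /path/to/script`); the "not visible from this process" line will then appear in error_log alongside the namespace id whenever the filter cannot see the directory.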


