[Pkg-cups-devel] r46 - in cupsys/branches/cups-1.2/debian: . patches
Martin Pitt
mpitt at costa.debian.org
Wed Dec 7 13:55:35 UTC 2005
Author: mpitt
Date: Wed Dec 7 13:55:33 2005
New Revision: 46
Modified:
cupsys/branches/cups-1.2/debian/changelog
cupsys/branches/cups-1.2/debian/patches/44_fixconfdirperms.dpatch
Log:
debian/patches/44_fixconfdirperms.dpatch:
- Put configuration files into group root instead of nobody to avoid
privilege escalation of nobody/nogroup and comply to Debian standards.
- Disable changing permissions of cupsd.conf conffile.
Modified: cupsys/branches/cups-1.2/debian/changelog
==============================================================================
--- cupsys/branches/cups-1.2/debian/changelog (original)
+++ cupsys/branches/cups-1.2/debian/changelog Wed Dec 7 13:55:33 2005
@@ -18,8 +18,12 @@
* debian/rules: Remove empty debian/patched on clean.
* debian/patches/10_cupsd.conf2.dpatch: Re-enable listening to localhost to
make the web interface work.
+ * debian/patches/44_fixconfdirperms.dpatch:
+ - Put configuration files into group root instead of nobody to avoid
+ privilege escalation of nobody/nogroup and comply to Debian standards.
+ - Disable changing permissions of cupsd.conf conffile.
- -- Martin Pitt <mpitt at debian.org> Wed, 7 Dec 2005 14:32:32 +0100
+ -- Martin Pitt <mpitt at debian.org> Wed, 7 Dec 2005 14:44:33 +0100
cupsys (1.1.99.b1.r4841-1) experimental; urgency=low
Modified: cupsys/branches/cups-1.2/debian/patches/44_fixconfdirperms.dpatch
==============================================================================
--- cupsys/branches/cups-1.2/debian/patches/44_fixconfdirperms.dpatch (original)
+++ cupsys/branches/cups-1.2/debian/patches/44_fixconfdirperms.dpatch Wed Dec 7 13:55:33 2005
@@ -5,10 +5,65 @@
## DP: No description.
@DPATCH@
-diff -urNad cupsys-1.1.99.b1.r4748~/scheduler/conf.c cupsys-1.1.99.b1.r4748/scheduler/conf.c
---- cupsys-1.1.99.b1.r4748~/scheduler/conf.c 2005-10-01 00:34:49.000000000 +0000
-+++ cupsys-1.1.99.b1.r4748/scheduler/conf.c 2005-10-05 12:48:10.908681278 +0000
-@@ -614,7 +614,7 @@
+diff -urNad cupsys~/scheduler/conf.c cupsys/scheduler/conf.c
+--- cupsys~/scheduler/conf.c 2005-12-07 14:34:33.000000000 +0100
++++ cupsys/scheduler/conf.c 2005-12-07 14:43:37.000000000 +0100
+@@ -364,25 +364,13 @@
+ }
+
+ endpwent();
++ endgrent();
+
+ /*
+- * Find the default group (nobody)...
++ * Put configuration files into group 'root' to avoid privilege escalation of
++ * other users.
+ */
+-
+- group = getgrnam("nobody");
+- endgrent();
+-
+- if (group != NULL)
+- Group = group->gr_gid;
+- else
+- {
+- /*
+- * Use the (historical) NFS nobody group ID (-2 as a 16-bit twos-
+- * complement number...)
+- */
+-
+- Group = 65534;
+- }
++ Group = 0;
+
+ /*
+ * Numeric options...
+@@ -515,22 +503,10 @@
+
+ cupsdLogMessage(CUPSD_LOG_NOTICE,
+ "Group and SystemGroup cannot use the same groups!");
+- cupsdLogMessage(CUPSD_LOG_INFO, "Resetting Group to \"nobody\"...");
++ cupsdLogMessage(CUPSD_LOG_INFO, "Resetting Group to \"root\"...");
+
+- group = getgrnam("nobody");
+ endgrent();
+-
+- if (group != NULL)
+- Group = group->gr_gid;
+- else
+- {
+- /*
+- * Use the (historical) NFS nobody group ID (-2 as a 16-bit twos-
+- * complement number...)
+- */
+-
+- Group = 65534;
+- }
++ Group = 0;
+ }
+ }
+
+@@ -614,7 +590,7 @@
if (access(temp, 0))
mkdir(temp, 0755);
chown(temp, RunUser, Group);
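Review bot: Hard-coding `Group = 0;` in the "Group and SystemGroup cannot use the same groups!" branch does not guarantee that the conflict is resolved: if gid 0 is itself one of the SystemGroup entries, the reset lands on the same overlap the check has just reported, so the list should be re-checked after the assignment. The same assignment in the defaults section (inner hunk at 364) makes root's group the default for every later `chown(..., RunUser, Group)`. If `Group` is also the gid cupsd hands to external programs such as filters and CGIs, they would now run with gid 0 rather than the nobody group; that use is not visible in this patch and should be confirmed. I would keep the file-ownership group separate from `Group`, or at least add a comment at both assignments such as `/* gid 0 (root): intended only for ownership of files under ServerRoot */`. Both enclosing functions start and end outside the hunk.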
@@ -17,7 +72,7 @@
chown(StateDir, RunUser, Group);
chmod(StateDir, 0775);
-@@ -629,13 +629,13 @@
+@@ -629,13 +605,13 @@
chmod(temp, 0510);
chown(ServerRoot, RunUser, Group);
@@ -33,3 +88,15 @@
snprintf(temp, sizeof(temp), "%s/ssl", ServerRoot);
if (access(temp, 0))
+@@ -643,9 +619,11 @@
+ chown(temp, RunUser, Group);
+ chmod(temp, 0700);
+
++ /* Never alter permissions of central conffile
+ snprintf(temp, sizeof(temp), "%s/cupsd.conf", ServerRoot);
+ chown(temp, RunUser, Group);
+ chmod(temp, ConfigFilePerm);
++ */
+
+ snprintf(temp, sizeof(temp), "%s/classes.conf", ServerRoot);
+ chown(temp, RunUser, Group);
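Review bot: The cupsd.conf lines are disabled by wrapping them in a `/* ... */` block whose first line doubles as the explanation, which leaves dead code in the function and stops compiling as intended as soon as a comment is added inside the wrapped span. Deleting the three lines and leaving `/* Do not chown/chmod cupsd.conf here: it is a conffile, owner and mode are expected to come from the package */` would be clearer. With this change the daemon no longer corrects the owner or mode of cupsd.conf at startup, while classes.conf is still reset, so the package has to install cupsd.conf with the intended ownership and mode. The patch header still reads `## DP: No description.`, and that is a good place to record this. The enclosing function continues outside the hunk.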