[Pkg-cups-devel] Bug#401405: Further information and patch
Ulrich Eckhardt
doomster at knuut.de
Sat Dec 9 13:07:37 CET 2006
I've been browsing the sources a bit, and the primary case is a bit clearer
now. In backend/usb-unix.c, in open_device and list_devices is a loop that is
iterating over all possible USB printers and trying to match them against the
given URI. It always tries "/dev/usblp%d", "/dev/usb/lp%d"
and "/dev/usb/usblb%d" for any given index and the error handling here is
broken - it only reports the errno value of the last attempt to open a
printer, and since I don't have 16 printers that is always ENOENT. The fact
that it got an EACCESS while opening /dev/usb/lp0 is totally left out.
I think the algorithm to better diagnose errors goes like this:
1. If all open() calls set errno=ENOENT, signal that no printers were found.
This could also be done using stat(), no need to call open().
2. If any printers were present but could not be opened, the fact and the
reason should go into a logfile. If the search does not find the requested
printer, the fact that not all printers could be probed should be returned
and a hint to look into the logfile.
3. If you could probe them all, just return whether the requested printer was
found.
I'm not sure how this should be handled in the case of list_devices, either it
should simply print five question marks for the five fields it otherwise
fills with the URI and other data or an error message. I took the easy way
out using the error message.
I have attached the modified usb-unix.c. Changes/Notes:
- It now correctly gives me an access denied error in the webfrontend and
works as described above.
- When invoking the backend without arguments, it now either probes the
printer for its ID or gives an errormessage.
- I marked a bogus check for EBUSY.
- In the whole CUPS sourcecode I found cases where sprintf() was used
(potential buffer overflows) or snprintf() used wrong (snprintf() can leave
an unterminated string when the buffer is too small). I'd suggest using an
xsnprintf()-wrapper, similarly to xalloc() either formatting the string into
the supplied buffer or invoking exit() - the code isn't prepared to handle
that error anyway, so there's no way to continue. This last point would merit
a whole code audit.
- I find it also astonishing how many magic numbers are used, as if using a
buffer of size 255 or 1024 would magically make your code correct...
- All driver backends seem to take similar arguments, except one of
them. 'ipp' takes a variable number of files to print. In fact I wonder why
there is no central main() function for commandline handling etc that then
only calls the implementations from the particular backend. There's a lot of
code duplication going on.
- There's a weird mixture of tabs and spaces in the files. I only preserved
the two spaces indentation depth and didn't use any tabs, but I'd say it
would be worth running the whole code through an autoindenter.
- There is some code in cups-deviced.c that I don't understand. When invoking
the backend, it code first checks if either "group" or "others" have
read/write/execute permissions on the backend and if yes, it calls seteuid()
with the user ID of 'lp'. So, by just removing read and execute permissions
on the backend, we can make cupsd call it with root permissions (it then
fails without meaningful error when invoking foomatic-rip). I find this idea
flawed. Also, quote from the (default) configfile:
# Note: the server must be run initially as root to support the
# default IPP port of 631. It changes users whenever an external
# program is run...
IOW, this comment is simply a lie and keeping root privileges is a possible
security risk. Well, not that anyone sane would be running CUPS in a hostile
network anyway...
Okay, so much for that. Sorry for drifting of into ranting towards the end,
but I hope the info was at least helpful. Question on that: is there any
packaged version of 1.3 already? I would have preferred hacking on that one
and not on a released version...
Also, you (the maintainers) probably have a connection to the upstream CUPS
developers, could you ask them if they could enable bug-reporting without
creating yet another account to log into their website? I find this extremely
annoying...
so much for today, thank you all for your work
Uli
-------------- next part --------------
A non-text attachment was scrubbed...
Name: usb-unix.c
Type: text/x-csrc
Size: 13647 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-cups-devel/attachments/20061209/77feb88c/usb-unix.c
More information about the Pkg-cups-devel
mailing list