[Pkg-cups-devel] r508 - in cupsys/trunk/debian: . patches
Martin Pitt
mpitt at alioth.debian.org
Thu Aug 2 12:45:13 UTC 2007
Author: mpitt
Date: Thu Aug 2 12:45:13 2007
New Revision: 508
Log:
[ Martin Pitt ]
* Drop the derooting changes. It still has some regressions, and with
upstream not even acknowledging the need for improving cupsys' security we
will sit on this forever. This will be replaced by AppArmor/SELinux
profiles in the future.
- Drop derooting related patches:
06_disable_backend_setuid.dpatch
10_external_pam_helper.dpatch
09_runasuser.dpatch
09_runasuser_autoconf.dpatch
- debian/cupsys{,-client}.postinst: Drop the 'cupsys' user setup and file
permission juggling.
- debian/rules:
+ Drop --with-cups-user configure option.
+ Do not modify the upstream default backend permissions.
- debian/cupsys.init.d: Do not touch log file permissions any more.
- debian/cupsys.files: Drop cups-check-pam-auth.
- debian/NEWS: Drop description of derooting changes.
- debian/control: Drop adduser dependency.
* debian/patches/44_fixconfdirperms.dpatch: Do not create
/var/run/cups/certs as lp:lpadmin, but as root:lpadmin, so that cupsd
does not need CAP_DAC_OVERRIDE. This will make it possible to create a
sensible AppArmor/SELinux profile.
* debian/cupsys.preinst: Fix file permissions on upgrades (owner cupsys ->
root).
Removed:
cupsys/trunk/debian/patches/06_disable_backend_setuid.dpatch
cupsys/trunk/debian/patches/09_runasuser.dpatch
cupsys/trunk/debian/patches/09_runasuser_autoconf.dpatch
cupsys/trunk/debian/patches/10_external_pam_helper.dpatch
Modified:
cupsys/trunk/debian/NEWS
cupsys/trunk/debian/changelog
cupsys/trunk/debian/control
cupsys/trunk/debian/cupsys-client.postinst
cupsys/trunk/debian/cupsys.files
cupsys/trunk/debian/cupsys.init.d
cupsys/trunk/debian/cupsys.postinst
cupsys/trunk/debian/cupsys.preinst
cupsys/trunk/debian/patches/00list
cupsys/trunk/debian/patches/44_fixconfdirperms.dpatch
cupsys/trunk/debian/rules
Modified: cupsys/trunk/debian/NEWS
==============================================================================
--- cupsys/trunk/debian/NEWS (original)
+++ cupsys/trunk/debian/NEWS Thu Aug 2 12:45:13 2007
@@ -1,20 +1,3 @@
-cupsys (1.2.11-1) unstable; urgency=low
-
- * The cupsd server process now runs as a system user 'cupsys' instead of
- root. This limits the potential impact of any vulnerability in cupsd or
- one of its callouts to the printing configuration and jobs instead of
- offering a wide open vector for root compromise. This change and the
- upgrade should be transparent, thus this does not require any
- configuration change.
- * The groups of the cupsys system user ensures that cupsd can open parallel
- and USB printer devices (lp), serial printers (dialout), and
- printer/scanner combinations (scanner). For out-of-the box usage of the
- Snakeoil SSL certificate it is also in the ssl-cert group.
- * This version breaks the current cups-pdf package. A new version of
- cups-pdf is prepared and will be uploaded soon.
-
- -- Martin Pitt <mpitt at debian.org> Mon, 14 May 2007 09:18:48 +0200
-
cupsys (1.2.1-3) unstable; urgency=low
* The USB backend no longer supports the usb:/dev/foo
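Review bot: deleting the 1.2.11-1 NEWS entry outright leaves users who read in that entry that cupsd runs as the unprivileged 'cupsys' user with no notice that the daemon runs as root again and that the 'cupsys' account on their systems is no longer used. Rather than removing the history, replace it with a short entry for this version that states the revert and that AppArmor/SELinux profiles are the planned replacement, since the NEWS file is what apt-listchanges shows on upgrade.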
Modified: cupsys/trunk/debian/changelog
==============================================================================
--- cupsys/trunk/debian/changelog (original)
+++ cupsys/trunk/debian/changelog Thu Aug 2 12:45:13 2007
@@ -15,6 +15,32 @@
** Well, is it time to separate cupsys and cupsys-bin? (#233339) **
+ [ Martin Pitt ]
+ * Drop the derooting changes. It still has some regressions, and with
+ upstream not even acknowledging the need for improving cupsys' security we
+ will sit on this forever. This will be replaced by an AppArmor/SELinux
+ profiles in the future.
+ - Drop derooting related patches:
+ 06_disable_backend_setuid.dpatch
+ 10_external_pam_helper.dpatch
+ 09_runasuser.dpatch
+ 09_runasuser_autoconf.dpatch
+ - debian/cupsys{,-client}.postinst: Drop the 'cupsys' user setup and file
+ permission juggling.
+ - debian/rules:
+ + Drop --with-cups-user configure option.
+ + Do not modify the upstream default backend permissions.
+ - debian/cupsys.init.d: Do not touch log file permissions any more.
+ - debian/cupsys.files: Drop cups-check-pam-auth.
+ - debian/NEWS: Drop description of derooting changes.
+ - debian/control: Drop adduser dependency.
+ * debian/patches/44_fixconfdirperms.dpatch: Do not create
+ /var/run/cups/certs as lp:lpadmin, but as root:lpadmin, so that cupsd
+ does not need CAP_DAC_OVERRIDE. This will make it possible to create a
+ sensible AppArmor/SELinux profile.
+ * debian/cupsys.preinst: Fix file permissions on upgrades (owner cupsys ->
+ root).
+
-- Kenshi Muto <kmuto at debian.org> Sun, 15 Jul 2007 23:39:33 +0900
cupsys (1.2.12-1) unstable; urgency=low
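Review bot: in the added entry "replaced by an AppArmor/SELinux profiles" should read "replaced by AppArmor/SELinux profiles", and the list of dropped patches puts 10_external_pam_helper.dpatch before the two 09_runasuser patches, the reverse of their order in 00list. Also, the preinst hunk below hard-codes '1.2.12-2' as the first version with root-owned files; the version header of this entry is outside the hunk, so please double-check the two agree before upload.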
Modified: cupsys/trunk/debian/control
==============================================================================
--- cupsys/trunk/debian/control (original)
+++ cupsys/trunk/debian/control Thu Aug 2 12:45:13 2007
@@ -51,7 +51,7 @@
Priority: optional
Section: net
Architecture: any
-Depends: ${shlibs:Depends}, adduser (>= 3.12), debconf (>= 1.2.9) | debconf-2.0, poppler-utils | xpdf-utils, perl-modules, procps, gs-esp, lsb-base (>= 3), cupsys-common
+Depends: ${shlibs:Depends}, debconf (>= 1.2.9) | debconf-2.0, poppler-utils | xpdf-utils, perl-modules, procps, gs-esp, lsb-base (>= 3), cupsys-common
Replaces: cupsys-pstoraster
Conflicts: cupsys-pstoraster (<< 2)
Recommends: cupsys-client, smbclient (>= 3.0.9), foomatic-filters
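Review bot: dropping adduser from the Depends of cupsys is not safe while cupsys.postinst still runs `deluser root lpadmin || true` (visible as context in the postinst hunk at @@ -45,20 below). deluser comes from the adduser package, so on a system that does not have it installed via some other path the `|| true` masks a "command not found" and the removal of root from lpadmin silently never happens. Either keep the dependency, or switch that call to `gpasswd -d root lpadmin` from the essential passwd package.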
@@ -72,7 +72,7 @@
Priority: optional
Section: net
Architecture: any
-Depends: ${shlibs:Depends}, adduser, cupsys-common
+Depends: ${shlibs:Depends}, cupsys-common
Conflicts: lprng
Suggests: cupsys, kdeprint, gtklp, cupsys-pt, xpp, cupsys-bsd
Replaces: cupsys (<= 1.1.18-3)
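Review bot: same issue for cupsys-client: its postinst still calls `addgroup --system lpadmin` (the first context line of the cupsys-client.postinst hunk below), which is also the adduser package's command. Keep the Depends on adduser here, or change the group creation to `groupadd --system lpadmin` from passwd, otherwise a fresh install of cupsys-client on a minimal system fails before it reaches the lppasswd chown.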
Modified: cupsys/trunk/debian/cupsys-client.postinst
==============================================================================
--- cupsys/trunk/debian/cupsys-client.postinst (original)
+++ cupsys/trunk/debian/cupsys-client.postinst Thu Aug 2 12:45:13 2007
@@ -28,22 +28,7 @@
addgroup --system lpadmin
fi
- # Set up cupsys user.
- if [ -z "`getent passwd cupsys`" ]; then
- adduser --quiet --system --no-create-home --ingroup lpadmin cupsys
- fi
-
- # necessary for access to local parallel and usb printers
- adduser --quiet cupsys lp
- # necessary for access to local serial printers
- adduser --quiet cupsys dialout
- # necessary for access to printer/scanner combo devices
- if [ -z "`getent group scanner`" ]; then
- addgroup --system scanner
- fi
- adduser --quiet cupsys scanner
-
- chown cupsys:lpadmin /usr/bin/lppasswd
+ chown root:lpadmin /usr/bin/lppasswd
chmod u+s /usr/bin/lppasswd
;;
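Review bot: `chown root:lpadmin /usr/bin/lppasswd` followed by `chmod u+s` turns lppasswd from setuid-cupsys into setuid-root, so a bug in lppasswd now reaches the whole system rather than just the CUPS password file; that is the accepted cost of dropping derooting, but the script still re-applies the setuid bit unconditionally on every upgrade. Wrap the two lines in `if ! dpkg-statoverride --list /usr/bin/lppasswd >/dev/null 2>&1; then ... fi` so an administrator who removed the bit (the lppasswd man page text in 44_fixconfdirperms.dpatch explicitly invites "paranoid system administrators" to do so) does not get it re-added. The order chown-then-chmod is correct, since chown clears the setuid bit.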
Modified: cupsys/trunk/debian/cupsys.files
==============================================================================
--- cupsys/trunk/debian/cupsys.files (original)
+++ cupsys/trunk/debian/cupsys.files Thu Aug 2 12:45:13 2007
@@ -9,7 +9,6 @@
usr/lib/cups/daemon/cups-polld
usr/lib/cups/daemon/cups-deviced
usr/lib/cups/daemon/cups-driverd
-usr/lib/cups/daemon/cups-check-pam-auth
usr/lib/cups/filter/gziptoany
usr/lib/cups/filter/hpgltops
usr/lib/cups/filter/imagetops
Modified: cupsys/trunk/debian/cupsys.init.d
==============================================================================
--- cupsys/trunk/debian/cupsys.init.d (original)
+++ cupsys/trunk/debian/cupsys.init.d Thu Aug 2 12:45:13 2007
@@ -39,20 +39,8 @@
fi
chown cupsys:lp `dirname "$PIDFILE"`
- # create the logs file since cupsd can't
- for l in access_log page_log error_log; do
- [ -e /var/log/cups/$l ] || touch /var/log/cups/$l
- chmod 640 /var/log/cups/$l
- chown cupsys:lpadmin /var/log/cups/$l
- done
-
start-stop-daemon --start --quiet --oknodo --pidfile "$PIDFILE" --exec $DAEMON
- # Correct the permissions after starting the CUPS daemon
- for l in access_log page_log error_log; do
- chmod 640 /var/log/cups/$l || true
- chown cupsys:lpadmin /var/log/cups/$l || true
- done
log_end_msg $?
;;
stop)
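Review bot: the log file ownership loops are gone, but the context line `chown cupsys:lp \`dirname "$PIDFILE"\`` just above the removed block still names the cupsys user. Once the postinst scripts no longer create that account, a fresh install hits "invalid user" here and, with `set -e` in effect, the start action aborts before start-stop-daemon is reached. Change it to `chown root:lp`, or drop the line, since a root cupsd can create its own pidfile directory.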
@@ -64,11 +52,6 @@
log_begin_msg "Restarting $DESC: $NAME"
if start-stop-daemon --stop --quiet --retry 5 --oknodo --pidfile $PIDFILE --name $NAME; then
start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec $DAEMON
- # Correct the permissions after starting the CUPS daemon
- for l in access_log page_log error_log; do
- chmod 640 /var/log/cups/$l || true
- chown cupsys:lpadmin /var/log/cups/$l || true
- done
fi
log_end_msg $?
;;
Modified: cupsys/trunk/debian/cupsys.postinst
==============================================================================
--- cupsys/trunk/debian/cupsys.postinst (original)
+++ cupsys/trunk/debian/cupsys.postinst Thu Aug 2 12:45:13 2007
@@ -45,20 +45,6 @@
deluser root lpadmin || true
fi
- # Set up cupsys user.
- if [ -z "`getent passwd cupsys`" ]; then
- adduser --quiet --system --no-create-home --ingroup lpadmin cupsys
- fi
- # necessary for access to local parallel and usb printers
- adduser --quiet cupsys lp
- # necessary for access to local serial printers
- adduser --quiet cupsys dialout
- # necessary for access to printer/scanner combo devices
- if [ -z "`getent group scanner`" ]; then
- addgroup --system scanner
- fi
- adduser --quiet cupsys scanner
-
if [ -d /etc/cups/certs ]; then
rm -rf /etc/cups/certs
fi
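Review bot: removing the account setup leaves nothing that removes the 'cupsys' system user on upgrade from 1.2.11-1 or 1.2.12-1, so it stays in /etc/passwd with membership in lp, dialout and scanner, an orphaned account that still owns whatever files the preinst `chown -R root` does not cover (only five directories are listed there). Either add `if getent passwd cupsys >/dev/null; then deluser --quiet --system cupsys; fi` behind the same version check, or say in NEWS that the account is deliberately left in place.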
@@ -207,16 +193,6 @@
# /bin/echo "Browsing off" > /etc/cups/cups.d/browse.conf
#fi
- # permission configuration
- chown root:lp /etc/cups ; chmod 3755 /etc/cups
- chown cupsys:root /etc/cups/cupsd.conf ; chmod 644 /etc/cups/cupsd.conf
- chown -R cupsys:lp /etc/cups/ppd ; chmod 755 /etc/cups/ppd
- chown cupsys:shadow /usr/lib/cups/daemon/cups-check-pam-auth
- chmod 2754 /usr/lib/cups/daemon/cups-check-pam-auth
- if [ ! -d /var/run/cups/certs ]; then
- mkdir /var/run/cups/certs && chown cupsys:lpadmin /var/run/cups/certs \
- && chmod 511 /var/run/cups/certs
- fi
if [ -f /etc/cups/classes.conf ]; then
chown root:lp /etc/cups/classes.conf ; chmod 600 /etc/cups/classes.conf
fi
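Review bot: the changelog entry says /var/run/cups/certs is now created as root:lpadmin, but this hunk deletes the only creation in postinst and adds no replacement, so the directory will exist only because cupsd's check_permissions (the conf.c change in 44_fixconfdirperms.dpatch: owner 0, mode 0711, group SystemGroupIDs[0]) creates it at startup. That is workable, but reword the changelog to say so, since as written it reads as if the postinst still creates the directory with different ownership. Dropping `chown cupsys:shadow` / `chmod 2754` of cups-check-pam-auth is consistent with the helper being removed from cupsys.files.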
@@ -231,11 +207,6 @@
ln -s /opt/share/ppd /usr/share/ppd/2-third-party
fi
- # fix permissions for upgrades which might have written cache files as
- # root
- if [ -d /var/cache/cups ]; then
- chown -R cupsys:lp /var/cache/cups || true
- fi
;;
abort-upgrade|abort-remove|abort-deconfigure)
Modified: cupsys/trunk/debian/cupsys.preinst
==============================================================================
--- cupsys/trunk/debian/cupsys.preinst (original)
+++ cupsys/trunk/debian/cupsys.preinst Thu Aug 2 12:45:13 2007
@@ -51,6 +51,11 @@
# Remove obsolete /etc/cups/certs
[ -L /etc/cups/certs ] && rm -f /etc/cups/certs || true
+
+ # fix 'cupsys' -> 'root' file owner mode transition
+ if dpkg --compare-versions "$2" lt-nl '1.2.12-2'; then
+ chown -R root /etc/cups /var/log/cups /var/run/cups /var/cache/cups /var/spool/cups
+ fi
;;
abort-upgrade)
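Review bot: `chown -R root` over five directories with no existence check: /var/cache/cups and /var/run/cups may be absent when preinst runs (it runs before the new package's files are unpacked, and /var/run contents do not necessarily survive a reboot), and chown exits non-zero on a missing argument, which aborts the upgrade under `set -e`. Suggest `for d in /etc/cups /var/log/cups /var/run/cups /var/cache/cups /var/spool/cups; do [ -d "$d" ] && chown -R root "$d"; done` with `|| true` as the fallback. The `lt-nl` operator is the right choice (an empty $2 on fresh install counts as newer, so the chown is skipped), and note that only the owner changes, so the lpadmin/lp groups on logs and ppd are preserved, which matches the commit message. A one-line comment that -R on /var/spool/cups intentionally rewrites ownership of queued job files would help the next reader.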
Modified: cupsys/trunk/debian/patches/00list
==============================================================================
--- cupsys/trunk/debian/patches/00list (original)
+++ cupsys/trunk/debian/patches/00list Thu Aug 2 12:45:13 2007
@@ -1,11 +1,7 @@
02_configure.dpatch
04_freebsd.dpatch
#05_avoidunknowngroup.dpatch
-06_disable_backend_setuid.dpatch
07_removecvstag.dpatch
-09_runasuser.dpatch
-09_runasuser_autoconf.dpatch
-10_external_pam_helper.dpatch
11_pam.dpatch
12_quiesce_ipp_logging.dpatch
13_default_log_warn.dpatch
Modified: cupsys/trunk/debian/patches/44_fixconfdirperms.dpatch
==============================================================================
--- cupsys/trunk/debian/patches/44_fixconfdirperms.dpatch (original)
+++ cupsys/trunk/debian/patches/44_fixconfdirperms.dpatch Thu Aug 2 12:45:13 2007
@@ -5,9 +5,9 @@
## DP: No description.
@DPATCH@
-diff -urNad cupsys-1.2.3~/man/lppasswd.man cupsys-1.2.3/man/lppasswd.man
---- cupsys-1.2.3~/man/lppasswd.man 2006-03-20 15:29:09.000000000 +0000
-+++ cupsys-1.2.3/man/lppasswd.man 2006-08-31 13:10:46.000000000 +0000
+diff -urNad cups-1.2-ubuntu~/man/lppasswd.man cups-1.2-ubuntu/man/lppasswd.man
+--- cups-1.2-ubuntu~/man/lppasswd.man 2007-08-02 11:29:20.000000000 +0200
++++ cups-1.2-ubuntu/man/lppasswd.man 2007-08-02 12:41:34.000000000 +0200
@@ -59,6 +59,7 @@
that could grant super-user privileges to unprivileged users,
paranoid system administrators may wish to disable or change the
@@ -16,10 +16,10 @@
.SH SEE ALSO
\fIlp(1)\fR, \fIlpr(1)\fR,
.br
-diff -urNad cupsys-1.2.3~/scheduler/conf.c cupsys-1.2.3/scheduler/conf.c
---- cupsys-1.2.3~/scheduler/conf.c 2006-08-31 13:10:45.000000000 +0000
-+++ cupsys-1.2.3/scheduler/conf.c 2006-08-31 13:14:50.000000000 +0000
-@@ -548,22 +548,10 @@
+diff -urNad cups-1.2-ubuntu~/scheduler/conf.c cups-1.2-ubuntu/scheduler/conf.c
+--- cups-1.2-ubuntu~/scheduler/conf.c 2007-08-02 11:29:20.000000000 +0200
++++ cups-1.2-ubuntu/scheduler/conf.c 2007-08-02 12:42:35.000000000 +0200
+@@ -544,22 +544,10 @@
cupsdLogMessage(CUPSD_LOG_NOTICE,
"Group and SystemGroup cannot use the same groups!");
@@ -44,7 +44,7 @@
}
}
-@@ -617,21 +605,10 @@
+@@ -613,21 +601,10 @@
if (ServerCertificate[0] != '/')
cupsdSetStringf(&ServerCertificate, "%s/%s", ServerRoot, ServerCertificate);
@@ -66,12 +66,14 @@
# endif /* HAVE_LIBSSL || HAVE_GNUTLS */
#endif /* HAVE_SSL */
-@@ -644,11 +621,13 @@
+@@ -638,13 +615,15 @@
+
+ if (check_permissions(CacheDir, NULL, 0775, RunUser, Group, 1, 1) < 0 ||
check_permissions(StateDir, NULL, 0755, RunUser, Group, 1, 1) < 0 ||
- check_permissions(StateDir, "certs", RunUser ? 0711 : 0511, User,
+- check_permissions(StateDir, "certs", RunUser ? 0711 : 0511, User,
++ check_permissions(StateDir, "certs", 0711, 0,
SystemGroupIDs[0], 1, 1) < 0 ||
-- check_permissions(ServerRoot, NULL, 0755, RunUser, Group, 1, 0) < 0 ||
-+ check_permissions(ServerRoot, NULL, 03755, RunUser, Group, 1, 0) < 0 ||
+ check_permissions(ServerRoot, NULL, 0755, RunUser, Group, 1, 0) < 0 ||
check_permissions(ServerRoot, "ppd", 0755, RunUser, Group, 1, 1) < 0 ||
check_permissions(ServerRoot, "ssl", 0700, RunUser, Group, 1, 0) < 0 ||
+ /* Never alter permissions of central conffile
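Review bot: `## DP: No description.` (context at the top of this hunk) is stale for a patch that now carries three separate changes (the lppasswd man page note, the certs directory owner/mode, and the dropped ServerRoot 03755 hunk); put the changelog's rationale, "create certs as root:lpadmin so cupsd does not need CAP_DAC_OVERRIDE", on the DP: line. On the content: the new `check_permissions(StateDir, "certs", 0711, 0, SystemGroupIDs[0], 1, 1)` hard-codes owner 0 and loses upstream's `RunUser ? 0711 : 0511` case, which is fine while cupsd runs as root but will need revisiting if derooting returns. Dropping the 03755 ServerRoot hunk is consistent with the removed `chmod 3755 /etc/cups` in cupsys.postinst. The regenerated headers now reference cups-1.2-ubuntu instead of cupsys-1.2.3 paths; harmless since dpatch applies with -p1, but the Debian patch should carry Debian paths.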
Modified: cupsys/trunk/debian/rules
==============================================================================
--- cupsys/trunk/debian/rules (original)
+++ cupsys/trunk/debian/rules Thu Aug 2 12:45:13 2007
@@ -18,7 +18,7 @@
unpatch: deapply-dpatches
-DEB_CONFIGURE_EXTRA_FLAGS := --with-optim=$(DEB_OPTFLAGS) --libdir=/usr/lib --mandir=/usr/share/man --with-docdir=/usr/share/cups/doc-root --enable-slp --enable-libpaper --enable-ssl --enable-gnutls --disable-openssl --enable-threads --enable-static --enable-dbus --disable-pdftops --disable-launchd --with-cups-user=cupsys --with-cups-group=lp --with-system-groups=lpadmin
+DEB_CONFIGURE_EXTRA_FLAGS := --with-optim=$(DEB_OPTFLAGS) --libdir=/usr/lib --mandir=/usr/share/man --with-docdir=/usr/share/cups/doc-root --enable-slp --enable-libpaper --enable-ssl --enable-gnutls --disable-openssl --enable-threads --enable-static --enable-dbus --disable-pdftops --disable-launchd --with-cups-group=lp --with-system-groups=lpadmin
DEB_MAKE_INSTALL_TARGET := install BUILDROOT=$(DEB_DESTDIR)
DEB_INSTALL_CHANGELOGS_ALL := CHANGES.txt
DEB_DH_STRIP_ARGS := --dbg-package=cupsys-dbg
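Review bot: dropping `--with-cups-user=cupsys` reverts the User that cupsd drops to for filters and backends to the upstream configure default, which neither the changelog entry nor NEWS names. State the effective default in the changelog so administrators who read the 1.2.11-1 NEWS know which account now runs the filter chain, and so the remaining `chown cupsys:lp` in cupsys.init.d (still present as context in that hunk) is caught as a leftover.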
@@ -44,16 +44,6 @@
install -o root -g root -m 644 debian/cupsys.default debian/cupsys/etc/default/cupsys
install -m 755 debian/local/browsing_status debian/local/enable_browsing debian/local/sharing_status debian/local/enable_sharing $(DEB_DESTDIR)/../cupsys/usr/share/cups
- # install lpd backend suid root so that it can bind to port <
- # 1024 (required for RFC compliance)
- # disabled until we fix #427559 for good and flip
- # --enable-privilege-dropping back on
- #chown root:lp debian/cupsys/usr/lib/cups/backend-available/lpd
- #chmod 4754 debian/cupsys/usr/lib/cups/backend-available/lpd
-
- # upstream installs this as 0700 now which breaks as non-root
- chmod 755 debian/cupsys/usr/lib/cups/backend-available/ipp
-
# Install PPDs into /usr/share/ppd/cups-included/<Manufacturer>, see
# http://wiki.debian.org/PpdFileStructureSpecification
for i in $(DEB_DESTDIR)/../cupsys/usr/share/cups/model/*.ppd; do \