[Pkg-cups-devel] r578 - in cupsys/branches/cups-1.2-ubuntu/debian: . local

Martin Pitt mpitt at alioth.debian.org
Tue Aug 21 05:45:46 UTC 2007 

Author: mpitt
Date: Tue Aug 21 05:45:45 2007
New Revision: 578

Log:
* debian/local/apparmor-profile: Allow dac_override for now; this is
  slightly nasty, but cups chowns a lot of files (e. g. in
  /var/spool/cups/tmp) to 'lp' and thus cannot read/write them any more
  afterwards. Since we confine file access pretty tightly, this should not
  be much of a problem. (LP: #133015)

Modified:
   cupsys/branches/cups-1.2-ubuntu/debian/changelog
   cupsys/branches/cups-1.2-ubuntu/debian/local/apparmor-profile

Modified: cupsys/branches/cups-1.2-ubuntu/debian/changelog
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/changelog	(original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/changelog	Tue Aug 21 05:45:45 2007
@@ -1,8 +1,13 @@
 cupsys (1.3.0-3ubuntu1) UNRELEASED; urgency=low
 
   * Merge bugfixes from Debian.
+  * debian/local/apparmor-profile: Allow dac_override for now; this is
+    slightly nasty, but cups chowns a lot of files (e. g. in
+    /var/spool/cups/tmp) to 'lp' and thus cannot read/write them any more
+    afterwards. Since we confine file access pretty tightly, this should not
+    be much of a problem. (LP: #133015)
 
- -- Martin Pitt <martin.pitt at ubuntu.com>  Tue, 21 Aug 2007 07:30:37 +0200
+ -- Martin Pitt <martin.pitt at ubuntu.com>  Tue, 21 Aug 2007 07:43:25 +0200
 
 cupsys (1.3.0-3) unstable; urgency=low
 

Modified: cupsys/branches/cups-1.2-ubuntu/debian/local/apparmor-profile
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/local/apparmor-profile	(original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/local/apparmor-profile	Tue Aug 21 05:45:45 2007
@@ -22,6 +22,11 @@
   capability setgid,
   capability setuid,
 
+  # nasty, but we limit file access pretty tightly, and cups chowns a
+  # lot of files to 'lp' which it cannot read/write afterwards any
+  # more
+  capability dac_override,
+
   /bin/bash ixr,
   /bin/dash ixr,
   /bin/hostname ixr,

More information about the Pkg-cups-devel mailing list