[Pkg-cups-devel] r432 - in cupsys/branches/cups-1.2-ubuntu/debian: . patches

Martin Pitt mpitt at alioth.debian.org
Wed Feb 7 17:49:32 CET 2007


Author: mpitt
Date: Wed Feb  7 17:49:31 2007
New Revision: 432

Modified:
   cupsys/branches/cups-1.2-ubuntu/debian/changelog
   cupsys/branches/cups-1.2-ubuntu/debian/patches/09_runasuser.dpatch
Log:
* debian/patches/09_runasuser.dpatch: Drop root privileges of cups-polld
  after creating the socket. This allows cupsd to kill polld on shutdown,
  and has the nice side effect of improving security. Closes: LP#30965

Modified: cupsys/branches/cups-1.2-ubuntu/debian/changelog
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/changelog	(original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/changelog	Wed Feb  7 17:49:31 2007
@@ -1,9 +1,12 @@
-cupsys (1.2.7-4ubuntu2) feisty; urgency=low
+cupsys (1.2.7-4ubuntu2) UNRELEASED; urgency=low
 
   * debian/local/enable_sharing: Fix regex to find both 127.0.0.1 and
     'localhost' to fix enabling sharing the second time. Closes: LP#75903
+  * debian/patches/09_runasuser.dpatch: Drop root privileges of cups-polld
+    after creating the socket. This allows cupsd to kill polld on shutdown,
+    and has the nice side effect of improving security. Closes: LP#30965
 
- -- Martin Pitt <martin.pitt at ubuntu.com>  Wed,  7 Feb 2007 13:15:45 +0100
+ -- Martin Pitt <martin.pitt at ubuntu.com>  Wed,  7 Feb 2007 17:48:28 +0100
 
 cupsys (1.2.7-4ubuntu1) feisty; urgency=low
 

Modified: cupsys/branches/cups-1.2-ubuntu/debian/patches/09_runasuser.dpatch
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/patches/09_runasuser.dpatch	(original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/patches/09_runasuser.dpatch	Wed Feb  7 17:49:31 2007
@@ -5,10 +5,10 @@
 ## DP: No description.
 
 @DPATCH@
-diff -urNad cups-1.2~/config-scripts/cups-defaults.m4 cups-1.2/config-scripts/cups-defaults.m4
---- cups-1.2~/config-scripts/cups-defaults.m4	2006-04-25 12:17:52.000000000 +0200
-+++ cups-1.2/config-scripts/cups-defaults.m4	2006-04-25 12:18:56.000000000 +0200
-@@ -218,6 +218,17 @@
+diff -urNad cups-1.2-ubuntu~/config-scripts/cups-defaults.m4 cups-1.2-ubuntu/config-scripts/cups-defaults.m4
+--- cups-1.2-ubuntu~/config-scripts/cups-defaults.m4	2006-11-16 14:34:44.000000000 +0100
++++ cups-1.2-ubuntu/config-scripts/cups-defaults.m4	2007-02-07 17:47:54.000000000 +0100
+@@ -220,6 +220,17 @@
  AC_DEFINE_UNQUOTED(CUPS_DEFAULT_GROUP, "$CUPS_GROUP")
  AC_DEFINE_UNQUOTED(CUPS_DEFAULT_SYSTEM_GROUPS, "$CUPS_SYSTEM_GROUPS")
  
@@ -24,11 +24,11 @@
 +AC_SUBST(CUPS_DROP_PRIVILEGES)
 +
  dnl Default printcap file...
- AC_ARG_WITH(printcap, [  --with-printcap     set default printcap file],
+ AC_ARG_WITH(printcap, [  --with-printcap         set default printcap file],
  	default_printcap="$withval",
-diff -urNad cups-1.2~/config.h.in cups-1.2/config.h.in
---- cups-1.2~/config.h.in	2006-04-25 12:17:52.000000000 +0200
-+++ cups-1.2/config.h.in	2006-04-25 12:18:56.000000000 +0200
+diff -urNad cups-1.2-ubuntu~/config.h.in cups-1.2-ubuntu/config.h.in
+--- cups-1.2-ubuntu~/config.h.in	2006-11-02 21:01:54.000000000 +0100
++++ cups-1.2-ubuntu/config.h.in	2007-02-07 17:47:54.000000000 +0100
 @@ -41,6 +41,11 @@
  #define CUPS_DEFAULT_GROUP	"sys"
  #define CUPS_DEFAULT_SYSTEM_GROUPS	"sys root system"
@@ -41,9 +41,9 @@
  
  /*
   * Default file permissions...
-diff -urNad cups-1.2~/scheduler/cert.c cups-1.2/scheduler/cert.c
---- cups-1.2~/scheduler/cert.c	2006-04-25 12:17:52.000000000 +0200
-+++ cups-1.2/scheduler/cert.c	2006-04-25 12:18:56.000000000 +0200
+diff -urNad cups-1.2-ubuntu~/scheduler/cert.c cups-1.2-ubuntu/scheduler/cert.c
+--- cups-1.2-ubuntu~/scheduler/cert.c	2006-04-07 16:39:46.000000000 +0200
++++ cups-1.2-ubuntu/scheduler/cert.c	2007-02-07 17:47:54.000000000 +0100
 @@ -116,7 +116,7 @@
      * Root certificate...
      */
@@ -53,10 +53,10 @@
      fchown(fd, RunUser, SystemGroupIDs[0]);
  
      cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddCert: NumSystemGroups=%d",
-diff -urNad cups-1.2~/scheduler/conf.c cups-1.2/scheduler/conf.c
---- cups-1.2~/scheduler/conf.c	2006-04-25 12:17:52.000000000 +0200
-+++ cups-1.2/scheduler/conf.c	2006-04-25 12:18:56.000000000 +0200
-@@ -460,7 +460,11 @@
+diff -urNad cups-1.2-ubuntu~/scheduler/conf.c cups-1.2-ubuntu/scheduler/conf.c
+--- cups-1.2-ubuntu~/scheduler/conf.c	2007-02-07 17:47:53.000000000 +0100
++++ cups-1.2-ubuntu/scheduler/conf.c	2007-02-07 17:47:54.000000000 +0100
+@@ -465,7 +465,11 @@
    if (!status)
      return (0);
  
@@ -67,11 +67,44 @@
 +#endif
  
   /*
-   * Use the default system group if none was supplied in cupsd.conf...
-diff -urNad cups-1.2~/scheduler/main.c cups-1.2/scheduler/main.c
---- cups-1.2~/scheduler/main.c	2006-04-25 12:17:52.000000000 +0200
-+++ cups-1.2/scheduler/main.c	2006-04-25 12:19:17.000000000 +0200
-@@ -56,6 +56,9 @@
+   * See if the ServerName is an IP address...
+diff -urNad cups-1.2-ubuntu~/scheduler/cups-polld.c cups-1.2-ubuntu/scheduler/cups-polld.c
+--- cups-1.2-ubuntu~/scheduler/cups-polld.c	2006-08-23 22:55:33.000000000 +0200
++++ cups-1.2-ubuntu/scheduler/cups-polld.c	2007-02-07 17:48:04.000000000 +0100
+@@ -34,6 +34,9 @@
+  * Include necessary headers...
+  */
+ 
++#include "config.h"
++#include <pwd.h>
++
+ #include <cups/http-private.h>
+ #include <cups/cups.h>
+ #include <stdlib.h>
+@@ -150,6 +153,19 @@
+   }
+ 
+  /*
++  * Drop our privileges to the cupsd scheduler user
++  */
++#if CUPS_DROP_PRIVILEGES == 1
++  struct passwd * pwd = getpwnam(CUPS_DEFAULT_USER);
++  if (!pwd) {
++    fprintf(stderr, "ERROR: could not get passwd data for user " CUPS_DEFAULT_USER "\n");
++    exit(1);
++  }
++  setgid(pwd->pw_gid);
++  setuid(pwd->pw_uid);
++#endif
++
++ /*
+   * Loop forever, asking for available printers and classes...
+   */
+ 
+diff -urNad cups-1.2-ubuntu~/scheduler/main.c cups-1.2-ubuntu/scheduler/main.c
+--- cups-1.2-ubuntu~/scheduler/main.c	2006-11-14 17:35:27.000000000 +0100
++++ cups-1.2-ubuntu/scheduler/main.c	2007-02-07 17:47:54.000000000 +0100
+@@ -58,6 +58,9 @@
  #include <sys/resource.h>
  #include <syslog.h>
  #include <grp.h>
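Review bot: The return values of `setgid(pwd->pw_gid)` and `setuid(pwd->pw_uid)` in the cups-polld.c addition are ignored, so if either call fails, polld continues into the polling loop with root privileges and no error message. Checking both closes that gap, e.g. `if (setgid(pwd->pw_gid) || setuid(pwd->pw_uid)) { perror("ERROR: unable to drop privileges"); exit(1); }`, in line with the `if (setuid(User)) exit(errno);` pattern visible in the process.c context further down this patch. The supplementary group list, presumably inherited from the process that starts polld, is also left in place; a checked `setgroups(1, &pwd->pw_gid)` before `setgid()` would reset it, and needs `<grp.h>`, which this hunk does not add to cups-polld.c. The enclosing function in cups-polld.c starts and ends outside the hunk.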
@@ -81,7 +114,7 @@
  
  #ifdef HAVE_LAUNCH_H
  #  include <launch.h>
-@@ -515,6 +518,20 @@
+@@ -536,6 +539,20 @@
    cupsdStartSystemMonitor();
  #endif /* __APPLE__ */
  
@@ -102,7 +135,7 @@
   /*
    * Start any pending print jobs...
    */
-@@ -998,7 +1015,7 @@
+@@ -1037,7 +1054,7 @@
      */
  
      if ((current_time - RootCertTime) >= RootCertDuration && RootCertDuration &&
@@ -113,7 +146,7 @@
        * Update the root certificate...
 diff -urNad cups-1.2-ubuntu~/scheduler/process.c cups-1.2-ubuntu/scheduler/process.c
 --- cups-1.2-ubuntu~/scheduler/process.c	2006-04-06 22:32:07.000000000 +0200
-+++ cups-1.2-ubuntu/scheduler/process.c	2006-04-24 19:16:09.000000000 +0200
++++ cups-1.2-ubuntu/scheduler/process.c	2007-02-07 17:47:54.000000000 +0100
 @@ -245,15 +245,6 @@
        if (setuid(User))
          exit(errno);


