[Pkg-cups-devel] Bug#427559: cupsd "run as user" changes in 1.2.11-2 breaks existing installations (no printing)

Kurt Pfeifle kurt.pfeifle at infotec.com
Tue Jun 5 13:25:21 UTC 2007


Martin Pitt wrote:
> tag 427559 confirmed
> retitle 427559 cupsys: make backend permissions behaviour compatible to upstream
> thanks
> 
> Hi Kurt,
> 
> Kurt Pfeifle [2007-06-04 23:19 +0200]:
>>  * you have changed cupsd to run as user cupsys, while upstream CUPS
>>    developers have dropped this again (and they gave very good reasons
>>    for that) when they released 1.2.0.
> 
> I had lots of conversations about this with upstream, and none of the
> reasons he gave justified running cups as root, but that's a different
> story.

Do you have a link to these conversations (if they were held in public,
not in private)?

>>  * in previous upstream versions when cupsd ran as an unprivileged user,
>>    it was possible to use "RunAsUser No" in cupsd.conf -- you have re-
>>    applied that old patch without keeping the user option to not follow
>>    your default.
> 
> Right, because upstream does not want to reintroduce it, so I don't
> want to make incompatible configuration file options.

You can't expect me to understand that logic without further explanations:

So it looks like it is OK for you...

  ...to make incompatible source code patches, incompatible binary builds,
     incompatible startup scripts resulting in an incompatible runtime
     behaviour of cupsd and backends --

but you frown on...

  ...adding a single new (old) configuration file option that would at
     least re-enable runtime behaviour compatibility with upstream?

>>  * you have removed the possibility to run individual backends as root
>>    (by simply giving them 0700 permissions and root ownership).
> 
> You can still do that, and it's done by default with lpd. The backends
> need to be set to root:lp 4754.

Thanks. I did not know this [and this change is (a) not documented,
(b) not compatible with upstream's behaviour, (c) not compatible with
upstream's documentation]

I'll try it.

However, I suspect that this will not work with some of the customer's
backends since some of them are written as Shell scripts. You can't run
shell scripts setuid root.

> Most of your problems seem to come from incompatible behavior of
> backend permissions. I agree that we need to do something about it.
> 
> Documenting it would be one possibility, but I think it is even better
> to change our cups to become compatible with upstream again wrt.
> backend permissions. This could be done by a single suid root 'backend
> runner' instead of having lots of suid root backends.

Do you already have a timescale for this? If so, please keep me in the
loop. Feel free to mail me in private as soon as you have something that
I can help testing and evaluating.

BTW, upstream was never completely opposed to changes that would let the
scheduler run as non-root. They just deemed the solution they used back
then as not appropriate, and not adding any effective gain in security
(while keeping the software fully functional). They also said that they
did not yet come up with a good/better solution themselves, and that they
are open to evaluate patches and code anyone feels he could contribute.
So maybe your idea of a "backend runner" is one such contribution.

About the real value of such an addition (possible gain in security) I'd
rather like to see real security experts evaluate that. I'm not qualified
for a verdict here.

I'm only qualified for a verdict about having lost functionality, having
lost compatibility, and having lost successful printouts.

> Thanks,
> 
> Martin


Cheers,
Kurt

-- 
Kurt Pfeifle
System & Network Printing Consultant ---- Linux/Unix/Windows/Samba/CUPS
Fon/Fax: +49-711-4017-5677/-2303  ...........  Mobile: +49-172-715.7017
Infotec Deutschland GmbH  .....................  Hedelfinger Strasse 58
A RICOH Company  ...........................  D-70327 Stuttgart/Germany 
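
The two backend permission conventions discussed in this message, as an added example that is not part of the original e-mail or of any CUPS or Debian code. It assumes the upstream rule is exactly "root-owned, mode 0700" and the Debian 1.2.11-2 rule is "root-owned, setuid, group-executable" (root:lp 4754) as stated in the thread; the function names are hypothetical and the group is not checked.

```python
import os
import stat
import sys

def classify_backend(mode, uid, head):
    """Classify a backend from st_mode, owner uid and its first two bytes.

    Returns (root_under_upstream, root_under_debian, note).
    """
    perms = stat.S_IMODE(mode)
    is_script = head.startswith(b"#!")
    # Upstream convention per the thread: root ownership and 0700 permissions.
    root_upstream = uid == 0 and (perms & 0o777) == 0o700
    # Debian 1.2.11-2 convention per the thread: root:lp 4754, i.e. setuid
    # root and executable by the group the unprivileged scheduler runs in.
    suid_root = uid == 0 and bool(perms & stat.S_ISUID) and bool(perms & stat.S_IXGRP)
    # Linux ignores the setuid bit on "#!" interpreter scripts.
    root_debian = suid_root and not is_script
    if suid_root and is_script:
        note = "setuid script: kernel ignores setuid, runs unprivileged"
    elif root_upstream:
        note = "root under upstream only; a non-root cupsd cannot exec it"
    elif root_debian:
        note = "setuid root binary: review as privileged code"
    else:
        note = "not run as root under either convention"
    return root_upstream, root_debian, note

def audit_dir(path):
    """Return one (name, octal mode, upstream, debian, note) row per file."""
    rows = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)
        if not stat.S_ISREG(st.st_mode):
            continue  # skip symlinks and subdirectories
        try:
            with open(full, "rb") as fh:
                head = fh.read(2)
        except OSError:
            head = b""  # unreadable, e.g. a 0700 root file seen as non-root
        result = classify_backend(st.st_mode, st.st_uid, head)
        rows.append((name, oct(stat.S_IMODE(st.st_mode))) + result)
    return rows

if __name__ == "__main__" and len(sys.argv) == 2:
    # Usage: pass the backend directory of the installation being audited.
    for row in audit_dir(sys.argv[1]):
        print(*row, sep="\t")
```
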