[Pkg-cups-devel] Bug#582441: /var/spool/cups-pdf/ANONYMOUS is inappropriately owned by nobody:nogroup

Roger Leigh rleigh at debian.org
Thu May 20 19:26:48 UTC 2010


Package: cups-pdf
Version: 2.5.0-14
Severity: normal

% ls -ld /var/spool/cups-pdf/ANONYMOUS 
drwxrwxrwt 2 nobody nogroup 4096 Jan 27  2009 /var/spool/cups-pdf/ANONYMOUS

This directory is world-writable with the sticky-bit set, which allows
any user to create files and directories in this location.  However, the
ownership is not appropriate; compare with /tmp:

% ls -ld /tmp
drwxrwxrwt 13 root root 300 May 20 20:20 /tmp

The ownership by nobody:nogroup gives processes run under this
UID and/or GID additional privileges to delete content under this
location.  Given that they are intended to be a restricted-privilege
user/group, this is not appropriate.  Ownership by root:root is
perfectly acceptable here (if you're creating files in here owned
by nobody:nogroup that will still work fine).


Regards,
Roger

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (550, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cups-pdf depends on:
ii  cups                        1.4.3-1      Common UNIX Printing System(tm) - 
ii  cups-client                 1.4.3-1      Common UNIX Printing System(tm) - 
ii  ghostscript                 8.71~dfsg2-3 The GPL Ghostscript PostScript/PDF
ii  libc6                       2.10.2-8     Embedded GNU C Library: Shared lib
ii  libpaper-utils              1.1.24       library for handling paper charact

cups-pdf recommends no packages.

Versions of packages cups-pdf suggests:
pn  system-config-printer-gnome | <none>     (no description available)

-- no debconf information
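
The ownership check described in the report, generalized to a whole directory tree, as an added example that is not part of the original message or of the cups-pdf package. The function name `misowned_sticky_dirs` is hypothetical; it uses only POSIX `find` and `ls`.

```shell
#!/bin/sh
# Added example (not from the bug report). In a sticky (+t) directory an
# entry may be removed or renamed only by the entry's owner, the
# directory's owner, or root, so who owns the directory matters.

# misowned_sticky_dirs ROOT [OWNER]
#   Lists every world-writable sticky directory at or below ROOT that is
#   not owned by OWNER (user name or numeric UID, default: root).
#   Returns 0 if none are found, 1 if any are found, 2 if ROOT is not a
#   directory.
misowned_sticky_dirs() {
    root=$1
    owner=${2:-root}
    if [ ! -d "$root" ]; then
        echo "misowned_sticky_dirs: $root is not a directory" >&2
        return 2
    fi
    # -perm -1002 matches only when both the sticky bit (1000) and
    # other-write (0002) are set; ! -user drops correctly owned ones.
    # ls -ldn prints numeric owner and group for each finding.
    found=$(find "$root" -xdev -type d -perm -1002 ! -user "$owner" \
                 -exec ls -ldn {} + 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Usage (paths taken from the report):
#   misowned_sticky_dirs /var/spool/cups-pdf
#   misowned_sticky_dirs /tmp
```

A non-zero return with a listed directory means the listed UID can delete or rename other users' entries there.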




