[Pkg-cups-devel] Bug#582441: /var/spool/cups-pdf/ANONYMOUS is inappropriately owned by nobody:nogroup
Roger Leigh
rleigh at debian.org
Thu May 20 19:26:48 UTC 2010
Package: cups-pdf
Version: 2.5.0-14
Severity: normal
% ls -ld /var/spool/cups-pdf/ANONYMOUS
drwxrwxrwt 2 nobody nogroup 4096 Jan 27 2009 /var/spool/cups-pdf/ANONYMOUS
This directory is world-writable with the sticky-bit set, which allows
any user to create files and directories in this location. However, the
ownership is not appropriate; compare with /tmp:
% ls -ld /tmp
drwxrwxrwt 13 root root 300 May 20 20:20 /tmp
The ownership by nobody:nogroup gives processes run under this
UID and/or GID additional privileges to delete content under this
location. Given that they are intended to be a restricted-privilege
user/group, this is not appropriate. Ownership by root:root is
perfectly acceptable here (if you're creating files in here owned
by nobody:nogroup that will still work fine).
Regards,
Roger
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (550, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages cups-pdf depends on:
ii cups 1.4.3-1 Common UNIX Printing System(tm) -
ii cups-client 1.4.3-1 Common UNIX Printing System(tm) -
ii ghostscript 8.71~dfsg2-3 The GPL Ghostscript PostScript/PDF
ii libc6 2.10.2-8 Embedded GNU C Library: Shared lib
ii libpaper-utils 1.1.24 library for handling paper charact
cups-pdf recommends no packages.
Versions of packages cups-pdf suggests:
pn system-config-printer-gnome | <none> (no description available)
-- no debconf information
More information about the Pkg-cups-devel
mailing list