[Pkg-cups-devel] Bug#692791: Proposed patch now available...

Michael Sweet msweet at apple.com
Tue Nov 27 13:00:07 UTC 2012


Didier,

On 2012-11-27, at 6:45 AM, Didier 'OdyX' Raboud <odyx at debian.org> wrote:
> ...
> While it's a nice long-term solution for new cups installs, I'm afraid it's 
> not suitable as a security hotfix (so probably not targeted at Debian testing 
> nor stable): the administrator has to handle the configuration files split un 
> himself. In addition to that, web-modified cupsd.conf is very likely to hinder 
> the automatic configuration stanza's split.

A package update can lay down a new cups-files.conf, and it shouldn't be hard to do a short migration script that copies the dozen or so affected directives from cupsd.conf to the new cups-files.conf file.  I guess it just depends on whether you want to close this particular hole and how you want to deal with it.

CUPS 1.6.2 will ship with the split configuration files and a warning to error_log when the cupsd.conf file contains directives that should be moved.

A simpler (but less complete) fix for CUPS 1.5.x and earlier would be to blacklist /etc and /dev for the logs - we wanted something more complete.

> On the longer term (for Jessie), I think web-modifiable cupsd.conf (and 
> printers.conf) should be moved to /var/lib/cupsd/ and I think we should stick 
> to this new cups configuration files handling.

Back in the day when we were adapting CUPS to the FHS (1.0, 2.0? I don't remember) we decided not to use /var/lib because /etc is the place for editable configuration files and /var/lib is the place for files that are managed by software.  printers.conf, classes.conf, and cupsd.conf *are* user-editable files (even if that isn't the typical case for classes.conf and printers.conf). *If* we move to a non-editable format in the future (likely for CUPS 2.0) we will definitely restructure things to put those files in /var/lib.

I don't advise that you try to patch current CUPS to use /var/lib/cupsd for cupsd stuff and /etc/cups for everything else since the current code assumes that all CUPS configuration files are in one location.  The patch will be very very messy and hard to maintain.

__________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
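
The migration step discussed above, sketched as an added example (not code from this message, from CUPS, or from the Debian package). The directive list is an assumption taken from the cups-files.conf documentation, and the function names `split_cupsd_conf` and `risky_log_paths` are hypothetical. The second function reports log directives that point under /etc or /dev, the locations the message names for the simpler fix.

```python
import posixpath

# Assumption: directive names come from the cups-files.conf documentation,
# not from this thread; verify them against the CUPS release being packaged.
FILES_DIRECTIVES = frozenset(n.lower() for n in """
    AccessLog CacheDir ConfigFilePerm DataDir DocumentRoot ErrorLog
    FatalErrors FileDevice FontPath Group LogFilePerm LPDConfigFile
    PageLog Printcap PrintcapFormat RemoteRoot RequestRoot ServerBin
    ServerCertificate ServerKey ServerRoot SMBConfigFile StateDir
    SystemGroup TempDir User
""".split())
LOG_DIRECTIVES = {"accesslog", "errorlog", "pagelog"}

def split_cupsd_conf(text):
    """Return (remaining cupsd.conf text, cups-files.conf text)."""
    keep, moved, depth = [], [], 0
    for line in text.splitlines():
        s = line.strip()
        name = s.split(None, 1)[0].lower() if s else ""
        if s.startswith("</"):          # leaving a <Location>/<Policy> block
            depth = max(depth - 1, 0)
        elif s.startswith("<"):         # entering a block
            depth += 1
        elif depth == 0 and name in FILES_DIRECTIVES:
            moved.append(s)             # top-level directive to migrate
            continue
        keep.append(line)               # comments, blocks, everything else
    return "\n".join(keep) + "\n", "".join(m + "\n" for m in moved)

def risky_log_paths(files_conf):
    """List log directives whose target is under /etc or /dev."""
    hits = []
    for line in files_conf.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in LOG_DIRECTIVES:
            path = posixpath.normpath(parts[1].strip())
            if path.startswith(("/etc/", "/dev/")):
                hits.append(line)
    return hits

# Constructed sample input, not a real system's configuration.
SAMPLE = """\
LogLevel warn
ErrorLog /var/log/cups/error_log
# PageLog /var/log/cups/page_log
systemgroup lpadmin
PageLog /etc/cups/page_log
<Location /admin>
  Require user @SYSTEM
</Location>
"""
```

A maintainer script would write the two returned strings to cupsd.conf and cups-files.conf and refuse or warn on anything `risky_log_paths` returns.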


