[Pkg-cups-devel] r503 - in cupsys/branches/cups-1.2-ubuntu/debian: . patches
Martin Pitt
mpitt at alioth.debian.org
Thu Aug 2 11:50:40 UTC 2007
Author: mpitt
Date: Thu Aug 2 11:50:39 2007
New Revision: 503
Log:
* Drop our derooting changes. It still has some regressions, and with
upstream not even acknowledging the need for improving cupsys' security we
will sit on this forever. (LP: #119289, LP: #129634)
- Drop derooting related patches:
06_disable_backend_setuid.dpatch
10_external_pam_helper.dpatch
09_runasuser.dpatch
09_runasuser_autoconf.dpatch
- debian/cupsys{,-client}.postinst: Drop the 'cupsys' user setup and file
permission juggling.
- debian/rules:
+ Drop --with-cups-user and --enable-privilege-dropping configure
options.
+ Do not modify the upstream default backend permissions.
- debian/cupsys.init.d: Do not touch log file permissions any more.
- debian/cupsys.files: Drop cups-check-pam-auth.
- debian/NEWS: Drop description of derooting changes.
- debian/control: Drop adduser dependency.
* debian/patches/44_fixconfdirperms.dpatch: Do not create
/var/run/cups/certs as lp:lpadmin, but as root:lpadmin, so that cupsd
does not need CAP_DAC_OVERRIDE. This will make it possible to create a
sensible AppArmor profile.
Removed:
cupsys/branches/cups-1.2-ubuntu/debian/patches/06_disable_backend_setuid.dpatch
cupsys/branches/cups-1.2-ubuntu/debian/patches/09_runasuser.dpatch
cupsys/branches/cups-1.2-ubuntu/debian/patches/09_runasuser_autoconf.dpatch
cupsys/branches/cups-1.2-ubuntu/debian/patches/10_external_pam_helper.dpatch
Modified:
cupsys/branches/cups-1.2-ubuntu/debian/NEWS
cupsys/branches/cups-1.2-ubuntu/debian/changelog
cupsys/branches/cups-1.2-ubuntu/debian/control
cupsys/branches/cups-1.2-ubuntu/debian/cupsys-client.postinst
cupsys/branches/cups-1.2-ubuntu/debian/cupsys.files
cupsys/branches/cups-1.2-ubuntu/debian/cupsys.init.d
cupsys/branches/cups-1.2-ubuntu/debian/cupsys.postinst
cupsys/branches/cups-1.2-ubuntu/debian/patches/00list
cupsys/branches/cups-1.2-ubuntu/debian/patches/44_fixconfdirperms.dpatch
cupsys/branches/cups-1.2-ubuntu/debian/rules
Modified: cupsys/branches/cups-1.2-ubuntu/debian/NEWS
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/NEWS (original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/NEWS Thu Aug 2 11:50:39 2007
@@ -1,20 +1,3 @@
-cupsys (1.2.11-1) unstable; urgency=low
-
- * The cupsd server process now runs as a system user 'cupsys' instead of
- root. This limits the potential impact of any vulnerability in cupsd or
- one of its callouts to the printing configuration and jobs instead of
- offering a wide open vector for root compromise. This change and the
- upgrade should be transparent, thus this does not require any
- configuration change.
- * The groups of the cupsys system user ensures that cupsd can open parallel
- and USB printer devices (lp), serial printers (dialout), and
- printer/scanner combinations (scanner). For out-of-the box usage of the
- Snakeoil SSL certificate it is also in the ssl-cert group.
- * This version breaks the current cups-pdf package. A new version of
- cups-pdf is prepared and will be uploaded soon.
-
- -- Martin Pitt <mpitt at debian.org> Mon, 14 May 2007 09:18:48 +0200
-
cupsys (1.2.1-3) unstable; urgency=low
* The USB backend no longer supports the usb:/dev/foo
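Review bot: Deleting the whole 1.2.11-1 entry at the top of debian/NEWS leaves no user-visible record that cupsd goes back to running as root. Anyone who received that entry was told the daemon runs as the 'cupsys' system user, so rather than only removing the text, add a new entry for this version stating that the derooting changes were dropped and that cupsd runs as root again.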
Modified: cupsys/branches/cups-1.2-ubuntu/debian/changelog
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/changelog (original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/changelog Thu Aug 2 11:50:39 2007
@@ -1,3 +1,30 @@
+cupsys (1.2.12-1ubuntu2) UNRELEASED; urgency=low
+
+ * Drop our derooting changes. It still has some regressions, and with
+ upstream not even acknowledging the need for improving cupsys' security we
+ will sit on this forever. (LP: #119289, LP: #129634)
+ - Drop derooting related patches:
+ 06_disable_backend_setuid.dpatch
+ 10_external_pam_helper.dpatch
+ 09_runasuser.dpatch
+ 09_runasuser_autoconf.dpatch
+ - debian/cupsys{,-client}.postinst: Drop the 'cupsys' user setup and file
+ permission juggling.
+ - debian/rules:
+ + Drop --with-cups-user and --enable-privilege-dropping configure
+ options.
+ + Do not modify the upstream default backend permissions.
+ - debian/cupsys.init.d: Do not touch log file permissions any more.
+ - debian/cupsys.files: Drop cups-check-pam-auth.
+ - debian/NEWS: Drop description of derooting changes.
+ - debian/control: Drop adduser dependency.
+ * debian/patches/44_fixconfdirperms.dpatch: Do not create
+ /var/run/cups/certs as lp:lpadmin, but as root:lpadmin, so that cupsd
+ does not need CAP_DAC_OVERRIDE. This will make it possible to create a
+ sensible AppArmor profile.
+
+ -- Martin Pitt <martin.pitt at ubuntu.com> Thu, 02 Aug 2007 13:41:16 +0200
+
cupsys (1.2.12-1ubuntu1) gutsy; urgency=low
* Merge to Debian's svn head to get upstream fixes.
Modified: cupsys/branches/cups-1.2-ubuntu/debian/control
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/control (original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/control Thu Aug 2 11:50:39 2007
@@ -52,7 +52,7 @@
Priority: optional
Section: net
Architecture: any
-Depends: ${shlibs:Depends}, adduser (>= 3.12), debconf (>= 1.2.9) | debconf-2.0, poppler-utils | xpdf-utils, perl-modules, procps, gs-esp, lsb-base (>= 3), cupsys-common, ssl-cert (>= 1.0.11), sysv-rc (>= 2.86.ds1-14.1ubuntu2)
+Depends: ${shlibs:Depends}, debconf (>= 1.2.9) | debconf-2.0, poppler-utils | xpdf-utils, perl-modules, procps, gs-esp, lsb-base (>= 3), cupsys-common, ssl-cert (>= 1.0.11), sysv-rc (>= 2.86.ds1-14.1ubuntu2)
Replaces: cupsys-pstoraster
Conflicts: cupsys-pstoraster (<< 2)
Recommends: cupsys-client, smbclient (>= 3.0.9), foomatic-filters
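Review bot: Dropping adduser from the Depends line of this stanza (the one that Recommends cupsys-client) looks premature, because debian/cupsys.postinst in this same commit still runs `deluser root lpadmin || true` as an unchanged context line, and deluser ships in the adduser package. The `|| true` hides the failure, so without adduser installed that call would silently do nothing. Keep adduser in Depends for as long as a maintainer script calls it.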
@@ -73,7 +73,7 @@
Priority: optional
Section: net
Architecture: any
-Depends: ${shlibs:Depends}, adduser, cupsys-common
+Depends: ${shlibs:Depends}, cupsys-common
Conflicts: lprng
Suggests: cupsys, kdeprint, gtklp, cupsys-pt, xpp, cupsys-bsd
Replaces: cupsys (<= 1.1.18-3)
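Review bot: The adduser dependency removed from `Depends: ${shlibs:Depends}, adduser, cupsys-common` is still needed if this stanza is cupsys-client, as its Suggests: cupsys line indicates. debian/cupsys-client.postinst keeps `addgroup --system lpadmin` as an unchanged context line in this commit, and addgroup is provided by adduser, so a fresh install without adduser would fail in postinst. Leave adduser in Depends here.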
Modified: cupsys/branches/cups-1.2-ubuntu/debian/cupsys-client.postinst
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/cupsys-client.postinst (original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/cupsys-client.postinst Thu Aug 2 11:50:39 2007
@@ -28,22 +28,7 @@
addgroup --system lpadmin
fi
- # Set up cupsys user.
- if [ -z "`getent passwd cupsys`" ]; then
- adduser --quiet --system --no-create-home --ingroup lpadmin cupsys
- fi
-
- # necessary for access to local parallel and usb printers
- adduser --quiet cupsys lp
- # necessary for access to local serial printers
- adduser --quiet cupsys dialout
- # necessary for access to printer/scanner combo devices
- if [ -z "`getent group scanner`" ]; then
- addgroup --system scanner
- fi
- adduser --quiet cupsys scanner
-
- chown cupsys:lpadmin /usr/bin/lppasswd
+ chown root:lpadmin /usr/bin/lppasswd
chmod u+s /usr/bin/lppasswd
;;
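Review bot: With the owner switched to root in `chown root:lpadmin /usr/bin/lppasswd`, the unchanged `chmod u+s /usr/bin/lppasswd` on the next line now makes lppasswd setuid root instead of setuid cupsys. That is a real privilege change for this binary, but the changelog only describes it as dropping "file permission juggling". State explicitly in the changelog that lppasswd is setuid root again, and add a short comment above the chown explaining why root ownership is required.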
Modified: cupsys/branches/cups-1.2-ubuntu/debian/cupsys.files
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/cupsys.files (original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/cupsys.files Thu Aug 2 11:50:39 2007
@@ -9,7 +9,6 @@
usr/lib/cups/daemon/cups-polld
usr/lib/cups/daemon/cups-deviced
usr/lib/cups/daemon/cups-driverd
-usr/lib/cups/daemon/cups-check-pam-auth
usr/lib/cups/filter/gziptoany
usr/lib/cups/filter/hpgltops
usr/lib/cups/filter/imagetops
Modified: cupsys/branches/cups-1.2-ubuntu/debian/cupsys.init.d
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/cupsys.init.d (original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/cupsys.init.d Thu Aug 2 11:50:39 2007
@@ -39,20 +39,8 @@
fi
chown cupsys:lp `dirname "$PIDFILE"`
- # create the logs file since cupsd can't
- for l in access_log page_log error_log; do
- [ -e /var/log/cups/$l ] || touch /var/log/cups/$l
- chmod 640 /var/log/cups/$l
- chown cupsys:lpadmin /var/log/cups/$l
- done
-
start-stop-daemon --start --quiet --oknodo --pidfile "$PIDFILE" --exec $DAEMON
- # Correct the permissions after starting the CUPS daemon
- for l in access_log page_log error_log; do
- chmod 640 /var/log/cups/$l || true
- chown cupsys:lpadmin /var/log/cups/$l || true
- done
log_end_msg $?
;;
stop)
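Review bot: The context line `chown cupsys:lp `dirname "$PIDFILE"`` at the top of this hunk still refers to the cupsys user, which the postinst scripts in this commit no longer create. On a fresh install the chown will fail with an unknown user, and on an upgraded system it hands the PID file directory to an account that cupsd no longer runs as. Change the owner to root:lp or drop the chown together with the log file loops removed here.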
@@ -64,11 +52,6 @@
log_begin_msg "Restarting $DESC: $NAME"
if start-stop-daemon --stop --quiet --retry 5 --oknodo --pidfile $PIDFILE --name $NAME; then
start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec $DAEMON
- # Correct the permissions after starting the CUPS daemon
- for l in access_log page_log error_log; do
- chmod 640 /var/log/cups/$l || true
- chown cupsys:lpadmin /var/log/cups/$l || true
- done
fi
log_end_msg $?
;;
Modified: cupsys/branches/cups-1.2-ubuntu/debian/cupsys.postinst
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/cupsys.postinst (original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/cupsys.postinst Thu Aug 2 11:50:39 2007
@@ -45,20 +45,6 @@
deluser root lpadmin || true
fi
- # Set up cupsys user.
- if [ -z "`getent passwd cupsys`" ]; then
- adduser --quiet --system --no-create-home --ingroup lpadmin cupsys
- fi
- # necessary for access to local parallel and usb printers
- adduser --quiet cupsys lp
- # necessary for access to local serial printers
- adduser --quiet cupsys dialout
- # necessary for access to printer/scanner combo devices
- if [ -z "`getent group scanner`" ]; then
- addgroup --system scanner
- fi
- adduser --quiet cupsys scanner
-
if [ -d /etc/cups/certs ]; then
rm -rf /etc/cups/certs
fi
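Review bot: Removing the account setup at `adduser --quiet --system --no-create-home --ingroup lpadmin cupsys` handles fresh installs only; nothing in this hunk or elsewhere in the script cleans up on upgrade. Systems that ran the previous version keep an unused cupsys account that is still a member of lpadmin, lp, dialout and scanner (and ssl-cert, from the `adduser cupsys ssl-cert` call dropped in a later hunk). Add an upgrade branch that removes those memberships or deletes the account when upgrading from a version that created it.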
@@ -223,16 +209,6 @@
# /bin/echo "Browsing off" > /etc/cups/cups.d/browse.conf
#fi
- # permission configuration
- chown root:lp /etc/cups ; chmod 3755 /etc/cups
- chown cupsys:root /etc/cups/cupsd.conf ; chmod 644 /etc/cups/cupsd.conf
- chown -R cupsys:lp /etc/cups/ppd ; chmod 755 /etc/cups/ppd
- chown cupsys:shadow /usr/lib/cups/daemon/cups-check-pam-auth
- chmod 2754 /usr/lib/cups/daemon/cups-check-pam-auth
- if [ ! -d /var/run/cups/certs ]; then
- mkdir /var/run/cups/certs && chown cupsys:lpadmin /var/run/cups/certs \
- && chmod 511 /var/run/cups/certs
- fi
if [ -f /etc/cups/classes.conf ]; then
chown root:lp /etc/cups/classes.conf ; chmod 600 /etc/cups/classes.conf
fi
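Review bot: The removed "permission configuration" block is not replaced by anything that resets ownership, so on upgrade /etc/cups/cupsd.conf stays `cupsys:root` mode 644, /etc/cups/ppd stays `cupsys:lp`, and /var/run/cups/certs stays `cupsys:lpadmin`. With cupsd running as root again, that leaves its main configuration file writable by an unprivileged account. Add a one-time chown back to root for these paths when upgrading from a version that carried the derooting changes, and decide explicitly whether /etc/cups should keep mode 3755.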
@@ -247,12 +223,6 @@
ln -s /opt/share/ppd /usr/share/ppd/2-third-party
fi
- # fix permissions for upgrades which might have written cache files as
- # root
- if [ -d /var/cache/cups ]; then
- chown -R cupsys:lp /var/cache/cups || true
- fi
-
# symlink snakeoil SSL certificate if present
if [ -e /etc/ssl/certs/ssl-cert-snakeoil.pem -a \
-e /etc/ssl/private/ssl-cert-snakeoil.key -a \
@@ -260,7 +230,6 @@
! -e /etc/cups/ssl/server.key ]; then
ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/cups/ssl/server.crt
ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/cups/ssl/server.key
- adduser cupsys ssl-cert
fi
# Remove shutdown and reboot links; this init script does not need them.
Modified: cupsys/branches/cups-1.2-ubuntu/debian/patches/00list
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/patches/00list (original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/patches/00list Thu Aug 2 11:50:39 2007
@@ -1,11 +1,7 @@
02_configure.dpatch
04_freebsd.dpatch
#05_avoidunknowngroup.dpatch
-06_disable_backend_setuid.dpatch
07_removecvstag.dpatch
-09_runasuser.dpatch
-09_runasuser_autoconf.dpatch
-10_external_pam_helper.dpatch
11_pam.dpatch
12_quiesce_ipp_logging.dpatch
13_default_log_warn.dpatch
Modified: cupsys/branches/cups-1.2-ubuntu/debian/patches/44_fixconfdirperms.dpatch
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/patches/44_fixconfdirperms.dpatch (original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/patches/44_fixconfdirperms.dpatch Thu Aug 2 11:50:39 2007
@@ -5,9 +5,9 @@
## DP: No description.
@DPATCH@
-diff -urNad cupsys-1.2.3~/man/lppasswd.man cupsys-1.2.3/man/lppasswd.man
---- cupsys-1.2.3~/man/lppasswd.man 2006-03-20 15:29:09.000000000 +0000
-+++ cupsys-1.2.3/man/lppasswd.man 2006-08-31 13:10:46.000000000 +0000
+diff -urNad cups-1.2-ubuntu~/man/lppasswd.man cups-1.2-ubuntu/man/lppasswd.man
+--- cups-1.2-ubuntu~/man/lppasswd.man 2007-08-02 11:29:20.000000000 +0200
++++ cups-1.2-ubuntu/man/lppasswd.man 2007-08-02 12:41:34.000000000 +0200
@@ -59,6 +59,7 @@
that could grant super-user privileges to unprivileged users,
paranoid system administrators may wish to disable or change the
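Review bot: The dpatch header kept as context here still reads `## DP: No description.` even though this commit changes what the patch does. Replace it with a DP line that says the patch creates /var/run/cups/certs as root:lpadmin so that cupsd does not need CAP_DAC_OVERRIDE, matching the changelog entry.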
@@ -16,10 +16,10 @@
.SH SEE ALSO
\fIlp(1)\fR, \fIlpr(1)\fR,
.br
-diff -urNad cupsys-1.2.3~/scheduler/conf.c cupsys-1.2.3/scheduler/conf.c
---- cupsys-1.2.3~/scheduler/conf.c 2006-08-31 13:10:45.000000000 +0000
-+++ cupsys-1.2.3/scheduler/conf.c 2006-08-31 13:14:50.000000000 +0000
-@@ -548,22 +548,10 @@
+diff -urNad cups-1.2-ubuntu~/scheduler/conf.c cups-1.2-ubuntu/scheduler/conf.c
+--- cups-1.2-ubuntu~/scheduler/conf.c 2007-08-02 11:29:20.000000000 +0200
++++ cups-1.2-ubuntu/scheduler/conf.c 2007-08-02 12:42:35.000000000 +0200
+@@ -544,22 +544,10 @@
cupsdLogMessage(CUPSD_LOG_NOTICE,
"Group and SystemGroup cannot use the same groups!");
@@ -44,7 +44,7 @@
}
}
-@@ -617,21 +605,10 @@
+@@ -613,21 +601,10 @@
if (ServerCertificate[0] != '/')
cupsdSetStringf(&ServerCertificate, "%s/%s", ServerRoot, ServerCertificate);
@@ -66,12 +66,14 @@
# endif /* HAVE_LIBSSL || HAVE_GNUTLS */
#endif /* HAVE_SSL */
-@@ -644,11 +621,13 @@
+@@ -638,13 +615,15 @@
+
+ if (check_permissions(CacheDir, NULL, 0775, RunUser, Group, 1, 1) < 0 ||
check_permissions(StateDir, NULL, 0755, RunUser, Group, 1, 1) < 0 ||
- check_permissions(StateDir, "certs", RunUser ? 0711 : 0511, User,
+- check_permissions(StateDir, "certs", RunUser ? 0711 : 0511, User,
++ check_permissions(StateDir, "certs", 0711, 0,
SystemGroupIDs[0], 1, 1) < 0 ||
-- check_permissions(ServerRoot, NULL, 0755, RunUser, Group, 1, 0) < 0 ||
-+ check_permissions(ServerRoot, NULL, 03755, RunUser, Group, 1, 0) < 0 ||
+ check_permissions(ServerRoot, NULL, 0755, RunUser, Group, 1, 0) < 0 ||
check_permissions(ServerRoot, "ppd", 0755, RunUser, Group, 1, 1) < 0 ||
check_permissions(ServerRoot, "ssl", 0700, RunUser, Group, 1, 0) < 0 ||
+ /* Never alter permissions of central conffile
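Review bot: The changelog documents only the owner change for the certs directory, but the new line `check_permissions(StateDir, "certs", 0711, 0,` also replaces the mode expression `RunUser ? 0711 : 0511` with an unconditional 0711, and the ServerRoot call goes back to 0755 where the previous revision of this dpatch set 03755. Mention both in the changelog, and add a comment in the patched conf.c saying that the literal 0 is the root uid and why the owner write bit is wanted, so the link to dropping CAP_DAC_OVERRIDE is visible in the code.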
Modified: cupsys/branches/cups-1.2-ubuntu/debian/rules
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/rules (original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/rules Thu Aug 2 11:50:39 2007
@@ -18,7 +18,7 @@
unpatch: deapply-dpatches
-DEB_CONFIGURE_EXTRA_FLAGS := --with-optim=$(DEB_OPTFLAGS) --libdir=/usr/lib --mandir=/usr/share/man --with-docdir=/usr/share/cups/doc-root --enable-slp --enable-libpaper --enable-ssl --enable-gnutls --disable-openssl --enable-threads --enable-static --enable-dbus --disable-pdftops --disable-launchd --with-cups-user=cupsys --with-cups-group=lp --with-system-groups=lpadmin --enable-privilege-dropping
+DEB_CONFIGURE_EXTRA_FLAGS := --with-optim=$(DEB_OPTFLAGS) --libdir=/usr/lib --mandir=/usr/share/man --with-docdir=/usr/share/cups/doc-root --enable-slp --enable-libpaper --enable-ssl --enable-gnutls --disable-openssl --enable-threads --enable-static --enable-dbus --disable-pdftops --disable-launchd --with-cups-group=lp --with-system-groups=lpadmin
DEB_MAKE_INSTALL_TARGET := install BUILDROOT=$(DEB_DESTDIR)
DEB_INSTALL_CHANGELOGS_ALL := CHANGES.txt
DEB_DH_INSTALLINIT_ARGS := -u'multiuser 19'
@@ -53,14 +53,6 @@
install -o root -g root -m 644 debian/cupsys.default debian/cupsys/etc/default/cupsys
install -m 755 debian/local/browsing_status debian/local/enable_browsing debian/local/sharing_status debian/local/enable_sharing $(DEB_DESTDIR)/../cupsys/usr/share/cups
- # install lpd backend suid root so that it can bind to port <
- # 1024 (required for RFC compliance)
- chown root:lp debian/cupsys/usr/lib/cups/backend-available/lpd
- chmod 4754 debian/cupsys/usr/lib/cups/backend-available/lpd
-
- # upstream installs this as 0700 now which breaks as non-root
- chmod 755 debian/cupsys/usr/lib/cups/backend-available/ipp
-
# Install PPDs into /usr/share/ppd/cups-included/<Manufacturer>, see
# http://wiki.debian.org/PpdFileStructureSpecification
for i in $(DEB_DESTDIR)/../cupsys/usr/share/cups/model/*.ppd; do \