
Bug#992378: marked as done (/etc/apparmor.d/usr.sbin.cupsd: Prevents Let's Encrypt certificates from being used)



Your message dated Fri, 27 Aug 2021 15:33:47 +0200
with message-id <3857765.gJaRSux1Jz@odyx.org>
and subject line Re: Bug#992378: /etc/apparmor.d/usr.sbin.cupsd: Prevents Let's Encrypt certificates from being used
has caused the Debian Bug report #992378,
regarding /etc/apparmor.d/usr.sbin.cupsd: Prevents Let's Encrypt certificates from being used
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
992378: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992378
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: cups-daemon
Version: 2.3.3op2-3+deb11u1
Severity: normal
File: /etc/apparmor.d/usr.sbin.cupsd

Adding
  /etc/letsencrypt/archive/** r,
seems to fix this.

I only discovered what was causing the problem when I stumbled across
https://askubuntu.com/questions/1079957

Thanks,

Roger

-- System Information:
Debian Release: 11.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages cups-daemon depends on:
ii  adduser                    3.118
ii  bc                         1.07.1-2+b2
ii  init-system-helpers        1.60
ii  libavahi-client3           0.8-5
ii  libavahi-common3           0.8-5
ii  libc6                      2.31-13
ii  libcups2                   2.3.3op2-3+deb11u1
ii  libdbus-1-3                1.12.20-2
ii  libelogind0 [libsystemd0]  246.9.1-1+debian1
ii  libgssapi-krb5-2           1.18.3-6
ii  libpam0g                   1.4.0-9
ii  libpaper1                  1.1.28+b1
ii  lsb-base                   11.1.0
ii  procps                     2:3.3.17-5
ii  ssl-cert                   1.1.0+nmu1

Versions of packages cups-daemon recommends:
pn  avahi-daemon  <none>
pn  colord        <none>
pn  cups-browsed  <none>
pn  ipp-usb       <none>

Versions of packages cups-daemon suggests:
ii  cups                                       2.3.3op2-3+deb11u1
ii  cups-bsd                                   2.3.3op2-3+deb11u1
ii  cups-client                                2.3.3op2-3+deb11u1
ii  cups-common                                2.3.3op2-3+deb11u1
ii  cups-filters                               1.28.7-1
pn  cups-pdf                                   <none>
ii  cups-ppdc                                  2.3.3op2-3+deb11u1
ii  cups-server-common                         2.3.3op2-3+deb11u1
ii  foomatic-db-compressed-ppds [foomatic-db]  20200820-1
ii  ghostscript                                9.53.3~dfsg-7
ii  poppler-utils                              20.09.0-3.1
pn  smbclient                                  <none>
ii  udev                                       247.3-6

-- Configuration Files:
/etc/cups/cups-files.conf changed:
CreateSelfSignedCerts no
SystemGroup lpadmin
LogFileGroup adm
AccessLog /var/log/cups/access_log
ErrorLog /var/log/cups/error_log
PageLog /var/log/cups/page_log


-- no debconf information

--- End Message ---
--- Begin Message ---
Control: tags -1 +wontfix

Hello Roger, and thanks for your bug report.

On Wednesday, 18 August 2021, 01.30:00 h CEST, Roger Lynn wrote:
> Package: cups-daemon
> Version: 2.3.3op2-3+deb11u1
> Severity: normal
> File: /etc/apparmor.d/usr.sbin.cupsd
> 
> Adding
>   /etc/letsencrypt/archive/** r,
> seems to fix this.
> 
> I only discovered what was causing the problem when I stumbled across
> https://askubuntu.com/questions/1079957

Using Let's Encrypt is fine, allowed, and (apparently) working with CUPS, but 
as that's clearly not a default way of working for CUPS, I'd be _very_ 
reluctant to allow CUPS to access "all the Let's Encrypt certificates" on all 
systems it gets installed to. Furthermore, /etc/apparmor.d/usr.sbin.cupsd is a 
configuration file, freely modifiable by the local system administrator. In 
other words, imposing that a local system administrator needs to update that 
file to enable a specific type of certificate is reasonable.

I'll therefore close this bug as +wontfix.

That said, if you think a patch making the documentation clearer could be 
useful, feel free to reopen this bug and provide said patch.

Best regards,

    OdyX



--- End Message ---
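
Added example (not part of either message, and not code from the cups package): a local administrator following the maintainer's advice can derive a rule scoped to the one certificate cupsd actually tried to read, instead of granting /etc/letsencrypt/archive/** to the daemon. The audit lines, the host name print.example.org and the profile name "/usr/sbin/cupsd" are constructed assumptions; putting the resulting rule in /etc/apparmor.d/local/usr.sbin.cupsd also assumes the shipped profile includes that file.

```python
import re

# Constructed sample AppArmor audit lines (not taken from the bug report).
SAMPLE_LOG = """\
audit: type=1400 audit(1629243000.101:45): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/letsencrypt/archive/print.example.org/fullchain1.pem" pid=812 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1629243000.102:46): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/letsencrypt/archive/print.example.org/privkey1.pem" pid=812 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1629243000.200:47): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/etc/letsencrypt/archive/www.example.org/privkey1.pem" pid=900 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1629243000.300:48): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=812 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="value" pairs as they appear in AppArmor audit records.
FIELD = re.compile(r'(\w+)="([^"]*)"')
# A file directly inside one certificate lineage directory of the archive.
ARCHIVE = re.compile(
    r'^/etc/letsencrypt/archive/([A-Za-z0-9][A-Za-z0-9._-]*)/[^/]+$')


def cupsd_denials(log_text, profile="/usr/sbin/cupsd"):
    """Return (path, denied_mask) for every DENIED record of the profile."""
    denials = []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if (fields.get("apparmor") == "DENIED"
                and fields.get("profile") == profile):
            denials.append((fields.get("name", ""),
                            fields.get("denied_mask", "")))
    return denials


def scoped_rules(denials):
    """Build one read-only rule per certificate lineage that was denied."""
    lineages = set()
    for path, mask in denials:
        match = ARCHIVE.match(path)
        if match and mask == "r":  # ignore anything but plain read denials
            lineages.add(match.group(1))
    return [f"/etc/letsencrypt/archive/{name}/* r," for name in sorted(lineages)]


if __name__ == "__main__":
    for rule in scoped_rules(cupsd_denials(SAMPLE_LOG)):
        print(rule)
```
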
