Your message dated Fri, 7 Mar 2008 22:02:19 +0100
with message-id <20080307210219.GA18063@piware.de>
and subject line Closing
has caused the Debian Bug report #263796,
regarding please don't run cupsys as root
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
263796: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=263796
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: please don't run cupsys as root
- From: Martin Pitt <martin@piware.de>
- Date: Thu, 5 Aug 2004 21:05:03 +0200
- Message-id: <20040805190452.GA2929@donald.intranet.fbn-dd.de>
Package: cupsys
Version: 1.1.20final+rc1-4
Severity: wishlist
Tags: patch

Hi!

cupsd currently runs as root, which is a big security hole and way
more than necessary. I prepared an updated package which lets cupsd
run as normal user cupsys and under a few auxiliary groups (which are
necessary). The changelog entry is:

|cupsys (1.1.20final+rc1-4ubuntu1) unstable; urgency=low
|
|  * added patch 33auxgroups: support running the cups server under auxilliary
|    groups
|  * added patch 34confRunAsUser: default cupsd.conf: add and enable RunAsUser
|  * cupsys.postinst:
|    - create an user 'cupsys' and put it into groups lp, shadow, and dialout
|    - create /var/run/cups/ with owner cupsys (if it does not exist, it is
|      created with owner root and cupsd cannot write into it any more)
|  * cupsys.postrm: remove user cupsys
|  * debian/rules: configure with --with-cups-user=cupsys
|
| -- Martin Pitt <mpitt@debian.org>  Tue, 3 Aug 2004 18:17:59 +0200

You can get the interdiff against revision -4 from

http://bye-bye-root.no-name-yet.com/patches/cupsys.min-privileges.diff

This patch has been tested successfully by several people now.

Thanks for considering and have a nice day!

Martin

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.7+skas-amd
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro

Versions of packages cupsys depends on:
ii  adduser              3.59               Add and remove users and groups
ii  debconf              1.4.30             Debian configuration management sy
ii  gs-esp               7.07.1-9           The Ghostscript PostScript interpr
ii  libc6                2.3.2.ds1-14       GNU C Library: Shared libraries an
ii  libcupsimage2        1.1.20final+rc1-4  Common UNIX Printing System(tm) -
ii  libcupsys2-gnutls10  1.1.20final+rc1-4  Common UNIX Printing System(tm) -
ii  libgnutls11          1.0.16-4           GNU TLS library - runtime library
ii  libpam0g             0.76-22            Pluggable Authentication Modules l
ii  libpaper1            1.1.14-0.3         Library for handling paper charact
ii  libslp1              1.0.11-7           OpenSLP libraries
ii  zlib1g               1:1.2.1.1-5        compression library - runtime

-- debconf information:
  cupsys/raw-print: true
  cupsys/backend: ipp, lpd, parallel, socket, usb

--
Martin Pitt                 Debian GNU/Linux Developer
martin@piware.de                      mpitt@debian.org
http://www.piware.de             http://www.debian.org

Attachment: signature.asc
Description: Digital signature
--- End Message ---
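
A way to verify on a running system the privilege drop that the report above asks for, given as an added example that is not part of the original report, the patch, or the cupsys package. It parses the credential lines of /proc/<pid>/status and reports any root ID or any supplementary group outside an allowed set; the function names are hypothetical, the sample status text is constructed, and the numeric GIDs for lp, dialout and shadow are assumptions to be checked against /etc/group.

```python
"""Audit daemon credentials from /proc/<pid>/status text (added example)."""

ID_KINDS = ("real", "effective", "saved", "filesystem")  # column order in /proc

def parse_status(text):
    """Return the Uid, Gid and Groups fields as lists of ints."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in ("Uid", "Gid", "Groups"):
            fields[key] = [int(v) for v in value.split()]
    return fields

def audit(text, allowed_gids):
    """Return findings; an empty list means no root IDs and no extra groups."""
    fields = parse_status(text)
    findings = []
    for key in ("Uid", "Gid"):
        ids = fields.get(key)
        if ids is None or len(ids) != len(ID_KINDS):
            findings.append(f"{key} line missing or malformed")
            continue
        # A saved UID of 0 lets the process switch back to root later.
        findings += [f"{kind} {key.lower()} is 0"
                     for kind, value in zip(ID_KINDS, ids) if value == 0]
    extra = sorted(set(fields.get("Groups", [])) - set(allowed_gids))
    findings += [f"unexpected supplementary group {gid}" for gid in extra]
    return findings

def audit_pid(pid, allowed_gids):
    """Same check against a live process on Linux."""
    with open(f"/proc/{pid}/status") as handle:
        return audit(handle.read(), allowed_gids)

# Constructed samples. UID 108 is made up; GIDs 7, 20 and 42 are assumed to be
# lp, dialout and shadow (check /etc/group on the host being audited).
ALLOWED = {7, 20, 42}
DROPPED = "Name:\tcupsd\nUid:\t108\t108\t108\t108\nGid:\t7\t7\t7\t7\nGroups:\t7 20 42\n"
SAVED_ROOT = "Name:\tcupsd\nUid:\t108\t108\t0\t108\nGid:\t7\t7\t7\t7\nGroups:\t7 20 42\n"
AS_ROOT = "Name:\tcupsd\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nGroups:\t0 7\n"

if __name__ == "__main__":
    for label, sample in (("dropped", DROPPED), ("saved-root", SAVED_ROOT),
                          ("root", AS_ROOT)):
        print(label, audit(sample, ALLOWED))
```

The saved-root sample is the case a plain `ps` listing misses: the effective UID is unprivileged, but the saved UID still allows a switch back to root.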
--- Begin Message ---
- To: 263796-done@bugs.debian.org
- Subject: Closing
- From: Martin Pitt <mpitt@debian.org>
- Date: Fri, 7 Mar 2008 22:02:19 +0100
- Message-id: <20080307210219.GA18063@piware.de>
Hi,

we have done this for a while in Ubuntu, but due to upstream's
absolute unwillingness to even discuss this we gave up maintaining
this patch. We now use an apparmor policy which is much easier to
maintain.

Martin

--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
--- End Message ---