Bug#702227: Permission of the backend too strict for a backend chain (beh, jasmine)
Control: tags -1 +wontfix -moreinfo
Hi Marco,
On Wednesday, 6 March 2013 17.37:12, Marco Gaiarin wrote:
> > As far as I can tell, all chained configurations that go through cups are
> > working correctly, so that's definitely a minor issue for standard use
> > cases.
>
> Ok for 'jasmine', but 'beh' is a rather ''standard'' backend, that i
> use extensively for some ''broken'' printers or print servers... very
> useful if you don't want to be called on saturday morning at home...
Is 'beh' not working correctly when used as printer backend?
> gaio@eraldo:~$ ls -la /usr/lib/cups/backend/ipp
> -rwxr--r-- 3 root root 43328 15 gen 04.08 /usr/lib/cups/backend/ipp
>
> 744 root.root? Does it really break the CUPS security model to have it
> root.lp, 754 (or 750)?
>
> Probably I don't know CUPS (and indeed it is true ;), but I don't
> understand why the 'lp' group must not execute the backend... while
> for example the 'socket' backend:
>
> gaio@eraldo:~$ ls -la /usr/lib/cups/backend/socket
> -r-xr-xr-x 2 root root 29988 15 gen 04.08 /usr/lib/cups/backend/socket
>
> it is even executable by everyone?
Quoting Till on that one:
> 13:59 < tkamppeter> OdyX, about Debian bug 702227, CUPS backends with 750
> root.root permissions/ownerships are run as root by CUPS, these backends
> have to run as root as they need access to resources where only root has
> access (files, network resources). Opening up the permissions so that "lp"
> can run the backends makes the backends stop working. What always works
> would be setting the wrapper backends 750 root.root, but this can lead to
> some non-root backends being run as root.
> (…) but seems to me that simply backend permission is a mess... ;-)))
I can't disagree with that.
As far as I can read that bug:
i) running backends not as root will likely break some working behaviours;
ii) apparently a non-standard backend, not even in Debian, doesn't work in that
situation.
So, as I would rather not try to fix something not broken for most standard
Debian uses, and as I haven't been convinced that fixing that is an
improvement over the current situation, I'm hereby tagging this bug as
wontfix.
Cheers,
OdyX