Bug#702227: Permission of the backend too strict for a backend chain (beh, jasmine)

To: Marco Gaiarin <gaio@sv.lnf.it>, 702227@bugs.debian.org
Subject: Bug#702227: Permission of the backend too strict for a backend chain (beh, jasmine)
From: "Didier 'OdyX' Raboud" <odyx@debian.org>
Date: Sat, 9 Mar 2013 18:48:47 +0100
Message-id: <[🔎] 201303091848.48166.odyx@debian.org>
Reply-to: "Didier 'OdyX' Raboud" <odyx@debian.org>, 702227@bugs.debian.org
In-reply-to: <[🔎] 20130306163712.GS3500@sv.lnf.it>
References: <[🔎] 20130304101231.GD4190@sv.lnf.it> <[🔎] 201303041840.57319.odyx@debian.org> <[🔎] 20130306163712.GS3500@sv.lnf.it>

Control: tags -1 +wontfix -moreinfo

Hi Marco,

Le mercredi, 6 mars 2013 17.37:12, Marco Gaiarin a écrit :
> > As far as I can tell, all chained configurations that go through cups are
> > working correctly, so that's definitely a minor issue for standard use
> > cases.
> 
> Ok for 'jasmine', but 'beh' is a rather ''standard'' backend, that i
> use extensively for some ''broken'' printers or print servers... very
> useful if you don't want to be called on saturday morning at home...

Is 'beh' not working correctly when used as printer backend?

> 	gaio@eraldo:~$ ls -la /usr/lib/cups/backend/ipp
> 	-rwxr--r-- 3 root root 43328 15 gen 04.08 /usr/lib/cups/backend/ipp
> 
> 744 root.root? It really brake the CUPS security model to have it
> root.lp, 754 (or 750)?
> 
> Probably i don't know CUPS (and indeed it is true ;), but i don't
> understood why the 'lp' group have to not execute the backend... while
> for example the 'socket' backend:
> 
> 	gaio@eraldo:~$ ls -la /usr/lib/cups/backend/socket
> 	-r-xr-xr-x 2 root root 29988 15 gen 04.08 /usr/lib/cups/backend/socket
> 
> it is even executable by everyone?

Quoting Till on that one:
> 13:59 < tkamppeter> OdyX, about Debian bug 702227, CUPS backends with 750
> root.root permissions/ownerships are run as root by CUPS, these backends
> have to run as root as they need access to resources where only root has
> access (files, network resources). Opening up the permissions so that "lp"
> can run the backends makes the backends stop working. What alwyas works
> would be setting the wrapper backends 750 root.root, but this can lead to
> some non-root backends being run as root.

> (…) but seems to me that simply backend permission is a mess... ;-)))

I can't disagree with that.

As far as I can read that bug:
i) running backends not as root will likely break some working behaviours;
ii) apparently a non-standard backend, not even in Debian doesn't work in that 
situation.

So, as I would rather not try to fix something not broken for most standard 
Debian uses, and as I haven't been convinced that fixing that is an 
improvement over the current situation, I'm hereby tagging this bug as 
wontfix.

Cheers,

OdyX

Reply to:

Follow-Ups:
- Bug#702227: Permission of the backend too strict for a backend chain (beh, jasmine)
  - From: Marco Gaiarin <gaio@sv.lnf.it>

References:
- Bug#702227: Permission of the backend too strict for a backend chain (beh, jasmine)
  - From: Marco Gaiarin <gaio@sv.lnf.it>
- Bug#702227: Permission of the backend too strict for a backend chain (beh, jasmine)
  - From: "Didier 'OdyX' Raboud" <odyx@debian.org>
- Bug#702227: Permission of the backend too strict for a backend chain (beh, jasmine)
  - From: Marco Gaiarin <gaio@sv.lnf.it>

Prev by Date: cups_1.6.1-3_amd64.changes ACCEPTED into experimental
Next by Date: Processed: Re: Bug#702227: Permission of the backend too strict for a backend chain (beh, jasmine)
Previous by thread: Bug#702227: Permission of the backend too strict for a backend chain (beh, jasmine)
Next by thread: Bug#702227: Permission of the backend too strict for a backend chain (beh, jasmine)
Index(es):
- Date
- Thread