Re: Permission problem of PPDs in /etc/cups/ppd/ fixed
Hi Till,
This is my "other mail". Sorry for the delay.
On Friday, 28 August 2015, 12.15:39 Till Kamppeter wrote:
> I got an answer to STR #4703 and the upstream code got appropriately
> fixed, but the intended behavior is not world-readable PPDs as it
> looked like but treating the PPDs in /etc/cups/ppd/ as any other
> configuration file of CUPS, getting permissions assigned as defined by
> the ConfigFilePerm variable in /etc/cups/cups-files.conf. Ownerships
> are root.lp.
If that's to stay, we should probably make sure all files under
/etc/cups/ppd/ have these ownerships in a postinst script.
> This means that world-readable PPD files are not standard in CUPS and
> any access to printer capabilities and any other information concerning
> the printing environment have to be done via IPP requests to the CUPS
> daemon or via API functions of the CUPS library (which in turn send
> IPP requests to the CUPS daemon).
Well. This makes sense, and is at least consistent with upstream's
choices in recent years.
> Also locations of CUPS files are not necessarily always the same, as
> we got used to with standard desktop or server Linux. So the files
> should never get accessed directly. If a program fails on not
> world-readable PPDs, it has a bug.
Fair enough, and I think we should follow upstream there, although it's
always puzzling to have non-standard configuration files under /etc.
To recap, I think upstream's opinion on what the various file
permissions and ownerships should be is consistent with how CUPS works,
but it's inconsistent with FHS. We could consider moving some sub-
directories to /var/lib/cups, where FHS wants them.
> Now we need to decide about the further proceeding:
>
> 1. Leave ConfigFilePerm on its default of 640, meaning that all config
> files including the PPDs are not world-readable. Is there any
> security reason why config files of CUPS should not be
> world-readable?
For now, that's what 2.0.1-1 will do. :) But in this case, these files
should move to /lib.
> 2. Set ConfigFilePerm to 644, making all config files and PPD
> world-readable to work around bugs in programs which want to access
> PPDs and/or config files of CUPS directly
If these files are to stay in /etc, that's probably what we should be
doing. But in terms of security, I think some configuration files can
hold samba credentials, and should therefore not be world-readable.
> 3. Create a distro patch which allows world-readable PPDs but
> not-world-readable config files in CUPS.
>
> I would say to go with (2) if this does not bear any security risk,
> otherwise with (1). I think (3) would be too awkward.
Yeah, agreed.
Cheers,
OdyX
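
The ownership and mode check discussed in this thread, as an added example that is not part of the original mail or of the CUPS packaging: it reads ConfigFilePerm from a cups-files.conf and lists PPDs whose mode or owner differ from what is expected. The function names are hypothetical, and it assumes GNU `stat -c` and a directive written as `ConfigFilePerm <octal>`.

```shell
#!/bin/sh
# Added example: audit PPD files against ConfigFilePerm and an expected owner.
# Function names are hypothetical; paths are parameters so the check can be
# run on a scratch copy. Assumes GNU coreutils stat (-c).

# Print the three-digit ConfigFilePerm from the given cups-files.conf,
# or 640 (the default named in the thread) when the directive is absent.
config_file_perm() {
    cfp_conf=$1
    cfp_value=''
    if [ -r "$cfp_conf" ]; then
        cfp_value=$(sed -n \
            's/^[[:space:]]*ConfigFilePerm[[:space:]]\{1,\}0*\([0-7]\{3\}\)[[:space:]]*$/\1/p' \
            "$cfp_conf" | tail -n 1)
    fi
    printf '%s\n' "${cfp_value:-640}"
}

# audit_ppd_perms DIR MODE OWNER:GROUP
# Print "mode owner:group path" for every *.ppd in DIR that deviates.
# Returns 0 when everything matches, 1 when at least one file deviates.
audit_ppd_perms() {
    ap_dir=$1
    ap_want_mode=$2
    ap_want_owner=$3
    ap_found=0
    for ap_file in "$ap_dir"/*.ppd; do
        [ -f "$ap_file" ] || continue      # also skips an unmatched glob
        ap_mode=$(stat -c '%a' "$ap_file")
        ap_owner=$(stat -c '%U:%G' "$ap_file")
        if [ "$ap_mode" != "$ap_want_mode" ] || [ "$ap_owner" != "$ap_want_owner" ]; then
            printf '%s %s %s\n' "$ap_mode" "$ap_owner" "$ap_file"
            ap_found=1
        fi
    done
    return "$ap_found"
}

# Usage on a real system (paths and ownership as given in the thread):
#   audit_ppd_perms /etc/cups/ppd \
#       "$(config_file_perm /etc/cups/cups-files.conf)" root:lp
```
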