
Re: Permission problem of PPDs in /etc/cups/ppd/ fixed



Hi Till,

This is my "other mail". Sorry for the delay.

On Friday, 28 August 2015, 12.15:39 Till Kamppeter wrote:
> I got an answer to STR #4703 and the upstream code got appropriately
> fixed, but the intended behavior is not world-readable PPDs as it
> looked like but treating the PPDs in /etc/cups/ppd/ as any other
> configuration file of CUPS, getting permissions assigned as defined by
> the ConfigFilePerm variable in /etc/cups/cups-files.conf. Ownerships
> are root.lp.

If that's to stay, we should probably make sure all files under 
/etc/cups/ppd/ have these ownerships in a postinst script.

> This means that world-readable PPD files are not standard in CUPS and
> any access to printer capabilities and any other information concerning
> the printing environment have to be done via IPP requests to the CUPS
> daemon or via API functions of the CUPS library (which in turn send
> IPP requests to the CUPS daemon).

Well. This makes sense, and is at least consistent with upstream's 
choices in recent years.

> Also locations of CUPS files are not necessarily always the same, as
> we got used to with standard desktop or server Linux. So the files
> should never get accessed directly. If a program fails on not
> world-readable PPDs, it has a bug.

Fair enough, and I think we should follow upstream there, although it's 
always puzzling to have non-standard configuration files under /etc.

To recap, I think upstream's opinion on what the various file 
permissions and ownerships should be is consistent with how CUPS works, 
but it's inconsistent with FHS. We could consider moving some 
sub-directories to /var/lib/cups, where FHS wants them.

> Now we need to decide about the further proceeding:
> 
> 1. Leave ConfigFilePerm on its default of 640, meaning that all config
> files including the PPDs are not world-readable. Is there any
> security reason why config files of CUPS should not be
> world-readable?

For now, that's what 2.0.1-1 will do. :) But in this case, these files 
should move to /lib.

> 2. Set ConfigFilePerm to 644, making all config files and PPD
> world-readable to work around bugs in programs which want to access
> PPDs and/or config files of CUPS directly

If these files are to stay in /etc, that's probably what we should be 
doing. But in terms of security, I think some configuration files can 
hold samba credentials, and should therefore not be world-readable.

> 3. Create a distro patch which allows world-readable PPDs but
> not-world-readable config files in CUPS.
> 
> I would say to go with (2) if this does not bear any security risk,
> otherwise with (1). I think (3) would be too awkward.

Yeah, agreed.

Cheers,
OdyX
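
The check a postinst script would need for the ownership and ConfigFilePerm points discussed above, as an added example that is not part of the original message or of the CUPS packaging. The function names and the script arguments are assumptions; it only reports mismatches and changes nothing.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat (-c) as on Debian.

# Print the ConfigFilePerm value set in a cups-files.conf, without leading
# zeros; fall back to 640, the default named in the thread.
config_file_perm() {
    conf=$1
    perm=""
    if [ -r "$conf" ]; then
        # Commented-out lines start with "#", so $1 does not match them.
        perm=$(awk '$1 == "ConfigFilePerm" { v = $2 } END { print v }' "$conf")
    fi
    perm=$(printf '%s' "${perm:-640}" | sed 's/^0*//')
    printf '%s\n' "${perm:-0}"
}

# Print "MODE OWNER:GROUP PATH" for every file under ppd_dir whose mode is
# not `want` or, when `owner` is given (e.g. root:lp), whose ownership
# differs. Returns 1 if anything was printed.
audit_ppd_perms() {
    ppd_dir=$1
    want=$2
    owner=${3:-}
    bad=$(find "$ppd_dir" -type f -exec stat -c '%a %U:%G %n' {} + |
        awk -v w="$want" -v o="$owner" '$1 != w || (o != "" && $2 != o)')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Usage: script CUPS_FILES_CONF PPD_DIR [OWNER:GROUP]
if [ "$#" -ge 2 ]; then
    audit_ppd_perms "$2" "$(config_file_perm "$1")" "${3:-}"
fi
```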

