
Bug#898122: cups-daemon: Harden systemd service by default



Control: forwarded -1 https://github.com/apple/cups/pull/5528


Dear Chiraag,


On 05/07/18 16:47, Chiraag Nataraj wrote:

> Given that cupsd must run as root, we should restrict its
> capabilities as much as possible. Given that the cups-daemon package
> provides the systemd service, would it be possible to harden it by
> default? The following options worked for me in the [Service] section
> (but we may need more extensive testing):
Thank you very much for your report, and the suggestions below.

> CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID
> ProtectSystem=strict
> ProtectHome=true
> ProtectKernelTunables=true
> ProtectKernelModules=true
> ProtectControlGroups=true
> PrivateTmp=true
> PrivateDevices=true
> MemoryDenyWriteExecute=true
> LockPersonality=true
> ReadWritePaths=/etc/cups /var/log/cups /var/run/cups /var/cache/cups /var/spool/cups

I created a merge/pull request [1], and set this as the upstream report
as discussion is happening there. Could you please join the discussion?

Upstream is reluctant to apply these changes, and wants distributions
to carry them first. Do you know what other distributions like Red Hat,
Fedora, Arch or Ubuntu do?

Additionally, I talked to the systemd developers, and they responded
that `CAP_DAC_OVERRIDE` renders quite a lot of restrictions moot [1].

> Bypass file read, write, and execute permission checks. (DAC is an
> abbreviation of "discretionary access control".)

Additionally, they said that `ProtectSystem`, `ReadWritePaths` and
`ProtectHome` are redundant.
Could you please look more into it, and maybe post an updated list?


Kind regards,

Paul


[1]: https://manpages.debian.org/stretch/manpages-de/capabilities.7.html
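As an added example (not part of this mail thread, and not cups or systemd code), a small Python check that parses the [Service] section of a unit file and reports the combination the systemd developers called out: CAP_DAC_OVERRIDE still in CapabilityBoundingSet= while ProtectSystem=, ProtectHome= and ReadWritePaths= are set. The sample unit text is constructed from the options quoted above; the directive list it flags is an assumption taken from this mail, not a systemd rule.

```python
import configparser

# Constructed sample drop-in reproducing the [Service] options quoted in the
# bug report (not Debian's or upstream's unit file).
SAMPLE_UNIT = """\
[Service]
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
PrivateTmp=true
PrivateDevices=true
MemoryDenyWriteExecute=true
LockPersonality=true
ReadWritePaths=/etc/cups /var/log/cups /var/run/cups /var/cache/cups /var/spool/cups
"""

# Directives the mail says are undercut when the bounding set keeps
# CAP_DAC_OVERRIDE (assumption taken from the thread, not from systemd docs).
FS_DIRECTIVES = ("ProtectSystem", "ProtectHome", "ReadWritePaths")


def parse_service_section(unit_text):
    """Return the [Service] section as a dict; a repeated key keeps its last value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # systemd directive names are case-sensitive
    cp.read_string(unit_text)
    return dict(cp["Service"]) if cp.has_section("Service") else {}


def bounding_set(service):
    """Split CapabilityBoundingSet= into individual capability names."""
    return service.get("CapabilityBoundingSet", "").split()


def find_dac_override_conflict(service):
    """Return the filesystem directives that are set while CAP_DAC_OVERRIDE
    remains in the bounding set; empty list means nothing to report."""
    if "CAP_DAC_OVERRIDE" not in bounding_set(service):
        return []
    return [d for d in FS_DIRECTIVES if d in service]


if __name__ == "__main__":
    svc = parse_service_section(SAMPLE_UNIT)
    for d in find_dac_override_conflict(svc):
        print(f"{d}={svc[d]} is set, but CAP_DAC_OVERRIDE is still in CapabilityBoundingSet")
```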
