Bug#940578: printer-driver-cups-pdf: cups pdf printer cannot create pdf file
Martin-Éric Racine:
> ke 18. syysk. 2019 klo 10.03 intrigeri (intrigeri@debian.org) kirjoitti:
>> C. Disable AppArmor confinement by default for the program that gets blocked
>>
>> If you choose this option, then this bug should be reassigned to
>> cups-daemon.
> This indeed is the best option.
Thanks for your feedback!
Thinking about it a bit more, I'm wondering if a less drastic approach
would be acceptable:
D. Allow cups-pdf to write anywhere under /home/*
This still (somewhat) protects users against security issues in
cups-pdf. This gets rid of AppArmor denials, as long as the user
does not customize the "Out" setting to make it point to some place
that's elsewhere than under ${HOME}.
I could try this to start with: all it takes is modifying 2 lines.
And if this still yields an unacceptable UX for users, or causes too
much BTS workload for you, then we can still do option C.
How does it sound?
Cheers,
--
intrigeri
Reply to: