
Re: Question: compiler options for CUPS modules?



Hello Martin-Éric,

On Friday, 25 December 2020, 12.58:39 h CET, Martin-Éric Racine wrote:
> I've been maintaining CUPS-PDF ever since it entered Debian.
> 
> Recently, Lintian has been giving all sorts of hints about enabling
> hardening. Bug reports at Debian and at derivatives suggest that some
> of the hardening options might cause CUPS-PDF to fail at writing files
> to the expected destination.
> 
> I was thus wondering what sort of hardening options (if any) are used
> for building other CUPS printer drivers that require compiling?

In terms of compilation hardening, this is what's used in CUPS:
https://sources.debian.org/src/cups/2.3.3op1-4/debian/rules/#L7

  # Enabling PIE globally doesn't work, but ./configure already enables PIE
  # where necessary.
  export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie

(The comment is quite old, and I haven't re-tried enabling PIE recently).

In terms of runtime hardening, CUPS ships with an AppArmor profile:
https://sources.debian.org/src/cups/2.3.3op1-4/debian/local/apparmor-profile/

I think this is the one potentially limiting the possibility for CUPS to write 
CUPS-PDF files at the correct places; see lines 99 and from 176 on.

I hope that answers your questions.

Best regards, and a happy new year,
    OdyX
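
Added example, not part of the original message or of the CUPS packaging: one way to check whether AppArmor, rather than a compile-time hardening flag, is what blocks CUPS-PDF from writing its output is to summarise write-type denials from the kernel audit log. The log lines, profile name and paths below are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines (assumptions for illustration: profile
# name, paths, PIDs). One name is hex-encoded, as the audit subsystem does
# for paths containing spaces; it decodes to "/home/user/PDF/my file.pdf".
SAMPLE_LOG = """\
Dec 25 13:02:11 host kernel: audit: type=1400 audit(1608897731.101:211): apparmor="DENIED" operation="mknod" profile="/usr/lib/cups/backend/cups-pdf" name="/srv/spool/pdf/report.pdf" pid=4121 comm="cups-pdf" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Dec 25 13:02:12 host kernel: audit: type=1400 audit(1608897732.040:212): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/srv/spool/pdf/report.pdf" pid=4122 comm="gs" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Dec 25 13:02:15 host kernel: audit: type=1400 audit(1608897735.105:213): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 25 13:05:40 host kernel: audit: type=1400 audit(1608897940.512:230): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name=2F686F6D652F757365722F5044462F6D792066696C652E706466 pid=4188 comm="gs" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Dec 25 13:05:41 host kernel: audit: type=1400 audit(1608897941.001:231): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 25 13:06:02 host sshd[77]: Accepted publickey for admin
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
WRITE_MASKS = set("wacd")  # write, append, create, delete


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    event = {}
    for key, quoted, bare in KV.findall(line):
        value = quoted or bare
        # An unquoted, all-hex name is a hex-encoded path: decode it.
        if key == "name" and bare and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        event[key] = value
    return event


def denied_writes(log_text, profile_substr="cups"):
    """Map (profile, path) -> set of denied write-type permissions."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_event(line)
        if not event or event.get("apparmor") != "DENIED":
            continue  # skips non-AppArmor lines and complain-mode ALLOWED
        if profile_substr not in event.get("profile", ""):
            continue
        denied = set(event.get("denied_mask", "")) & WRITE_MASKS
        if denied:
            hits[(event["profile"], event.get("name", "?"))] |= denied
    return dict(hits)


if __name__ == "__main__":
    for (profile, path), masks in sorted(denied_writes(SAMPLE_LOG).items()):
        print(f"{profile}: denied {''.join(sorted(masks))} on {path}")
```

Any path reported here is a destination the active profile does not permit, which separates a profile restriction from a build-flag regression.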
