smbspool vs smbspool_krb5_wrapper

To: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>, Debian Printing Team <debian-printing@lists.debian.org>
Subject: smbspool vs smbspool_krb5_wrapper
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Tue, 5 Apr 2022 11:26:32 +0300
Message-id: <[🔎] 3ada0611-6b9e-fed0-38ab-e32499c262eb@msgid.tls.msk.ru>

Hi!

For a very long time, apparently, we ship smbspool
backend for cups in samba package in a wrong way.

source3/client/smbspool_krb5_wrapper.c reads:

/*
 * This is a helper binary to execute smbspool.
 *
 * It needs to be installed or symlinked as:
 *      /usr/lib/cups/backend/smb
 *
 * The permissions of the binary need to be set to 0700 so that it is executed
 * as root. The binary switches to the user which is passed via the environment
 * variable AUTH_UID, so we can access the kerberos ticket.
 */

And we have:
 /usr/lib/cups/backend/smb => /usr/bin/smbspool

Is it okay for smbspool to be run as root to start
with ? Or does cups run things as different user
when it has wider than 0700 file permissions?

Should it be

 usr/lib/cups/backend/smb =>
   usr/libexec/samba/smbspool_krb5_wrapper

instead?

(This is how the move to libexec "affects" cups: it doesn't).

But overall, does it really matter?  What this wrapper is
supposed to do, what _is_ this $AUTH_UID thing, when we
are run from cups? Is it a local user who submitted a
print job, and the backend runs under this local user?
How about remote print jobs?

Just guessing here. Can cups people answer some of that?

Thanks!

/mjt

Reply to:

Follow-Ups:
- Re: [Pkg-samba-maint] smbspool vs smbspool_krb5_wrapper
  - From: Andrew Bartlett <abartlet@samba.org>

Prev by Date: cups-filters 1.28.14 released!
Next by Date: Re: [Pkg-samba-maint] smbspool vs smbspool_krb5_wrapper
Previous by thread: cups-filters 1.28.14 released!
Next by thread: Re: [Pkg-samba-maint] smbspool vs smbspool_krb5_wrapper
Index(es):
- Date
- Thread