Bug#1107877: cups: /etc/apparmor.d/usr.sbin.cupsd block access to /etc/shells
Package: cups
Version: 2.4.2-3+deb12u8
Severity: minor
X-Debbugs-Cc: piccardi@truelite.it
Dear Maintainer,
if you enable:
auth required pam_shells.so
(like appending it to /etc/pam.d/common-auth) to disable login to users
without a valid shell, autentication done using the web interface at
localhost:631 stops to work, because /etc/shells is not included in
/etc/apparmor.d/usr.sbin.cupsd, so the server cannot read that file.
So you get in /var/log/cups/error_log:
E [16/Jun/2025:15:17:35 +0200] [Client 1] pam_authenticate() returned 3 (Error in service module)
and you get:
giu 16 15:17:33 think-06 cupsd[4207]: pam_shells(cups:auth): Error opening /etc/shells: Permission denied
in journalctl -u cups.
Just adding the line:
/etc/shells r,
make it working again.
I don't think that making cups capable to read /etc/shells is a security problem.
I tested this on bookworm, but the problem is present also in trixie with cups
2.4.10-3
-- System Information:
Debian Release: 12.11
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (100, 'bookworm-fasttrack'), (100, 'bookworm-backports-staging')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-37-amd64 (SMP w/6 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages cups depends on:
ii cups-client 2.4.2-3+deb12u8
ii cups-common 2.4.2-3+deb12u8
ii cups-core-drivers 2.4.2-3+deb12u8
ii cups-daemon 2.4.2-3+deb12u8
ii cups-filters 1.28.17-3+deb12u1
ii cups-ppdc 2.4.2-3+deb12u8
ii cups-server-common 2.4.2-3+deb12u8
ii debconf [debconf-2.0] 1.5.82
ii ghostscript 10.0.0~dfsg-11+deb12u7
ii libavahi-client3 0.8-10+deb12u1
ii libavahi-common3 0.8-10+deb12u1
ii libc6 2.36-9+deb12u10
ii libcups2 2.4.2-3+deb12u8
ii libgcc-s1 12.2.0-14+deb12u1
ii libstdc++6 12.2.0-14+deb12u1
ii libusb-1.0-0 2:1.0.26-1
ii poppler-utils 22.12.0-2+deb12u1
ii procps 2:4.0.2-3
Versions of packages cups recommends:
ii avahi-daemon 0.8-10+deb12u1
ii colord 1.4.6-2.2
Versions of packages cups suggests:
pn cups-bsd <none>
pn cups-pdf <none>
pn foomatic-db-compressed-ppds | foomatic-db <none>
ii smbclient 2:4.17.12+dfsg-0+deb12u1
ii udev 252.38-1~deb12u1
-- debconf information:
cupsys/backend: lpd, socket, usb, snmp, dnssd
cupsys/raw-print: true
Reply to: