Bug#1107877: cups: /etc/apparmor.d/usr.sbin.cupsd block access to /etc/shells

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1107877: cups: /etc/apparmor.d/usr.sbin.cupsd block access to /etc/shells
From: Simone Piccardi <piccardi@truelite.it>
Date: Mon, 16 Jun 2025 15:54:48 +0200
Message-id: <[🔎] 175008208836.1254056.11243455127333717184.reportbug@monk>
Reply-to: Simone Piccardi <piccardi@truelite.it>, 1107877@bugs.debian.org

Package: cups
Version: 2.4.2-3+deb12u8
Severity: minor
X-Debbugs-Cc: piccardi@truelite.it

Dear Maintainer,

if you enable:

auth    required    pam_shells.so

(like appending it to /etc/pam.d/common-auth) to disable login to users
without a valid shell, autentication done using the web interface at
localhost:631 stops to work, because /etc/shells is not included in
/etc/apparmor.d/usr.sbin.cupsd, so the server cannot read that file.

So you get in /var/log/cups/error_log:

E [16/Jun/2025:15:17:35 +0200] [Client 1] pam_authenticate() returned 3 (Error in service module)

and you get:

giu 16 15:17:33 think-06 cupsd[4207]: pam_shells(cups:auth): Error opening /etc/shells: Permission denied

in journalctl -u cups.

Just adding the line:

  /etc/shells r,

make it working again.

I don't think that making cups capable to read /etc/shells is a security problem. 

I tested this on bookworm, but the problem is present also in trixie with cups
2.4.10-3 

-- System Information:
Debian Release: 12.11
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (100, 'bookworm-fasttrack'), (100, 'bookworm-backports-staging')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-37-amd64 (SMP w/6 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups depends on:
ii  cups-client            2.4.2-3+deb12u8
ii  cups-common            2.4.2-3+deb12u8
ii  cups-core-drivers      2.4.2-3+deb12u8
ii  cups-daemon            2.4.2-3+deb12u8
ii  cups-filters           1.28.17-3+deb12u1
ii  cups-ppdc              2.4.2-3+deb12u8
ii  cups-server-common     2.4.2-3+deb12u8
ii  debconf [debconf-2.0]  1.5.82
ii  ghostscript            10.0.0~dfsg-11+deb12u7
ii  libavahi-client3       0.8-10+deb12u1
ii  libavahi-common3       0.8-10+deb12u1
ii  libc6                  2.36-9+deb12u10
ii  libcups2               2.4.2-3+deb12u8
ii  libgcc-s1              12.2.0-14+deb12u1
ii  libstdc++6             12.2.0-14+deb12u1
ii  libusb-1.0-0           2:1.0.26-1
ii  poppler-utils          22.12.0-2+deb12u1
ii  procps                 2:4.0.2-3

Versions of packages cups recommends:
ii  avahi-daemon  0.8-10+deb12u1
ii  colord        1.4.6-2.2

Versions of packages cups suggests:
pn  cups-bsd                                   <none>
pn  cups-pdf                                   <none>
pn  foomatic-db-compressed-ppds | foomatic-db  <none>
ii  smbclient                                  2:4.17.12+dfsg-0+deb12u1
ii  udev                                       252.38-1~deb12u1

-- debconf information:
  cupsys/backend: lpd, socket, usb, snmp, dnssd
  cupsys/raw-print: true

Reply to:

Prev by Date: Unable to locate printer "HOSTNAME.local", help with troubleshooting CUPS and mDNS once and for all
Next by Date: Processed: ippsample: ippserver and ippfind are non-functional
Previous by thread: Unable to locate printer "HOSTNAME.local", help with troubleshooting CUPS and mDNS once and for all
Next by thread: Processed: ippsample: ippserver and ippfind are non-functional
Index(es):
- Date
- Thread