On 14/05/2013 12:00, Helmut Jarausch wrote:
> On 05/14/2013 11:55:23 AM, Yuri K. Shatroff wrote:
>> On 14.05.2013 13:42, Helmut Jarausch wrote:
>>> On 05/14/2013 11:15:29 AM, Yuri K. Shatroff wrote:
>>>> On 14.05.2013 13:05, Helmut Jarausch wrote:
>>>>> Hi,
>>>>> recently I have problems with CUPS (1.6.2) with cups-filters-1.0.34
>>>>>
>>>>> I see lots of strange error messages in /var/log/cups/error_log like
>>>>>
>>>>> Filter "pdftops" not found.
>>>>>
>>>>> but there is a /usr/libexec/cups/filter/pdftops
>>>>>
>>>>> and then
>>>>>
>>>>> ps: File "/etc/cups/${EPREFIX}/usr/libexec/cups/filter/commandtops"
>>>>> not available: No such file or directory
>>>>>
>>>>> These paths look strange.
>>>>>
>>>>> Does anyone know what's going on here?
>>>>>
>>>>> Many thanks for a hint,
>>>>> Helmut.
>>>>
>>>> Hi Helmut,
>>>> I also had this problem after installing CUPS. There is trouble with
>>>> permissions, AFAIR you need to check that /var/spool/cups is
>>>> accessible to your user: that is, ensure that you're in the lp group
>>>> and /var/spool/cups group is lp. I cannot be sure that this dir was
>>>> the only one to check but it was the permissions which were the problem.
>>>
>>> Thanks Juri.
>>> What do you mean by 'accessible' - here I have only group execute
>>> permission, i.e.
>>>
>>> ls -ld /var/spool/cups gives
>>> drwx--x--- 3 root lp 32768 May 14 11:37 /var/spool/cups
>>
>> Accessible really means accessible, i.e. when you are able to chdir to
>> it and see its contents.
>> Apparently, the dir lacks "group read" permission, i.e. it should be
>> drwxr-x---
>> the `execute` bit alone doesn't allow one to access the directory.
>> That is probably a portage bug or sort of.
>
> But then any user of group 'lp' on that machine can read what others
> have spooled for printing.
> Isn't this a security breach?

Not by itself, not really.

Read on a directory lets you read the directory inode. In other words
"ls" will work.

To see others' spool files, you need at least read on each individual
file. As a parallel, this is what makes "cat" work.

So read on a dir is not by itself a security risk, unless you want to
prohibit people even seeing who else has spool files at all. Doing that
cannot be done with Unix permissions alone (and it's a real PITA
deploying a way to do it, which is why we usually don't).

--
Alan McKinnon
alan.mckin...@gmail.com
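
The directory-versus-file distinction discussed in this thread, as an added example that is not part of the original messages: a small model of the classic Unix permission check for a non-root user, applied to the spool directory mode quoted above. The uid 1000, gid 7 for lp, and the job-file modes are constructed sample values, and ACLs and root are out of scope.

```python
import stat

R, X = 4, 1  # read and execute/search bits within one rwx triplet

def triplet(mode, owner, group, uid, gids):
    """Pick the single rwx triplet the kernel applies to a non-root user:
    owner if the uid matches, else group, else other (no fall-through)."""
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7

def spool_access(dir_mode, file_mode, uid, gids, owner=0, group=7,
                 file_owner=0, file_group=7):
    """What a non-root user can do with a spool directory and one job file in it."""
    d = triplet(dir_mode, owner, group, uid, gids)
    f = triplet(file_mode, file_owner, file_group, uid, gids)
    return {
        "list_names": bool(d & R),          # "ls": read the directory entries
        "enter_dir": bool(d & X),           # "cd", or resolve a known name
        "read_job": bool(d & X and f & R),  # "cat": search on dir + read on file
    }

# Constructed sample: uid 1000 is a member of lp (gid 7 assumed); files are root:lp.
USER = dict(uid=1000, gids={1000, 7})
CASES = [
    (0o710, 0o600),  # directory mode from the thread, owner-only job file
    (0o750, 0o600),  # group read added on the directory
    (0o750, 0o640),  # ... and the job file is group-readable
    (0o710, 0o640),  # listing hidden, but the job file is group-readable
]

def report():
    """Return (dir mode string, file mode string, access dict) for each case."""
    rows = []
    for dmode, fmode in CASES:
        acc = spool_access(dmode, fmode, **USER)
        rows.append((stat.filemode(stat.S_IFDIR | dmode),
                     stat.filemode(stat.S_IFREG | fmode), acc))
    return rows

if __name__ == "__main__":
    for d, f, acc in report():
        print(d, f, acc)
```

In this model the mode on each job file decides whether its contents are readable; group read on the directory only changes whether the file names can be listed.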