--- On Thu, 24/1/13, Armin K. wrote:

> From: Armin K.
> Subject: Re: [blfs-support] Cups security issue - /etc/cups/cups-files.conf needed (Was: ... [BLFS Trac] #3754 ...)
> To: "BLFS Support List"
> Date: Thursday, 24 January 2013, 14:36
> On 01/24/2013 06:09 PM, Fernando de Oliveira wrote:
> >
> > Thank you, Armin.
> >
> > Sending to the list, so more people could reach using search tools
> > (well, when the servers are back running without problems).
> >
> > Builds perfectly, and installs the new /etc/cups/cups-files.conf.
> >
> > I changed owner:
> > chown -v 0:0 /etc/cups/{snmp.conf,cups-files.conf}
> >
> > However, as before in the older page of the book, without the
> > cups-files.conf, when daemon is restarted, owner of cups-files.conf
> > changes back to "root lp":
> >
> > # chown -v 0:0 /etc/cups/cups-files.conf
> > changed ownership of "/etc/cups/cups-files.conf" from root:lp to 0:0
> > root [ /etc/cups ]# ls -l /etc/cups/cups-files.conf
> > -rw-r----- 1 root root 2892 Jan 24 13:19 /etc/cups/cups-files.conf
> > root [ /etc/cups ]# /etc/rc.d/init.d/cups restart
> >    *  Stopping CUPS Printserver...                              [  OK  ]
> >    *  Starting CUPS Printserver...                              [  OK  ]
> > root [ /etc/cups ]# ls -l /etc/cups/cups-files.conf
> > -rw-r----- 1 root lp 2892 Jan 24 13:19 /etc/cups/cups-files.conf
> >
> > I have
> >
> > root [ /etc/cups ]# ls -l /media/Ubuntu32/etc/cups/cups-files.conf
> > -rw-r--r-- 1 root root 2884 Dez  4 12:21 /media/Ubuntu32/etc/cups/cups-files.conf
> >
> > but have no clue where or what to change for this to be persistent in
> > BLFS.
> >
> > []s,
> > Fernando
> >
> 
> I think this handles conffile perms on Debian and Ubuntu
> 
> http://patch-tracker.debian.org/patch/series/view/cups/1.6.1-1/confdirperms.patch
> 
> I don't think it should be important. It was lpadmin, not lp group who
> introduced the problems.

Thanks again, Armin.

Applied just after cups-1.6.1-blfs-2.patch:

...
      patch -Np1 -i ../cups-1.6.1-blfs-2.patch           &&
      patch -Np1 -i ../cups-1.6.1-confdirperms.patch     &&
...

Just a small offset:
...
patching file scheduler/conf.c
Hunk #1 succeeded at 1115 (offset -2 lines).
...

Of course, it could be easily corrected to apply cleanly, if you wanted 
it in the book. Or could be replaced by an sed, I think.

Works perfectly. Restarted cupsd and still:

root [ /etc/cups ]# ls -l cups-files.conf{,.N}
-rw-r----- 1 root root 2892 Jan 24 13:19 cups-files.conf
-rw-r----- 1 root lp   2892 Jan 24 15:12 cups-files.conf.N

Notice that the new file would be again 0:lp owned.

Perhaps owned by 0:0 is more secure than 0:lp, I do not know, so, at 
the moment, prefer that.

Anyway, if by any chance you intend to include that change, remember 
that I have also added:

      chown -v 0:0 /etc/cups/{snmp.conf,cups-files.conf}*

to the post_install part, so if user replaces the current files using 
the new ones, ownership is correct (to my current preference).

[]s,
Fernando
-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
