Hi Antoine,

Antoine Jacoutot wrote on Mon, Apr 11, 2016 at 07:52:15AM +0200:
> Ingo Schwarze wrote:

>> Changing which mode is checked won't help you because security(8)
>> also complains that printcap(5) is a symlink rather than the expected
>> regular file. So you would still get spammed.
>>
>> Antoine, is it normal that CUPS replaces /etc/printcap with a symlink?

> Yes it is.

In that case, i consider it stupid for security(8) to complain about it. It doesn't matter that i personally dislike CUPS. Lots and lots of people are forced to use it, and spamming them seems harmful to me.

>> Any idea how to prevent people from getting spammed about that?
>> If we had an idea, we could explain it in README-main, which is
>> already quite good in many other respects.

> Maybe we can relax the printcap check a bit?

That would be the following patch.

Sure, it allows some configurations that make no sense (for example, a regular executable file or a directory /etc/printcap). But avoiding false positives in perfectly sane configurations seems rather important to me, more important than catching each and every broken configuration (except those that are particularly dangerous), so i'd like to commit it.

What do you think?

In case somebody doesn't like the 0755: Can we somehow teach CUPS to do "chmod -h 0644 /etc/printcap" after installing its symlink?

Yours,
  Ingo

Index: special =================================================================== RCS file: /cvs/src/etc/mtree/special,v retrieving revision 1.117 diff -u -p -r1.117 special --- special 8 Mar 2016 00:16:47 -0000 1.117 +++ special 11 Apr 2016 23:40:36 -0000 
@@ -73,7 +73,7 @@ ospfd.conf type=file mode=0600 uname=roo ospf6d.conf type=file mode=0600 uname=root gname=wheel optional passwd type=file mode=0644 uname=root gname=wheel pf.conf type=file mode=0600 uname=root gname=wheel optional -printcap type=file mode=0644 uname=root gname=wheel optional +printcap mode=0755 uname=root gname=wheel optional radiusd.conf type=file mode=0600 uname=root gname=wheel optional rc type=file mode=0644 uname=root gname=wheel rc.conf type=file mode=0644 uname=root gname=wheel
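
Review bot: The replaced printcap line drops type=file entirely and raises mode to 0755, so this entry no longer constrains what kind of object /etc/printcap is; as the message itself concedes, a directory or an executable regular file would now pass unreported. Every neighbouring entry visible in this hunk still carries type=file, so a comment above the printcap line saying the relaxation exists for the CUPS symlink would keep a later cleanup from restoring type=file or mode=0644. If the "chmod -h 0644" approach on the CUPS side turns out to be workable, the mode could stay at 0644 and only the type check would need to go.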
