On Tue, Apr 12, 2016 at 01:53:58AM +0200, Ingo Schwarze wrote:
> Hi Antoine,
>
> Antoine Jacoutot wrote on Mon, Apr 11, 2016 at 07:52:15AM +0200:
> > Ingo Schwarze wrote:
>
> >> Changing which mode is checked won't help you because security(8)
> >> also complains that printcap(5) is a symlink rather than the expected
> >> regular file. So you would still get spammed.
> >>
> >> Antoine, is it normal that CUPS replaces /etc/printcap with a symlink?
>
> > Yes it is.
>
> In that case, i consider it stupid for security(8) to complain about it.
> It doesn't matter that i personally dislike CUPS. Lots and lots of
> people are forced to use it, and spamming them seems harmful to me.
>
> >> Any idea how to prevent people from getting spammed about that?
> >> If we had an idea, we could explain it in README-main, which is
> >> already quite good in many other respects.
>
> > Maybe we can relax the printcap check a bit?
>
> That would be the following patch.
>
> Sure, it allows some configurations that make no sense (for example,
> a regular executable file or a directory /etc/printcap). But
> avoiding false positives in perfectly sane configurations seems
> rather important to me, more important than catching each and every
> broken configuration (except those that are particularly dangerous),
> so i'd like to commit it. What do you think?
>
> In case somebody doesn't like the 0755: Can we somehow teach CUPS
> to do "chmod -h 0644 /etc/printcap" after installing its symlink?

Yes we can and I think it'd be preferable to having to use 0755.
I'll do that in a few.
The diff's OK for me otherwise.
Thanks.

> Index: special > =================================================================== > RCS file: /cvs/src/etc/mtree/special,v > retrieving revision 1.117 > diff -u -p -r1.117 special > --- special 8 Mar 2016 00:16:47 -0000 1.117 > +++ special 11 Apr 2016 23:40:36 -0000 > @@ -73,7 +73,7 @@ ospfd.conf type=file mode=0600 uname=roo > ospf6d.conf type=file mode=0600 uname=root gname=wheel optional > passwd type=file mode=0644 uname=root gname=wheel > pf.conf type=file mode=0600 uname=root gname=wheel optional > -printcap type=file mode=0644 uname=root gname=wheel optional > +printcap mode=0755 uname=root gname=wheel optional > radiusd.conf type=file mode=0600 uname=root gname=wheel optional > rc type=file mode=0644 uname=root gname=wheel > rc.conf type=file mode=0644 uname=root gname=wheel

--
Antoine
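
Review bot: The `+printcap` line is the only entry in this hunk with no `type=` keyword, and nothing in the file records why. Dropping `type=file` means the entry no longer constrains what kind of object /etc/printcap is, and `mode=0755` is wider than the 0644 the removed line required, so the check on this path is relaxed in two ways at once. A comment line above the entry saying the type is left unchecked because CUPS installs a symlink there would keep a later cleanup from restoring `type=file`. If the symlink is given mode 0644 with "chmod -h" as proposed in the thread, the entry could keep `mode=0644` and relax only the type check.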
