Your message dated Fri, 7 Mar 2008 22:02:19 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Closing
has caused the Debian Bug report #263796,
regarding please don't run cupsys as root
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
263796: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=263796
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: cupsys
Version: 1.1.20final+rc1-4
Severity: wishlist
Tags: patch
Hi!
cupsd currently runs as root, which is a big security hole and way
more than necessary.
I prepared an updated package which lets cupsd run as normal user
cupsys and under a few auxilliary groups (which are necessary). The
changelog entry is:
|cupsys (1.1.20final+rc1-4ubuntu1) unstable; urgency=low
|
| * added patch 33auxgroups: support running the cups server under auxilliary
| groups
| * added patch 34confRunAsUser: default cupsd.conf: add and enable RunAsUser
| * cupsys.postinst:
| - create an user 'cupsys' and put it into groups lp, shadow, and dialout
| - create /var/run/cups/ with owner cupsys (if it does not exist, it is
| created with owner root and cupsd cannot write into it any more)
| * cupsys.postrm: remove user cupsys
| * debian/rules: configure with --with-cups-user=cupsys
|
| -- Martin Pitt <[EMAIL PROTECTED]> Tue, 3 Aug 2004 18:17:59 +0200
You can get the interdiff against revision -4 from
http://bye-bye-root.no-name-yet.com/patches/cupsys.min-privileges.diff
This patch has been tested successfully by several people now.
Thanks for considering and have a nice day!
Martin
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.7+skas-amd
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED]
Versions of packages cupsys depends on:
ii adduser 3.59 Add and remove users and groups
ii debconf 1.4.30 Debian configuration management sy
ii gs-esp 7.07.1-9 The Ghostscript PostScript interpr
ii libc6 2.3.2.ds1-14 GNU C Library: Shared libraries an
ii libcupsimage2 1.1.20final+rc1-4 Common UNIX Printing System(tm) -
ii libcupsys2-gnutls10 1.1.20final+rc1-4 Common UNIX Printing System(tm) -
ii libgnutls11 1.0.16-4 GNU TLS library - runtime library
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libpaper1 1.1.14-0.3 Library for handling paper charact
ii libslp1 1.0.11-7 OpenSLP libraries
ii zlib1g 1:1.2.1.1-5 compression library - runtime
-- debconf information:
cupsys/raw-print: true
cupsys/backend: ipp, lpd, parallel, socket, usb
--
Martin Pitt Debian GNU/Linux Developer
[EMAIL PROTECTED] [EMAIL PROTECTED]
http://www.piware.de http://www.debian.org
signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
Hi,
we have done this for a while in Ubuntu, but due to upstream's
absolute unwillingness to even discuss this we gave up maintaining
this patch. We now use an apparmor policy which is much easier to
maintain.
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
--- End Message ---
