Your message dated Tue, 30 Aug 2011 10:47:17 +0000
with message-id <[email protected]>
and subject line Bug#623743: fixed in cups-pdf 2.5.1-4
has caused the Debian Bug report #623743,
regarding cups-pdf: does not properly set supplementary groups when dropping
privileges
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
623743: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=623743
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cups-pdf
Version: 2.5.0-16
Severity: normal
Tags: upstream patch
When dropping privileges to the user who sent the print job, cups-pdf
sets only euid and egid, but NOT the supplementary groups. Therefore
a common "print dump" directory only accessible by a "print" group will
only work when all printing users have a primary group of "print", but
NOT when it is only a supplementary group.
Patch is attached.
Greetings,
Christopher
-- System Information:
Debian Release: 6.0.1
APT prefers stable
APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Versions of packages cups-pdf depends on:
ii cups 1.4.4-7 Common UNIX Printing System(tm) -
ii cups-client 1.4.4-7 Common UNIX Printing System(tm) -
ii ghostscript 8.71~dfsg2-9 The GPL Ghostscript PostScript/PDF
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libpaper-utils 1.1.24 library for handling paper charact
cups-pdf recommends no packages.
Versions of packages cups-pdf suggests:
ii system-config-printer 1.2.3-3 graphical interface to configure t
-- Configuration Files:
/etc/cups/cups-pdf.conf changed [not included]
-- no debconf information
*** cups-pdf.c.diff
--- a/cups-pdf.c 2009-01-26 12:56:20.000000000 +0100
+++ b/cups-pdf.c 2011-04-22 18:12:41.000000000 +0200
@@ -521,6 +521,8 @@
int size;
mode_t mode;
struct passwd *passwd;
+ gid_t *groups;
+ int ngroups;
pid_t pid;
if (setuid(0)) {
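Review bot: `groups` and `ngroups` are declared without initial values in this hunk, and none of the visible hunks ever frees `groups`. Initialise the pointer at its declaration (`gid_t *groups = NULL;`) so that an error path taken before the allocation cannot pass an indeterminate pointer to free() or setgroups(), and free the array once setgroups() has been called.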
@@ -550,7 +552,24 @@
return 5;
}
snprintf(user, size, "%s%s", conf.userprefix, argv[2]);
+
+ /* Get user passwd entry */
passwd=getpwnam(user);
+
+ /* Get user groups */
+ ngroups=32;
+ groups = malloc(ngroups * sizeof(gid_t));
+ size = getgrouplist(user, passwd->pw_gid, groups, &ngroups);
+ if (size == -1) {
+ free(groups);
+ groups = malloc(ngroups * sizeof(gid_t));
+ size = getgrouplist(user, passwd->pw_gid, groups, &ngroups);
+ }
+ else if (size < 0) {
+ log_event(CPERROR, "getgrouplist failed", NULL);
+ return 5;
+ }
+
if (passwd == NULL && conf.lowercase) {
log_event(CPDEBUG, "unknown user", user);
for (size=0;size<(int) strlen(argv[2]);size++)
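Review bot: `passwd->pw_gid` is dereferenced in the new getgrouplist() call before the existing `if (passwd == NULL && conf.lowercase)` check that follows it, so an unknown user name now makes the backend dereference a NULL pointer after the earlier setuid(0). Move the group lookup below the point where `passwd` is known to be non-NULL; the `conf.lowercase` branch appears to retry with a modified name, so the list should be built for whichever name finally resolves. In the same block, neither malloc() result is checked, the return value of the second getgrouplist() call is ignored, and the `else if (size < 0)` branch cannot be reached because the `size == -1` branch already covers the function's failure return.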
@@ -711,6 +730,10 @@
log_event(CPERROR, "failed to set GID for current user", NULL);
else
log_event(CPDEBUG, "GID set for current user", NULL);
+ if (setgroups(ngroups, groups))
+ log_event(CPERROR, "failed to set supplementary groups for current
user", NULL);
+ else
+ log_event(CPDEBUG, "supplementary groups set for current user", NULL);
if (setuid(passwd->pw_uid))
log_event(CPERROR, "failed to set UID for current user",
passwd->pw_name);
else
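Review bot: A setgroups() failure is only logged here and execution falls through to setuid(), so the process would continue as the target user while still holding whatever supplementary groups it had before the drop. Treat the failure as fatal and return an error instead of continuing. Placing the call before setuid() is right, since setgroups() needs the privilege that setuid() gives up.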
--- End Message ---
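The complete privilege drop this report asks for, as an added example that is not part of the original report or of cups-pdf: the group list is sized with a getgrouplist() retry, the passwd entry is checked before use, every step is fatal on failure, and the drop is verified. The names `user_groups` and `drop_to_user` are hypothetical; Linux/glibc is assumed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* getgrouplist(), setgroups() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Build the full group list (primary + supplementary) for a user.
 * Returns 0 and a malloc'd array in *out (caller frees), or -1. */
int user_groups(const char *name, gid_t primary, gid_t **out, int *count)
{
    int n = 32; /* first guess; getgrouplist() reports the real size */
    gid_t *g = malloc(n * sizeof *g);
    if (g == NULL) return -1;
    if (getgrouplist(name, primary, g, &n) == -1) {
        gid_t *bigger = realloc(g, n * sizeof *g); /* n = required size */
        if (bigger == NULL) { free(g); return -1; }
        g = bigger;
        if (getgrouplist(name, primary, g, &n) == -1) { free(g); return -1; }
    }
    *out = g; *count = n;
    return 0;
}

/* Permanently become `name`. Order matters: groups, then gid, then uid.
 * Returns -1 on any failure; the caller must then stop, not carry on. */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    gid_t *groups = NULL;
    int ngroups = 0;
    if (pw == NULL) return -1; /* check before any dereference */
    uid_t uid = pw->pw_uid; gid_t gid = pw->pw_gid;
    if (user_groups(name, gid, &groups, &ngroups) != 0) return -1;
    int rc = setgroups((size_t)ngroups, groups);
    free(groups);
    if (rc != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* Verify: regaining root must now be impossible. */
    return (uid != 0 && setuid(0) == 0) ? -1 : 0;
}

int main(int argc, char **argv)
{
    if (argc != 2 || drop_to_user(argv[1]) != 0) { fprintf(stderr, "drop failed\n"); return 1; }
    printf("uid=%d gid=%d ngroups=%d\n", (int)getuid(), (int)getgid(), getgroups(0, NULL));
    return 0;
}
```

Run as root with a user name as the only argument; the printed group count should match what `id USER` reports for that user.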
--- Begin Message ---
Source: cups-pdf
Source-Version: 2.5.1-4
We believe that the bug you reported is fixed in the latest version of
cups-pdf, which is due to be installed in the Debian FTP archive:
cups-pdf_2.5.1-4.diff.gz
to main/c/cups-pdf/cups-pdf_2.5.1-4.diff.gz
cups-pdf_2.5.1-4.dsc
to main/c/cups-pdf/cups-pdf_2.5.1-4.dsc
cups-pdf_2.5.1-4_amd64.deb
to main/c/cups-pdf/cups-pdf_2.5.1-4_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Martin-Éric Racine <[email protected]> (supplier of updated cups-pdf
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 29 Aug 2011 21:16:05 +0300
Source: cups-pdf
Binary: cups-pdf
Architecture: source amd64
Version: 2.5.1-4
Distribution: unstable
Urgency: low
Maintainer: Debian CUPS Maintainers <[email protected]>
Changed-By: Martin-Éric Racine <[email protected]>
Description:
cups-pdf - PDF printer for CUPS
Closes: 623743
Changes:
cups-pdf (2.5.1-4) unstable; urgency=low
.
* Migrated CDBS patch management from simple-patchsys.mk to
patchsys-quilt.mk.
+ Adopted the short README.source from Quilt for Debian Maintainers as-is.
+ Added a Build-Depends on quilt.
* Added to [debian/patches]:
60_Debian_623743.patch "support supplementary groups" (Closes: #623743).
* Updated [debian/copyright] to reflect recent upstream contributions.
* Implemented automated PPD upgrading for CUPS (>= 1.5.0-3). Backports
will simply ignore this script; no Depends version required.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---