Package: cups-daemon
Version: 2.3~b4-2
Severity: wishlist

Dear Maintainer,

Since cupsd must run as root, its capabilities should be restricted as far as
possible. Given that the cups-daemon package provides the systemd service unit,
would it be possible to harden it by default? The following options worked for
me in the [Service] section (but we may need more extensive testing, in
particular of PrivateDevices= and ProtectHome= against the printer device nodes
and the @{HOME}/PDF output of cups-pdf that the AppArmor profile below has to
allow):

CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
PrivateTmp=true
PrivateDevices=true
MemoryDenyWriteExecute=true
LockPersonality=true
ReadWritePaths=/etc/cups /var/log/cups /var/run/cups /var/cache/cups /var/spool/cups

Sincerely,

Chiraag

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.16.5-chiraag (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups-daemon depends on:
ii  adduser           3.117
ii  bc                1.07.1-2
ii  libavahi-client3  0.7-4
ii  libavahi-common3  0.7-4
ii  libc6             2.27-3
ii  libcups2          2.3~b4-2
ii  libcupsmime1      2.3~b4-2
ii  libdbus-1-3       1.13.4-1
ii  libgssapi-krb5-2  1.16-2
ii  libpam0g          1.1.8-3.7
ii  libpaper1         1.1.24+nmu5
ii  libsystemd0       238-4
ii  lsb-base          9.20170808
ii  procps            2:3.3.14-1+b1
ii  ssl-cert          1.0.39

Versions of packages cups-daemon recommends:
ii  avahi-daemon  0.7-4
pn  colord        <none>
ii  cups-browsed  1.20.3-1+b1

Versions of packages cups-daemon suggests:
ii  cups                                       2.3~b4-2
ii  cups-bsd                                   2.3~b4-2
ii  cups-client                                2.3~b4-2
ii  cups-common                                2.3~b4-2
ii  cups-filters [foomatic-filters]            1.20.3-1+b1
ii  cups-ppdc                                  2.3~b4-2
ii  cups-server-common                         2.3~b4-2
ii  foomatic-db-compressed-ppds [foomatic-db]  20180306-1
ii  ghostscript                                9.22~dfsg-2.1
pn  hplip                                      <none>
ii  poppler-utils                              0.64.0-1
ii  printer-driver-cups-pdf [cups-pdf]         3.0.1-5
ii  printer-driver-gutenprint                  5.3.0~pre1-3
ii  printer-driver-hpcups                      3.18.4+repack0-2
pn  smbclient                                  <none>
ii  udev                                       238-4

-- Configuration Files:
/etc/apparmor.d/usr.sbin.cupsd changed:
# Profile for the CUPS scheduler. Helpers executed with ix inherit this
# profile; backends, filters and drivers executed with Cx run under the
# nested third_party subprofile defined at the end of this block; cups-pdf
# transitions with Px to its own profile, defined after this one.
/usr/sbin/cupsd flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/authentication>
  #include <abstractions/dbus>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/perl>
  #include <abstractions/user-tmp>
  # capabilities the scheduler itself may use
  capability chown,
  capability fowner,
  capability fsetid,
  capability kill,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability audit_write,
  capability wake_alarm,
  deny capability block_suspend,
  # noisy: quietly deny sending TERM to unconfined peers
  deny signal (send) set=("term") peer=unconfined,
  # nasty, but we limit file access pretty tightly, and cups chowns a
  # lot of files to 'lp' which it cannot read/write afterwards any
  # more
  capability dac_override,
  capability dac_read_search,
  # the bluetooth backend needs this
  network bluetooth,
  # the dnssd backend uses those
  network x25 seqpacket,
  network ax25 dgram,
  network netrom seqpacket,
  network rose dgram,
  network ipx dgram,
  network appletalk dgram,
  network econet dgram,
  network ash dgram,
  # shells and hostname may be executed, inheriting this profile (ix)
  /{usr/,}bin/bash ixr,
  /{usr/,}bin/dash ixr,
  /{usr/,}bin/hostname ixr,
  # printer and port device nodes (parallel, serial, USB).
  # NOTE(review): the PrivateDevices=true proposed in the report above would
  # give cupsd a private /dev without these nodes -- confirm printing still
  # works before enabling it.
  /dev/lp* rw,
  deny /dev/tty rw,  # silence noise
  /dev/ttyS* rw,
  /dev/ttyUSB* rw,
  /dev/usb/lp* rw,
  /dev/bus/usb/ r,
  /dev/bus/usb/** rw,
  /dev/parport* rw,
  # configuration: /etc/cups is read-write (interfaces may also be
  # executed), the rest read-only except /etc/printcap (read, write, link)
  /etc/cups/ rw,
  /etc/cups/** rw,
  /etc/cups/interfaces/* ixrw,
  /etc/foomatic/* r,
  /etc/gai.conf r,
  /etc/papersize r,
  /etc/pnm2ppa.conf r,
  /etc/printcap rwl,
  /etc/ssl/** r,
  # read-only views of /proc and /sys (network state, parport, crypto)
  @{PROC}/net/ r,
  @{PROC}/net/* r,
  @{PROC}/sys/dev/parport/** r,
  @{PROC}/*/net/ r,
  @{PROC}/*/net/** r,
  @{PROC}/*/auxv r,
  @{PROC}/sys/crypto/** r,
  /sys/** r,
  # broad execute access: anything directly under these directories runs
  # inheriting this profile (ix); /usr/lib is readable and mappable (m)
  /usr/bin/* ixr,
  /usr/sbin/* ixr,
  /{usr/,}bin/* ixr,
  /{usr/,}sbin/* ixr,
  /usr/lib/** rm,
  # backends which come with CUPS can be confined
  /usr/lib/cups/backend/bluetooth ixr,
  /usr/lib/cups/backend/dnssd ixr,
  /usr/lib/cups/backend/http ixr,
  /usr/lib/cups/backend/ipp ixr,
  /usr/lib/cups/backend/lpd ixr,
  /usr/lib/cups/backend/parallel ixr,
  /usr/lib/cups/backend/serial ixr,
  /usr/lib/cups/backend/snmp ixr,
  /usr/lib/cups/backend/socket ixr,
  /usr/lib/cups/backend/usb ixr,
  # we treat cups-pdf specially, since it needs to write into /home
  # and thus needs extra paranoia
  /usr/lib/cups/backend/cups-pdf Px,
  # allow communicating with cups-pdf via Unix sockets
  unix peer=(label=/usr/lib/cups/backend/cups-pdf),
  # third party backends get no restrictions as they often need high
  # privileges and this is beyond our control
  /usr/lib/cups/backend/* Cx -> third_party,
  # CGI programs, daemon helpers, monitors and notifiers inherit this profile
  /usr/lib/cups/cgi-bin/* ixr,
  /usr/lib/cups/daemon/* ixr,
  /usr/lib/cups/monitor/* ixr,
  /usr/lib/cups/notifier/* ixr,
  # filters and drivers (PPD generators) are always run as non-root,
  # and there are a lot of third-party drivers which we cannot predict
  /usr/lib/cups/filter/** Cxr -> third_party,
  /usr/lib/cups/driver/* Cxr -> third_party,
  # /usr/local is readable and mappable; its CUPS tree is also executable (ix)
  /usr/local/** rm,
  /usr/local/lib/cups/** rix,
  /usr/share/** r,
  # runtime state: /run readable and mappable, avahi and samba sockets
  # writable (the samba run directory itself is denied, its contents allowed)
  /{,var/}run/** rm,
  /{,var/}run/avahi-daemon/socket rw,
  deny /{,var/}run/samba/ rw,
  /{,var/}run/samba/** rw,
  /var/cache/samba/*.tdb r,
  /var/{cache,lib}/samba/printing/printers.tdb r,
  # the scheduler's own writable directories (k = file locking in the cache)
  /{,var/}run/cups/ rw,
  /{,var/}run/cups/** rw,
  /var/cache/cups/ rw,
  /var/cache/cups/** rwk,
  /var/log/cups/ rw,
  /var/log/cups/* rw,
  /var/spool/cups/ rw,
  /var/spool/cups/** rw,
  # third-party printer drivers; no known structure here
  /opt/** rix,
  # FIXME: no policy ATM for hplip and Brother drivers
  /usr/bin/hpijs Cx -> third_party,
  /usr/Brother/** Cx -> third_party,
  # Kerberos authentication (config read-only, keytabs lockable, the
  # CUPS-specific keytab also writable)
  /etc/krb5.conf r,
  deny /etc/krb5.conf w,
  /etc/krb5.keytab rk,
  /etc/cups/krb5.keytab rwk,
  /tmp/krb5cc* k,
  # likewise authentication
  /etc/likewise r,
  /etc/likewise/* r,
  # silence noise
  deny /etc/udev/udev.conf r,
  # signals and Unix sockets to/from children confined by the third_party
  # subprofile below
  signal peer=/usr/sbin/cupsd//third_party,
  unix peer=(label=/usr/sbin/cupsd//third_party),
  profile third_party flags=(attach_disconnected) {
    # third party backends, filters, and drivers get relatively no restrictions
    # as they often need high privileges, are unpredictable or otherwise beyond
    # our control
    file,
    capability,
    # the one capability withheld from them; attempts to use it are audited
    audit deny capability mac_admin,
    network,
    dbus,
    signal,
    ptrace,
    unix,
  }
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.cupsd>
}
# Profile for the cups-pdf backend, entered via the Px transition in the
# cupsd profile above. Kept separate because it writes into the user's home.
/usr/lib/cups/backend/cups-pdf flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  # capabilities granted to the backend
  capability chown,
  capability fowner,
  capability fsetid,
  capability setgid,
  capability setuid,
  # unfortunate, but required for when $HOME is 700
  capability dac_override,
  capability dac_read_search,
  # allow communicating with cupsd via Unix sockets
  unix peer=(label=/usr/sbin/cupsd),
  @{PROC}/*/auxv r,
  # shells and cp may be executed, inheriting this profile (ix)
  /{usr/,}bin/dash ixr,
  /{usr/,}bin/bash ixr,
  /{usr/,}bin/cp ixr,
  # read-only configuration and PPDs
  /etc/papersize r,
  /etc/cups/cups-pdf.conf r,
  /etc/cups/ppd/*.ppd r,
  # PDF output lands in the user's home directory.
  # NOTE(review): the ProtectHome=true proposed in the report above for cupsd
  # would presumably be inherited by this backend -- confirm output still
  # works before enabling it.
  @{HOME}/PDF/ rw,
  @{HOME}/PDF/* rw,
  # ghostscript runs inheriting this profile; the backend binary and the
  # ghostscript libraries are readable and mappable (m)
  /usr/bin/gs ixr,
  /usr/lib/cups/backend/cups-pdf mr,
  /usr/lib/ghostscript/** mr,
  /usr/share/** r,
  # logs are write-only, the CUPS spool read-only, cups-pdf's own spool rw
  /var/log/cups/cups-pdf*_log w,
  /var/spool/cups/** r,
  /var/spool/cups-pdf/** rw,
}


-- no debconf information
