Hi Till,

This is my "other mail". Sorry for the delay.

On Friday, 28 August 2015, 12.15:39 Till Kamppeter wrote:
> I got an answer to STR #4703 and the upstream code got appropriately
> fixed, but the intended behavior is not world-readable PPDs as it
> looked like but treating the PPDs in /etc/cups/ppd/ as any other
> configuration file of CUPS, getting permissions assigned as defined by
> the ConfigFilePerm variable in /etc/cups/cups-files.conf. Ownerships
> are root.lp.

If that's to stay, we should probably make sure all files under /etc/cups/ppd/ have these ownerships in a postinst script.

> This means that world-readable PPD files are not standard in CUPS and
> any access to printer capabilities and any other information concerning
> the printing environment have to be done via IPP requests to the CUPS
> daemon or via API functions of the CUPS library (which in turn send
> IPP requests to the CUPS daemon).

Well. This makes sense, and is at least consistent with upstream's choices in recent years.

> Also locations of CUPS files are not necessarily always the same, as
> we got used to with standard desktop or server Linux. So the files
> should never get accessed directly. If a program fails on not
> world-readable PPDs, it has a bug.

Fair enough, and I think we should follow upstream there, although it's always puzzling to have non-standard configuration files under /etc.

To recap, I think upstream's opinion on what the various file permissions and ownerships should be is consistent with how CUPS works, but it's inconsistent with FHS. We could consider moving some sub-directories to /var/lib/cups, where FHS wants them.

> Now we need to decide about the further proceeding:
>
> 1. Leave ConfigFilePerm on its default of 640, meaning that all config
> files including the PPDs are not world-readable. Is there any
> security reason why config files of CUPS should not be
> world-readable?

For now, that's what 2.0.1-1 will do. :) But in this case, these files should move to /lib.

> 2. Set ConfigFilePerm to 644, making all config files and PPD
> world-readable to work around bugs in programs which want to access
> PPDs and/or config files of CUPS directly

If these files are to stay in /etc, that's probably what we should be doing. But in terms of security, I think some configuration files can hold samba credentials, and should therefore not be world-readable.

> 3. Create a distro patch which allows world-readable PPDs but
> not-world-readable config files in CUPS.
>
> I would say to go with (2) if this does not bear any security risk,
> otherwise with (1). I think (3) would be too awkward.

Yeah, agreed.

Cheers,
OdyX
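
The mode and ownership check that a postinst step like the one suggested above would rest on, as an added example that is not part of the original mail: a read-only audit that reads ConfigFilePerm from cups-files.conf (falling back to the 640 default named in the thread) and lists files in the PPD directory whose mode or owner differs. The function names, the overridable OWNER:GROUP argument and the reliance on GNU stat are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original mail): read-only audit of PPD file
# modes and ownership. Assumes GNU stat(1); function names are illustrative.

# Print the effective ConfigFilePerm as stat(1) would show it (no leading
# zero). Falls back to 640, the default named in the thread, when the
# directive is missing, commented out, or the file cannot be read.
config_file_perm() {
    perm=$(awk '$1 == "ConfigFilePerm" { v = $2 } END { print v }' "$1" 2>/dev/null) || perm=
    perm=$(printf '%s' "$perm" | sed 's/^0*\([0-7]\)/\1/')
    printf '%s\n' "${perm:-640}"
}

# audit_ppd_dir CONF DIR [OWNER:GROUP]
# Lists each regular file in DIR whose mode differs from ConfigFilePerm or
# whose owner differs from OWNER:GROUP (default root:lp, as in the thread).
# Returns 0 when every file complies, 1 otherwise. Changes nothing.
audit_ppd_dir() {
    want_mode=$(config_file_perm "$1")
    want_owner=${3:-root:lp}
    bad=0
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        owner=$(stat -c '%U:%G' "$f")
        if [ "$mode" != "$want_mode" ]; then
            printf 'MODE %s (want %s): %s\n' "$mode" "$want_mode" "$f"
            bad=1
        fi
        if [ "$owner" != "$want_owner" ]; then
            printf 'OWNER %s (want %s): %s\n' "$owner" "$want_owner" "$f"
            bad=1
        fi
    done
    return $bad
}
```

On a live system the call would be `audit_ppd_dir /etc/cups/cups-files.conf /etc/cups/ppd`, using the paths named in the thread.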
