Control: reassign -1 cups-daemon

Hi,

Martin-Éric Racine:
> On Wed 18 Sep 2019 at 12.11, intrigeri ([email protected]) wrote:
>> Thinking about it a bit more, I'm wondering if a less drastic approach
>> would be acceptable:
>>
>> D. Allow cups-pdf to write anywhere under /home/*
>>
>> This still (somewhat) protects users against security issues in
>> cups-pdf. This gets rid of AppArmor denials, as long as the user
>> does not customize the "Out" setting to make it point to some place
>> that's elsewhere than under ${HOME}.

> This was considered a number of times at Ubuntu, back when it adopted
> AppArmor. While allowing anything under ${HOME} makes perfect sense
> to me (and would be a good enough compromise between security and
> configurability), there's always random people who configure an
> unusual output path e.g. /tmp/${USER} or somehow prefer upstream's
> default at /var/spool/cups-pdf/${USER}, and who immediately file a bug
> report when that doesn't work instead of checking README.Debian for
> possible instructions regarding AppArmor.

Right, I can totally see this happen. Like in many other places, here
we need to draw the line somewhere between providing better UX for rare
corner cases, and improving Debian's security for the vast majority of
our users. It's sometimes tough.

Wrt. the upstream default path: note that the AppArmor profile already
allows writing there, so this should not be a problem :)

> There's also systems where ${HOME} is, for some reason, a path other
> than /home/${USER}.

Absolutely. And then they'll have AppArmor issues for most desktop apps
that come with an AppArmor profile, until someone points them to
/etc/apparmor.d/tunables/home* (as I just did on a similar bug report
earlier today). Chances are that they notice the problem elsewhere, and
fix it somehow, before cups-pdf is involved, so at least this is
unlikely to land on *your* plate.

> At the very least, allowing anything inside /home/${USER} would
> probably eliminate the vast majority of bug reports.

Let's try it. Deal! Thanks for working constructively with me on this.

I'm thus reassigning to cups-daemon, where the file that needs patching
lives. I'll try my best to submit a patch or MR by the end of the month.
And then I'll let the printing team decide if that's worth backporting
to Buster via a stable update.

Cheers,
-- 
intrigeri
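
Added example, not part of the message above and not the cups-daemon profile itself: a small Python model of how option D would treat the output locations raised in this thread. The rule list, the HOMEDIRS value, the sample paths and the simplified glob handling are assumptions made for illustration.

```python
import re

# Assumption: stock tunables/home value. Sites whose home directories live
# elsewhere extend this via /etc/apparmor.d/tunables/home*.
DEFAULT_HOMEDIRS = ["/home/"]

# Hypothetical write rules modelling option D plus the upstream default spool
# path; they are not copied from the real cups-daemon profile.
RULES = ["@{HOME}/**", "/var/spool/cups-pdf/**"]

def expand(rule, homedirs):
    """Expand @{HOME} (defined as @{HOMEDIRS}*/) into one glob per home root."""
    if "@{HOME}" not in rule:
        return [rule]
    return [re.sub("/+", "/", rule.replace("@{HOME}", root + "*/"))
            for root in homedirs]

def glob_to_regex(glob):
    """Simplified subset of AppArmor globbing: '**' crosses '/', '*' and '?' do not."""
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*"); i += 2
        elif glob[i] == "*":
            parts.append("[^/]*"); i += 1
        elif glob[i] == "?":
            parts.append("[^/]"); i += 1
        else:
            parts.append(re.escape(glob[i])); i += 1
    return re.compile("".join(parts))

def write_allowed(path, homedirs=DEFAULT_HOMEDIRS, rules=RULES):
    """True if any expanded rule matches the whole output path."""
    return any(glob_to_regex(g).fullmatch(path)
               for rule in rules for g in expand(rule, homedirs))

# Constructed sample "Out" destinations for a user named alice.
SAMPLES = [
    "/home/alice/PDF/report.pdf",
    "/home/alice/Documents/print/report.pdf",
    "/var/spool/cups-pdf/alice/report.pdf",
    "/tmp/alice/report.pdf",
    "/srv/home/alice/PDF/report.pdf",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print("ALLOWED" if write_allowed(p) else "DENIED ", p)
    print("after adding /srv/home/ to HOMEDIRS:",
          write_allowed(SAMPLES[4], DEFAULT_HOMEDIRS + ["/srv/home/"]))
```

The /tmp/${USER} case stays denied under these rules, and the non-standard home root is only covered once HOMEDIRS is extended, which are the two corner cases discussed in the thread.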
