Package: cups
Version: 2.4.2-3+deb12u8
Severity: normal

I have tested the following settings and they significantly reduce the
potential for damage to the system and allow all the normal operations in
my tests. Please change the default configuration to include at least some
of these.

[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_RAWIO CAP_SYS_RESOURCE CAP_SYS_TTY_CONFIG
ProtectSystem=true
PrivateTmp=true
MemoryDenyWriteExecute=true
RestrictSUIDSGID=false
NoNewPrivileges=false
ProtectHostname=true
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectKernelModules=false
PrivateDevices=false
RestrictNamespaces=true
ProtectClock=true
RestrictAddressFamilies=AF_PACKET AF_INET AF_INET6 AF_UNIX AF_NETLINK
LockPersonality=true
ProtectKernelModules=true
RestrictRealtime=true
ProtectSystem=true

-- System Information:
Debian Release: 12.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-27-amd64 (SMP w/6 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default

Versions of packages cups depends on:
ii  cups-client            2.4.2-3+deb12u8
ii  cups-common            2.4.2-3+deb12u8
ii  cups-core-drivers      2.4.2-3+deb12u8
ii  cups-daemon            2.4.2-3+deb12u8
ii  cups-filters           1.28.17-3+deb12u1
ii  cups-ppdc              2.4.2-3+deb12u8
ii  cups-server-common     2.4.2-3+deb12u8
ii  debconf [debconf-2.0]  1.5.82
ii  ghostscript            10.0.0~dfsg-11+deb12u6
ii  libavahi-client3       0.8-10+deb12u1
ii  libavahi-common3       0.8-10+deb12u1
ii  libc6                  2.36-9+deb12u9
ii  libcups2               2.4.2-3+deb12u8
ii  libgcc-s1              12.2.0-14
ii  libstdc++6             12.2.0-14
ii  libusb-1.0-0           2:1.0.26-1
ii  poppler-utils          22.12.0-2+b1
ii  procps                 2:4.0.2-3

Versions of packages cups recommends:
pn  avahi-daemon  <none>
ii  colord        1.4.6-2.2

Versions of packages cups suggests:
ii  cups-bsd                                   2.4.2-3+deb12u8
pn  cups-pdf                                   <none>
pn  foomatic-db-compressed-ppds | foomatic-db  <none>
ii  smbclient                                  2:4.17.12+dfsg-0+deb12u1
ii  udev                                       252.33-1~deb12u1

-- Configuration Files:
/etc/default/cups changed [not included]

-- debconf-show failed
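
Added example, not part of the original report and not code from the cups or systemd projects: a small check that resolves the effective [Service] settings when a directive is assigned more than once, as several are in the block above. The names resolve, left_disabled, LIST_KEYS and REPORTED are hypothetical, and the merge model for list directives is a simplifying assumption.

```python
# Simplified model (assumption): these two directives accumulate, all others
# are last-assignment-wins. "~" negation and empty-value resets are ignored.
LIST_KEYS = {"CapabilityBoundingSet", "RestrictAddressFamilies"}
# Excerpt of the [Service] block from the report, order preserved.
REPORTED = """\
[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_RAWIO CAP_SYS_RESOURCE CAP_SYS_TTY_CONFIG
ProtectSystem=true
RestrictSUIDSGID=false
NoNewPrivileges=false
ProtectKernelModules=false
PrivateDevices=false
ProtectKernelModules=true
ProtectSystem=true
"""

def resolve(text):
    """Return (effective settings, findings) for the [Service] section."""
    effective, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in LIST_KEYS:
                items = effective.setdefault(key, [])
                for token in value.split():
                    if token in items:
                        findings.append(("duplicate-item", key, token))
                    else:
                        items.append(token)
            else:
                if key in effective:
                    kind = "redundant" if effective[key] == value else "conflict"
                    findings.append((kind, key, f"{effective[key]} -> {value}"))
                effective[key] = value  # the later assignment is the one kept
    return effective, findings

def left_disabled(effective):
    """Directives whose effective value is an explicit boolean false."""
    return sorted(k for k, v in effective.items() if v in ("false", "no", "off", "0"))

if __name__ == "__main__":
    settings, issues = resolve(REPORTED)
    print(*issues, sep="\n")
    print("explicitly disabled:", ", ".join(left_disabled(settings)))
```
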
