> In the example, the print queue called `ricoh` uses the affected PPD options.
>
> If its values are not allowed, the following situation will happen:
>
> <pre>
> $ lp -d ricoh /etc/fstab
> $ journalctl -u cups -r
> ...
> Job stopped due to filter errors; please consult the syslog file for details.
> ...
> </pre>
>
> If CUPS debug logs are enabled, there is a specific message in the journal:
This sounds like a gotcha — are debug logs enabled by default? If not, the failure could be hard to figure out.

> <pre>
> $ journalctl -u cups -r
> ...
> Process is dying with "ERROR: The value of the key
> FoomaticRIPCommandLine is not among the allowed values - see
> foomatic-rip man page for more instructions.
> ...
> </pre>
>
> User is expected to run `foomatic-hash`, to review the scan result in
> `file_to_review`, and if the found values do not look malicious or the
> user accepts them, to copy them into the directory
> `/etc/foomatic/hashes.d`:
>
> <pre>
> $ sudo foomatic-hash --ppd-paths /etc/cups/ppd file_to_review local_hashes
> $ sudo cp local_hashes /etc/foomatic/hashes.h
> $ lp -d ricoh /etc/fstab
> (Print job succeeds)
> </pre>

Frankly, this doesn't sound like a process that we want users to go through at all. Our goal is to make Fedora usable by non-expert users. How is the average user supposed to figure out if the complicated command full of special characters is "safe"? Users are more likely to give up or blindly accept the command.

What about an alternative approach: sandbox the command. One option would be to use bubblewrap. The other option would be to use a transient systemd service with a dynamic user, limited read-only access to the file system and no ability to do privilege escalation, writing to files outside of temporary directories, or network communication. Either way, just severely limit what the command can do.

This would have the additional benefit that the sandbox would also cover "benign" pipelines, e.g. when a crafted file that triggers undefined behaviour in the pipeline is used.
Zbyszek
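The transient-service sandbox suggested in the reply above, written out as an added example that is not part of the original message, the change proposal or the foomatic project. It assumes the PPD-supplied pipeline reads job data on stdin and writes its result to stdout (the usual CUPS filter convention); `sandbox_run` is a hypothetical helper name, the pipeline strings are constructed, and the block adds a few more systemd.exec(5) hardening settings than the message lists.

```shell
#!/bin/sh
# Added example (not from the proposal or from foomatic/CUPS): run a
# PPD-supplied command line, such as a FoomaticRIPCommandLine value, as a
# transient systemd service with a dynamic user, a read-only file system,
# a private /tmp as the only writable place, no privilege escalation and
# no network. Every -p setting is a real systemd.exec(5)/systemd.service(5)
# property; the pipeline strings used with it here are constructed.

# sandbox_run PIPELINE [dry]
#   PIPELINE: shell command line taken from the PPD, run via `sh -c`
#   dry:      if given, print the systemd-run argument list one per line
#             instead of executing it (for inspection and testing)
sandbox_run() {
    cmd=$1 mode=${2:-}          # save before `set --` overwrites $1/$2
    set -- systemd-run --wait --pipe --collect --quiet \
        -p DynamicUser=yes \
        -p NoNewPrivileges=yes \
        -p ProtectSystem=strict \
        -p ProtectHome=yes \
        -p PrivateTmp=yes \
        -p WorkingDirectory=/tmp \
        -p PrivateDevices=yes \
        -p PrivateNetwork=yes \
        -p CapabilityBoundingSet= \
        -p RestrictSUIDSGID=yes \
        -p ProtectKernelTunables=yes \
        -p ProtectKernelModules=yes \
        -p ProtectControlGroups=yes \
        -p RestrictNamespaces=yes \
        -p LockPersonality=yes \
        -p MemoryDenyWriteExecute=yes \
        -p SystemCallFilter=@system-service \
        -p RuntimeMaxSec=600 \
        -- sh -c "$cmd"
    if [ "$mode" = dry ]; then
        printf '%s\n' "$@"      # show what would be executed
    else
        "$@"                    # stdin/stdout pass through via --pipe
    fi
}

# Usage (needs systemd and the right to create transient units):
#   sandbox_run 'gs -q -dSAFER -sDEVICE=pdfwrite -o - -' < job.ps > out.pdf
```

A filter that genuinely needs a writable path (a spool or cache directory) would have to be granted it explicitly with `ReadWritePaths=`; with the settings above anything outside the private `/tmp` is read-only, and a misbehaving or undefined-behaviour-triggering pipeline is killed after `RuntimeMaxSec`.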