[Bug 47773] Re: dapper cupsys can not print to rfc compliant lpd server, i.e. can not run as root

2006-09-18 Thread Martin Pitt
 cupsys (1.2.3-1ubuntu2) edgy; urgency=low
 .
   * debian/patches/56_dirsvc.dpatch: Update patch so that a patch/unpatch
 cycle restores the source properly instead of breaking dirsvc.c in two
 different places.
   * debian/rules: Install 'lpd' backend suid root (root:lp 4754), so that
 cupsd can print to RFC compliant lpd servers (which require the source
 port to be < 1024). Closes: LP#47773


** Changed in: cupsys (Ubuntu)
   Status: In Progress => Fix Released

-- 
dapper cupsys can not print to rfc compliant lpd server, i.e. can not run as 
root
https://launchpad.net/bugs/47773

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 47773] Re: dapper cupsys can not print to rfc compliant lpd server, i.e. can not run as root

2006-09-11 Thread Martin Pitt
The easy and correct fix for edgy is indeed to install the backend suid
root and drop privileges right after opening the port.

** Changed in: cupsys (Ubuntu)
 Assignee: (unassigned) => Martin Pitt
   Status: Confirmed => In Progress


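The approach named in the message above (install the backend setuid root, open the reserved port, drop privileges right away), as an added example that is not code from this thread or from the cupsys package. The function names `bind_reserved_port` and `drop_privileges` are hypothetical, the 721 to 731 source-port range is the one RFC 1179 specifies, and the program is assumed to be installed setuid root and started by an unprivileged user.

```c
/* Added example: bind an RFC 1179 source port as root, then drop root. */
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind fd to a free port in 721..731; return the port, or -1. */
int bind_reserved_port(int fd)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    for (int port = 731; port >= 721; port--) {
        sa.sin_port = htons((unsigned short)port);
        if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0)
            return port;
    }
    return -1;
}

/* Return to the invoking (real) user and group for good; 0 on success. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)  /* group first, then user */
        return -1;
    if (ruid != 0 && setuid(0) == 0)             /* root must not come back */
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    int port = (fd >= 0) ? bind_reserved_port(fd) : -1;  /* needs root */
    if (drop_privileges() != 0) {        /* before touching any job data */
        fprintf(stderr, "cannot drop privileges, aborting\n");
        return 1;
    }
    if (port < 0) {
        fprintf(stderr, "no reserved source port available\n");
        return 1;
    }
    printf("source port %d, uid %d\n", port, (int)getuid());
    return 0;
}
```

The bound socket stays usable after the drop, so everything that parses job data or talks to the remote server runs without root.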

[Bug 47773] Re: dapper cupsys can not print to rfc compliant lpd server, i.e. can not run as root

2006-08-17 Thread Walter Tautz
I did another test and
chmod u+s /usr/lib/cups/daemon/cups-lpd does allow one
to print from a client running an RFC compliant lpr command, i.e.,
a client that insists on connecting to an lpd server on a
reserved port below 1024 (we have one). I set up cups-lpd
to be listening on my Ubuntu box via inetd and tcp wrappers
and it works.

Back to the Original Subject of this Bug Report


To address the problem of having an Ubuntu client printing to an
RFC compliant lpd server, I have succeeded in doing this
by doing chmod u+s /usr/lib/cups/backend-available/lpd, i.e.,
what did not work earlier now works! Perhaps an update
did it or did you guys do something?

So I have some requests:


Could you folks add a question(s) to debconf for this package that
would allow people to turn setuid user bits on cups-lpd and the lpd
backend (available)? By default it should not
be on when the package installs but having the option to turn it on
would solve the problem. Furthermore you could include some notes in the
debconf warning people appropriately. And a README.Ubuntu.gz
file.



[Bug 47773] Re: dapper cupsys can not print to rfc compliant lpd server, i.e. can not run as root

2006-08-17 Thread Walter Tautz
Just to be clear: for printing from Ubuntu/Dapper to an RFC compliant lpd
server it suffices to chmod u+s /usr/lib/cups/backend-available/lpd.

However having the ability to do chmod u+s /usr/lib/cups/daemon/cups-lpd
is also convenient as it solves a slightly similar problem or should I say
reverse issue. See previous note for details.



[Bug 47773] Re: dapper cupsys can not print to rfc compliant lpd server, i.e. can not run as root

2006-07-11 Thread Kurt Pfeifle
Ante Karamatić wrote:

'Mike knows that RunAsUser and helper functions for init scripts (i.e. 
 start-stop-daemon) are two totally different things.'


I'm sure he knows that. What he meant to say was that a start-stop daemon 
solution should then also use a port above 1024 (instead of 631). Hence his 
further hint saying 

You will also need to update the /etc/services file on every system that 
  wants to print with the new port number for the IPP service


Ante Karamatić also wrote:

This is how most of the services work (i.e. postfix, vsftpd, bind, 
apache...).
  I don't see any reason why it shouldn't be done with CUPS too.

It is obvious that you do not consider *all* the arguments that are in
play when discussing this topic, and that you are merely repeating the
same simple argument that *started* the discussion, long ago. If you are
really interested in the complete picture, please read up the full
discussions in the archives, and Mike's presentation on the Linux
Desktop Printing Architect's Summit.



[Bug 47773] Re: dapper cupsys can not print to rfc compliant lpd server, i.e. can not run as root

2006-07-11 Thread Kurt Pfeifle
Oh, I forgot a very prominent and important service that does not comply
with your principles for security, Ante: Samba.

I just checked with the box of a friend who runs Dapper: it has the
original Dapper packages of Samba, and all smbd and nmbd processes do
run as root.



[Bug 47773] Re: [Bug 47773] Re: [Bug 47773] Re: dapper cupsys can not print to rfc compliant lpd server, i.e. can not run as root

2006-06-26 Thread Ante Karamatić
On Mon, 26 Jun 2006 15:04:28 -
Walter Tautz [EMAIL PROTECTED] wrote:

 We aren't going to bring back RunAsUser.  All of the Linux distros
 already provide helper functions for their init scripts to run as
 a different user, I suggest you look there if you really want to
 cripple your CUPS install.  You will also need to update the
 /etc/services file on every system that wants to print with the
 new port number for the IPP service...

This is a known problem. RunAsUser would be great to bring back (this
is why Debian/Ubuntu patches CUPS). Mike knows that RunAsUser and
helper functions for init scripts (i.e. start-stop-daemon) are two
totally different things. start-stop-daemon starts CUPS as non-root user
and CUPS is unable to bind on TCP/631. RunAsUser allowed to start CUPS
as root and bind on TCP/631, and then drop privileges to non-root user.
This is how most of the services work (i.e. postfix, vsftpd, bind,
apache...). I don't see any reason why it shouldn't be done with CUPS
too. If argument is needed - sendmail. Sendmail acts just like CUPS;
runs everything as root. Sendmail is now kicked out of OpenBSD and is
losing its user base every day. There is no perfect hole-free
software. First line of defense is to assume one day that service will
have a remotely exploitable hole. It's much better if attacker gains
non-root privileges with which he can only mess up printing queues.

 5. LPD printing support.
 Me: Number 5 is relevant to this bug report.

Yes, I think everybody knows that. I can say this won't be fixed for
Dapper, but maybe we work something out for Edgy.

Did you try setuid lpd backend (chmod
+s /usr/lib/cups/backend-available/lpd)?

-- 
Ante Karamatic | 0xD3BDA225 | 0x0A4A0161
[EMAIL PROTECTED] | [EMAIL PROTECTED] | ivoks.blogspot.com
Tomorrow is my day off, so please stay off the powder!



[Bug 47773] Re: [Bug 47773] Re: [Bug 47773] Re: [Bug 47773] Re: dapper cupsys can not print to rfc compliant lpd server, i.e. can not run as root

2006-06-26 Thread Walter Tautz
Ante Karamatić wrote:
 On Mon, 26 Jun 2006 15:04:28 -
 Walter Tautz [EMAIL PROTECTED] wrote:

   
 We aren't going to bring back RunAsUser.  All of the Linux distros
 already provide helper functions for their init scripts to run as
 a different user, I suggest you look there if you really want to
 cripple your CUPS install.  You will also need to update the
 /etc/services file on every system that wants to print with the
 new port number for the IPP service...
 

 This is a known problem. RunAsUser would be great to bring back (this
 is why Debian/Ubuntu patches CUPS). Mike knows that RunAsUser and
 helper functions for init scripts (i.e. start-stop-daemon) are two
 totally different things. start-stop-daemon starts CUPS as non-root user
 and CUPS is unable to bind on TCP/631. RunAsUser allowed to start CUPS
 as root and bind on TCP/631, and then drop privileges to non-root user.
 This is how most of the services work (i.e. postfix, vsftpd, bind,
 apache...). I don't see any reason why it shouldn't be done with CUPS
 too. If argument is needed - sendmail. Sendmail acts just like CUPS;
 runs everything as root. Sendmail is now kicked out of OpenBSD and is
 losing its user base every day. There is no perfect hole-free
 software. First line of defense is to assume one day that service will
 have a remotely exploitable hole. It's much better if attacker gains
 non-root privileges with which he can only mess up printing queues.

   
 5. LPD printing support.
 Me: Number 5 is relevant to this bug report.
 

 Yes, I think everybody knows that. I can say this won't be fixed for
 Dapper, but maybe we work something out for Edgy.

 Did you try setuid lpd backend (chmod
 +s /usr/lib/cups/backend-available/lpd)?

   
Yeah. It didn't work. In any case I've compiled a version of cups that runs
as root to get around my problem for the moment. Michael's perspective
is he doesn't want to break the print system as opposed to the host
that it's running on... a matter of perspective. I thought I'd give some
insights on his thinking.



[Bug 47773] Re: [Bug 47773] Re: [Bug 47773] Re: [Bug 47773] Re: dapper cupsys can not print to rfc compliant lpd server, i.e. can not run as root

2006-06-26 Thread Walter Tautz
Ante Karamatić wrote:
 On Mon, 26 Jun 2006 15:04:28 -
 Walter Tautz [EMAIL PROTECTED] wrote:

   
 We aren't going to bring back RunAsUser.  All of the Linux distros
 already provide helper functions for their init scripts to run as
 a different user, I suggest you look there if you really want to
 cripple your CUPS install.  You will also need to update the
 /etc/services file on every system that wants to print with the
 new port number for the IPP service...
 

 This is a known problem. RunAsUser would be great to bring back (this
 is why Debian/Ubuntu patches CUPS). Mike knows that RunAsUser and
 helper functions for init scripts (i.e. start-stop-daemon) are two
 totally different things. start-stop-daemon starts CUPS as non-root user
 and CUPS is unable to bind on TCP/631. RunAsUser allowed to start CUPS
 as root and bind on TCP/631, and then drop privileges to non-root user.
 This is how most of the services work (i.e. postfix, vsftpd, bind,
 apache...). I don't see any reason why it shouldn't be done with CUPS
 too. If argument is needed - sendmail. Sendmail acts just like CUPS;
 runs everything as root. Sendmail is now kicked out of OpenBSD and is
 losing its user base every day. There is no perfect hole-free
 software. First line of defense is to assume one day that service will
 have a remotely exploitable hole. It's much better if attacker gains
 non-root privileges with which he can only mess up printing queues.
   
I hesitate to speak for Michael but have read him state
that he is not averse to having well-thought out patches
to allow for non-root running. How about helping him
out directly? I'd try to do it myself but I'm not
particularly experienced. It sounds like the maintainers
of cups in debian/ubuntu are :-)

   
 5. LPD printing support.
 Me: Number 5 is relevant to this bug report.
 

 Yes, I think everybody knows that. I can say this won't be fixed for
 Dapper, but maybe we work something out for Edgy.

 Did you try setuid lpd backend (chmod
 +s /usr/lib/cups/backend-available/lpd)?





[Bug 47773] Re: dapper cupsys can not print to rfc compliant lpd server, i.e. can not run as root

2006-06-25 Thread Ante Karamatić
It's between Rejected and Confirmed. For fixing this bug we should
run cups as root or introduce a setuid program.

** Changed in: cupsys (Ubuntu)
   Status: Needs Info => Confirmed



[Bug 47773] Re: dapper cupsys can not print to rfc compliant lpd server, i.e. can not run as root

2006-06-24 Thread Ante Karamatić
Kurt, thank you for clearing this up. As for Ubuntu patching source, you
can very easily check it and you'll see Ubuntu has less than 100 lines
of diff regarding to Debian package (if you exclude fixes from CUPS
CVS). Most of those lines are in cupsd.conf, not the source.

I think buglist is not for discussing mine/yours/others contribution to
CUPS/Ubuntu/whatever, so please let's leave this as a bug report.



[Bug 47773] Re: dapper cupsys can not print to rfc compliant lpd server, i.e. can not run as root

2006-06-24 Thread Kurt Pfeifle
So why is this bug still in status needs info?
