Didier, On 2012-11-27, at 6:45 AM, Didier 'OdyX' Raboud <o...@debian.org> wrote: > ... > While it's a nice long-term solution for new cups installs, I'm afraid it's > not suitable as a security hotfix (so probably not targetted at Debian > testing > nor stable): the administrator has to handle the configuration files split un > himself. In addition to that, web-modified cupsd.conf is very likely to > hinder > the automatic configuration stanza's split.
A package update can lay down a new cups-files.conf, and it shouldn't be hard to do a short migration script that copies the dozen or so affected directives from cupsd.conf to the new cups-files.conf file. I guess it just depends on whether you want to close this particular hole and how you want to deal with it. CUPS 1.6.2 will ship with the split configuration files and a warning to error_log when the cupsd.conf file contains directives that should be moved. A simpler (but less complete) fix for CUPS 1.5.x and earlier would be to blacklist /etc and /dev for the logs - we wanted something more complete. > On the longer term (for Jessie), I think web-modifiable cupsd.conf (and > printers.conf) should be moved to /var/lib/cupsd/ and I think we should stick > to this new cups configuration files handling. Back in the day when we were adapting CUPS to the FHS (1.0, 2.0? I don't remember) we decided not to use /var/lib because /etc is the place for editable configuration files and /var/lib is the place for files that are managed by software. printers.conf, classes.conf, and cupsd.conf *are* user-editable files (even if that isn't the typical case for classes.conf and printers.conf). *If* we move to a non-editable format in the future (likely for CUPS 2.0) we will definitely restructure things to put those files in /var/lib. I don't advise that you try to patch current CUPS to use /var/lib/cupsd for cupsd stuff and /etc/cups for everything else since the current code assumes that all CUPS configuration files are in one location. The patch will be very very messy and hard to maintain. __________________________________________________ Michael Sweet, Senior Printing System Engineer, PWG Chair -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org