On Fri, Feb 02, 2007 at 01:49:30PM +0200, Martin-Éric Racine wrote:
> On 2/2/07, Volker Christian Behr <[EMAIL PROTECTED]> wrote:
> >Please check the permissions of the CUPS-PDF backend and GS - neither
> >should be SUID 'root' under any circumstances. CUPS-PDF should even more
> >be mode 700 executable by 'root' only. If this is not the case in the
> >default installation it has to be fixed in the Debian package.

> Permissions were made 6755 to enable outputting documents to someone's
> home directory (or a subdirectory).

That's a piss-poor excuse for marking an unaudited binary as suid-root.

And this:

cups-pdf (2.4.1-3) unstable; urgency=low

  * Changed the backend permissions to 6755 for Ubuntu compatibility.

 -- Martin-Éric Racine <[EMAIL PROTECTED]>  Fri, 29 Sep 2006 02:26:39 +0300

is an even *worse* excuse!

On Fri, Feb 02, 2007 at 03:11:28PM +0200, Martin-Éric Racine wrote:
> On 2/2/07, Volker Christian Behr <[EMAIL PROTECTED]> wrote:
> >On Fri, 2007-02-02 at 13:49 +0200, Martin-Éric Racine wrote:
> >> On 2/2/07, Volker Christian Behr <[EMAIL PROTECTED]> wrote:
> >> > Please check the permissions of the CUPS-PDF backend and GS - neither
> >> > should be SUID 'root' under any circumstances. CUPS-PDF should even more
> >> > be mode 700 executable by 'root' only. If this is not the case in the
> >> > default installation it has to be fixed in the Debian package.

> >> Permissions were made 6755 to enable outputting documents to someone's
> >> home directory (or a subdirectory). Unless I'm mistaken, 0700 would
> >> not enable the same thing?

> >Starting with version 1.2.0 CUPS will call any backend that is owned by
> >'root' and set to mode 0700 with full root privileges which should
> >enable CUPS-PDF to print to any destination.
> >I know Ubuntu to have modified CUPS (e.g. the web-admin interface is
> >disabled) but I cannot tell what other changes they did.
> >I strongly recommend making CUPS-PDF mode 0700 again since this is
> >to-the-letter within the specifications of CUPS.

> Ubuntu doesn't run CUPS as root, which is what prevents us from
> outputting files to user directories with the backend as root:root
> 0700.

Debian does run CUPS as root.  What Ubuntu does is irrelevant.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
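An added audit helper (not code from this thread, from Debian or from the cups-pdf package) that classifies backend permission bits the way Volker describes above: a root-owned 0700 backend is run as root by CUPS itself, a setuid/setgid backend hands root to anyone who can execute it, and a group- or world-executable backend is run without privileges. It assumes GNU coreutils `stat -c`; the directory argument is whatever backend directory you want to check.

```shell
#!/bin/sh
# Added audit helper for the CUPS backend permission discussion; not part of
# the thread or of cups-pdf. Assumes GNU stat (-c '%a' / '%U').

# classify_mode OCTAL: print a one-word verdict for a backend's mode bits
# (accepts 700 or 0700, 6755, ...). Exit status is 0 only for the strict
# root-only 0700 form recommended in the thread.
classify_mode() {
    m=$1
    [ ${#m} -eq 3 ] && m="0$m"          # normalise 700 -> 0700
    case $m in
        0700)
            echo strict; return 0 ;;    # CUPS runs a root-owned 0700 backend as root itself
        [4-7]???)
            echo setuid; return 1 ;;    # setuid bit set: whoever can exec it runs it as root
        [2-3]???)
            echo setgid; return 1 ;;    # setgid bit set: same problem for the group
        ??[1357]?|???[1357])
            echo unprivileged; return 2 ;;  # group/other exec bit: CUPS drops privileges
        *)
            echo other; return 3 ;;     # not executable as a backend at all
    esac
}

# audit_backends DIR: print "verdict mode owner path" for every regular file
# in DIR. Returns 1 if any file carries setuid or setgid, else 0.
audit_backends() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        owner=$(stat -c '%U' "$f")
        verdict=$(classify_mode "$mode") || true   # keep the word, status handled below
        case $verdict in setuid|setgid) rc=1 ;; esac
        # A 0700 backend only gets root from CUPS when root owns it.
        [ "$verdict" = strict ] && [ "$owner" != root ] && verdict="strict-but-not-root-owned"
        printf '%s %s %s %s\n' "$verdict" "$mode" "$owner" "$f"
    done
    return $rc
}

# Example run against the usual backend directory (path is a common default,
# not taken from the thread): audit_backends /usr/lib/cups/backend
```

A non-zero exit from `audit_backends` is the condition this thread is about: a backend that is 6755 does not need CUPS to run it as root, because anyone able to execute the file already gets root, which is exactly why Volker insists on 0700 for an unaudited binary.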
