Ubuntu
chromium-browser package

chromium installs cupsd snap

Bug #2017447 reported by themusicgod1
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
chromium-browser (Ubuntu)
Opinion
Undecided
Unassigned

Bug Description

at some point, chromium has installed cupsd : cupsd isn't listed as installed in aptitude but it *is* listed under snap list

if i wanted cups installed and printer support i would have installed it myself this shouldn't be installing itself through the backdoor via autoupdate

there also doesn't seem to be anywhere in settings to turn it off

Version 112.0.5615.49 (Official Build) snap (64-bit)
(updated via snap refresh)
ubuntu: 20.04 LTS

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Uname: Linux 6.0.7-gnulibre-squashfix x86_64
ApportVersion: 2.20.11-0ubuntu27.26
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: ubuntu:GNOME
Date: Sun Apr 23 13:58:18 2023
InstallationDate: Installed on 2017-04-18 (2196 days ago)
InstallationMedia: Ubuntu 17.04 "Zesty Zapus" - Release amd64 (20170412)
Snap: chromium 112.0.5615.49 (latest/stable)
SnapSource: ubuntu/+source/chromium-browser
UpgradeStatus: Upgraded to focal on 2020-04-25 (1093 days ago)
mtime.conffile..etc.apport.crashdb.conf: 2020-06-07T21:16:26.397404

Revision history for this message
themusicgod1 (themusicgod1) wrote :
Revision history for this message
Nathan Teodosio (nteodosio) wrote :

> there also doesn't seem to be anywhere in settings to turn it off

If you don't like it you can snap remove cups?

Changed in chromium-browser (Ubuntu):
status: New → Opinion
Revision history for this message
Birgit Edel (biredel) wrote (last edit ):

dupe LP: #1996803
Related: https://bugzilla.mozilla.org/show_bug.cgi?id=1792006

Reproducible, plausibly dangerous, and not mentioned in the "install" section of the man page.

Sure, if one knows that canonical-published snaps can trigger installation of 3rd-party-published snaps despite specifically disabling the system-wide "APT::Install-Recommends" setting, one can act accordingly.

But how would users even learn that snap, when solely instructed to install a non-privileged browser, also decides to enable a privileged network daemon? One that certainly has a high risk of exposing additional RCE bugs, the threat level of which in the snap scenario is however not obvious from documentation like https://ubuntu.com/security/cves?q=&package=cups

Revision history for this message
themusicgod1 (themusicgod1) wrote :

Given Birgit Edel's comment this i'm flipping it back to "New".

Changed in chromium-browser (Ubuntu):
status: Opinion → New
Revision history for this message
Nathan Teodosio (nteodosio) wrote :

You raise very valid concerns.

However, at this point in time a maintainer of the snap can choose either to not install the Cups snap and have half of its users frustrated that printing does not work or to install the snap with no questions asked and frustrate a tiny fraction of that number. So as for Chromium, who we ought to frustrate is a opinion matter.

A better dependency handling system or a prompt (to whether or not install Cups) would fit us here, but needs to be requested to Snapd.

> canonical-published snaps can trigger installation of 3rd-party-published snaps

The snap at hand is published by Open Printing[1], which is led by Till Kamppeter, who is also in Canonical. I underline that lest a less informed reader thinks that we just on a whim install whatever random third party snap.

> despite specifically disabling the system-wide "APT::Install-Recommends" setting

Yes, it would be nice if there were a way to honour this or a similar setting in Snapd too, unfortunately there is not one.

[1] https://openprinting.github.io/about-us/

Changed in chromium-browser (Ubuntu):
status: New → Opinion
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.