make backend invocation compatible to upstream
Bug #119289 reported by
Martin Pitt
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
cupsys (Debian) |
Fix Released
|
Unknown
|
|||
cupsys (Ubuntu) |
Fix Released
|
High
|
Martin Pitt |
Bug Description
Binary package hint: cupsys
Cups backends need to be executed as root when installed with 0700 permissions, and as normal user cupsys when being world-executable, to get compatible with the upstream behaviour and unbreak third-party backends. See the Debian bug for details.
Changed in cupsys: | |
assignee: | nobody → pitti |
importance: | Undecided → High |
status: | Unconfirmed → In Progress |
Changed in cupsys: | |
status: | Unknown → Fix Released |
To post a comment you must log in.
cupsys (1.2.12-1ubuntu2) gutsy; urgency=low
* Drop our derooting changes. It still has some regressions, and with disable_ backend_ setuid. dpatch external_ pam_helper. dpatch runasuser. dpatch runasuser_ autoconf. dpatch cupsys{ ,-client} .postinst: Drop the 'cupsys' user setup and file privilege- dropping configure cupsys. init.d: Do not touch log file permissions any more. cupsys. files: Drop cups-check- pam-auth. patches/ 44_fixconfdirpe rms.dpatch: Do not create run/cups/ certs as lp:lpadmin, but as root:lpadmin, so that cupsd cupsys. preinst: Fix file permissions on upgrades (owner cupsys -> local/apparmor- profile: AppArmor profile for cupsys, to replace d/usr.sbin. cupsd in cupsys. postinst on configure.
upstream not even acknowledging the need for improving cupsys' security we
will sit on this forever. (LP: #119289, LP: #129634)
- Drop derooting related patches:
06_
10_
09_
09_
- debian/
permission juggling.
- debian/rules:
+ Drop --with-cups-user and --enable-
options.
+ Do not modify the upstream default backend permissions.
- debian/
- debian/
- debian/NEWS: Drop description of derooting changes.
- debian/control: Drop adduser dependency.
* debian/
/var/
does not need CAP_DAC_OVERRIDE. This will make it possible to create a
sensible AppArmor profile.
* debian/
root).
* Add debian/
the former derooting patches. This uses complain mode for now, until we
got some more testing. Install it to /etc/apparmor.
debian/rules and reload apparmor in debian/
-- Martin Pitt <email address hidden> Thu, 02 Aug 2007 14:06:05 +0200