* Drop our derooting changes. It still has some regressions, and with
upstream not even acknowledging the need for improving cupsys' security we
will sit on this forever. (LP: #119289, LP: #129634)
- Drop derooting related patches:
06_disable_backend_setuid.dpatch
10_external_pam_helper.dpatch
09_runasuser.dpatch
09_runasuser_autoconf.dpatch
- debian/cupsys{,-client}.postinst: Drop the 'cupsys' user setup and file
permission juggling.
- debian/rules:
+ Drop --with-cups-user and --enable-privilege-dropping configure
options.
+ Do not modify the upstream default backend permissions.
- debian/cupsys.init.d: Do not touch log file permissions any more.
- debian/cupsys.files: Drop cups-check-pam-auth.
- debian/NEWS: Drop description of derooting changes.
- debian/control: Drop adduser dependency.
* debian/patches/44_fixconfdirperms.dpatch: Do not create
/var/run/cups/certs as lp:lpadmin, but as root:lpadmin, so that cupsd
does not need CAP_DAC_OVERRIDE. This will make it possible to create a
sensible AppArmor profile.
* debian/cupsys.preinst: Fix file permissions on upgrades (owner cupsys ->
root).
* Add debian/local/apparmor-profile: AppArmor profile for cupsys, to replace
the former derooting patches. This uses complain mode for now, until we
got some more testing. Install it to /etc/apparmor.d/usr.sbin.cupsd in
debian/rules and reload apparmor in debian/cupsys.postinst on configure.
-- Martin Pitt <email address hidden> Thu, 02 Aug 2007 14:06:05 +0200
cupsys (1.2.12-1ubuntu2) gutsy; urgency=low
* Drop our derooting changes. It still has some regressions, and with disable_ backend_ setuid. dpatch external_ pam_helper. dpatch runasuser. dpatch runasuser_ autoconf. dpatch cupsys{ ,-client} .postinst: Drop the 'cupsys' user setup and file privilege- dropping configure cupsys. init.d: Do not touch log file permissions any more. cupsys. files: Drop cups-check- pam-auth. patches/ 44_fixconfdirpe rms.dpatch: Do not create run/cups/ certs as lp:lpadmin, but as root:lpadmin, so that cupsd cupsys. preinst: Fix file permissions on upgrades (owner cupsys -> local/apparmor- profile: AppArmor profile for cupsys, to replace d/usr.sbin. cupsd in cupsys. postinst on configure.
upstream not even acknowledging the need for improving cupsys' security we
will sit on this forever. (LP: #119289, LP: #129634)
- Drop derooting related patches:
06_
10_
09_
09_
- debian/
permission juggling.
- debian/rules:
+ Drop --with-cups-user and --enable-
options.
+ Do not modify the upstream default backend permissions.
- debian/
- debian/
- debian/NEWS: Drop description of derooting changes.
- debian/control: Drop adduser dependency.
* debian/
/var/
does not need CAP_DAC_OVERRIDE. This will make it possible to create a
sensible AppArmor profile.
* debian/
root).
* Add debian/
the former derooting patches. This uses complain mode for now, until we
got some more testing. Install it to /etc/apparmor.
debian/rules and reload apparmor in debian/
-- Martin Pitt <email address hidden> Thu, 02 Aug 2007 14:06:05 +0200