REJECTING access to capability 'dac_override' (cupsd(6348) profile /usr/sbin/cupsd active /usr/sbin/cupsd)

Bug #131952 reported by Michael R. Head
Affects            Status    Importance  Assigned to  Milestone
apparmor (Ubuntu)  Invalid   Undecided   Unassigned
cupsys (Ubuntu)    Invalid   Undecided   Unassigned

Bug Description

Binary package hint: cupsys

Unsure if this is a bad/OK thing, but I noticed this AppArmor generated line in syslog:
Aug 12 05:45:09 localhost kernel: [ 127.644000] audit(1186911909.517:9): REJECTING access to capability 'dac_override' (cupsd(6348) profile /usr/sbin/cupsd active /usr/sbin/cupsd)

I don't know what dac_override is, or why cupsd would need it, and things _seem_ OK, but maybe the capability needs to be added anyway.

Revision history for this message
Bryan Quigley (bryanquigley) wrote :

If it needs to be added, it would be added to apparmor.

Revision history for this message
Michael R. Head (burner) wrote :

Huh? cupsys comes packaged with its apparmor profile. The /etc/apparmor.d/usr.sbin.cupsd file is what needs to be updated, not the apparmor program.

Revision history for this message
Bryan Quigley (bryanquigley) wrote :

My mistake. Do any other programs do it this way?

Revision history for this message
Michael R. Head (burner) wrote :

Dunno, AppArmor is new in main. I think the Ubuntu cupsys packager wanted to be one of the first to try and deploy an AppArmor profile for a service in main.

There are some apparmor profile packages in the Universe, but I don't know how well those work.

Revision history for this message
Kees Cook (kees) wrote :

Correct, the profile is in cupsys, not apparmor (I'm closing the apparmor task)

Changed in apparmor:
status: New → Invalid
Revision history for this message
Martin Pitt (pitti) wrote :

Granting dac_override to cups would render the apparmor confinement largely irrelevant. It's an incredibly powerful capability, and cups should not have it. I did not see anything break because of it, so I won't change the profile for this. Did you?

Thank you for your report!

Changed in cupsys:
status: New → Invalid
Revision history for this message
Michael R. Head (burner) wrote :

Ah. No, I haven't noticed any particular problems. Why does it attempt to get this permission?

Revision history for this message
Bryan Quigley (bryanquigley) wrote : Re: [Bug 131952] Re: REJECTING access to capability 'dac_override' (cupsd(6348) profile /usr/sbin/cupsd active /usr/sbin/cupsd)

If it really should not have this capability, perhaps the fact that it does is a bug in cupsys?

Revision history for this message
Jesse Michael (jesse.michael) wrote :

Granting the dac_override capability in an AA profile doesn't give away permission to access things not listed explicitly in the profile.

It gives root the ability to read and write files that it does not have group or other permission to access (e.g. user foo has a file named /home/foo/bar.txt with permission bits 0600), but the files still need to be listed in the profile in order for the program to be allowed access.

Revision history for this message
Michael R. Head (burner) wrote :

Ah... then I think I have seen some problems, because cups was unable to open some of its log files. Unfortunately, my laptop's hard drive died this week, and I had to reinstall on a brand new drive and I don't have the logs to post which show this. I'm hoping to get a USB to 2.5" PATA connector so I can copy some of my data off it.

Revision history for this message
wlx (wangliangxu) wrote :

I have the same problem.
And which log file do you mean?
In the /var/log/cups/ directory, both the access_log and error_log files are zero-size files.

Revision history for this message
Mathias Gug (mathiaz) wrote :

The logs in /var/log/cups are group owned by the group lp (or lpadmin). However cups runs as root:root. This is why it needs the dac_override capability to be able to access the log files (besides being allowed to access the log files).
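
The two points made above (Jesse Michael's, that dac_override never widens the paths a profile lists, and Mathias Gug's, that a root:root daemon needs it only when the file's owner and group are someone else) can be checked with a small model. This is an added example, not code from the bug report, CUPS or AppArmor; the profile rule pattern, the numeric lp id and the file modes are constructed assumptions.

```python
# Added example, not code from the bug report, CUPS or AppArmor. It models the
# two checks the thread describes (AppArmor path rule, then the Unix DAC check
# that precedes CAP_DAC_OVERRIDE) on constructed metadata; nothing is read from disk.
from collections import namedtuple
from fnmatch import fnmatch

READ, WRITE = 4, 2                           # bits as in the octal mode
FileMeta = namedtuple("FileMeta", "path uid gid mode")   # mode: bits only

def dac_permits(f, euid, egid, groups, want):
    """Plain discretionary check: owner bits, else group bits, else other."""
    if euid == f.uid:
        bits = (f.mode >> 6) & 7
    elif egid == f.gid or f.gid in groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bits & want == want

def open_decision(f, rules, euid=0, egid=0, groups=(), want=READ | WRITE,
                  has_dac_override=False):
    """'allowed', 'denied_by_profile' or 'denied_capability'.
    The profile rule applies regardless of capabilities: granting
    dac_override never widens the set of paths the profile lists."""
    if not any(fnmatch(f.path, pat) for pat in rules):
        return "denied_by_profile"
    if dac_permits(f, euid, egid, groups, want) or has_dac_override:
        return "allowed"
    return "denied_capability"               # the syslog REJECTING line

def files_needing_override(files, rules, **kw):
    """Paths a root:root daemon could only open via CAP_DAC_OVERRIDE, each
    with the ownership fix that keeps the capability out of the profile."""
    return [(f.path, f"chown root:{f.gid} {f.path}") for f in files
            if open_decision(f, rules, **kw) == "denied_capability"]

# Constructed sample: lp-owned logs with no 'other' bits while cupsd runs as
# uid 0 / gid 0. The numeric ids are illustrative, not taken from the bug.
LP = 7
CUPS_LOG_RULES = ["/var/log/cups/*"]         # assumed shape of a profile rule
SAMPLE = [
    FileMeta("/var/log/cups/access_log", LP, LP, 0o640),
    FileMeta("/var/log/cups/error_log", LP, LP, 0o660),
    FileMeta("/var/log/cups/page_log", 0, LP, 0o640),    # root-owned: fine
]

if __name__ == "__main__":
    for path, fix in files_needing_override(SAMPLE, CUPS_LOG_RULES):
        print(f"{path}: needs dac_override -> {fix}")
```

Running it lists access_log and error_log as the files that would trip the denial, and page_log (root-owned) as fine, which is the ownership fix rather than the capability grant.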

Revision history for this message
Martin Pitt (pitti) wrote :

I fixed the /var/log/cups/ permission issue in the latest development version now, will upload soon.
