--- On Thu, 24/1/13, Armin K. wrote:
> From: Armin K.
> Subject: Re: [blfs-support] Cups security issue - /etc/cups/cups-files.conf needed (Was: ... [BLFS Trac] #3754 ...)
> To: "BLFS Support List"
> Date: Thursday, 24 January 2013, 14:36
> On 01/24/2013 06:09 PM, Fernando de Oliveira wrote:
> >
> > Thank you, Armin.
> >
> > Sending to the list, so more people could reach using search tools
> > (well, when the servers are back running without problems).
> >
> > Builds perfectly, and installs the new /etc/cups/cups-files.conf.
> >
> > I changed owner:
> > chown -v 0:0 /etc/cups/{snmp.conf,cups-files.conf}
> >
> > However, as before in the older page of the book, without the
> > cups-files.conf, when daemon is restarted, owner of cups-files.conf
> > changes back to "root lp":
> >
> > # chown -v 0:0 /etc/cups/cups-files.conf
> > changed ownership of "/etc/cups/cups-files.conf" from root:lp to 0:0
> > root [ /etc/cups ]# ls -l /etc/cups/cups-files.conf
> > -rw-r----- 1 root root 2892 Jan 24 13:19 /etc/cups/cups-files.conf
> > root [ /etc/cups ]# /etc/rc.d/init.d/cups restart
> > * Stopping CUPS Printserver... [ OK ]
> > * Starting CUPS Printserver... [ OK ]
> > root [ /etc/cups ]# ls -l /etc/cups/cups-files.conf
> > -rw-r----- 1 root lp 2892 Jan 24 13:19 /etc/cups/cups-files.conf
> >
> > I have
> >
> > root [ /etc/cups ]# ls -l /media/Ubuntu32/etc/cups/cups-files.conf
> > -rw-r--r-- 1 root root 2884 Dez 4 12:21 /media/Ubuntu32/etc/cups/cups-files.conf
> >
> > but have no clue where or what to change for this to be persistent in
> > BLFS.
> >
> > []s,
> > Fernando
> >
>
> I think this handles conffile perms on Debian and Ubuntu
>
> http://patch-tracker.debian.org/patch/series/view/cups/1.6.1-1/confdirperms.patch
>
> I don't think it should be important. It was lpadmin, not lp group who
> introduced the problems.

Thanks again, Armin.

Applied just after cups-1.6.1-blfs-2.patch:

...
patch -Np1 -i ../cups-1.6.1-blfs-2.patch &&
patch -Np1 -i ../cups-1.6.1-confdirperms.patch &&
...

Just a small offset:

...
patching file scheduler/conf.c
Hunk #1 succeeded at 1115 (offset -2 lines).
...

Of course, it could be easily corrected to apply cleanly, if you wanted
it in the book. Or could be replaced by an sed, I think.

Works perfectly. Restarted cupsd and still:

root [ /etc/cups ]# ls -l cups-files.conf{,.N}
-rw-r----- 1 root root 2892 Jan 24 13:19 cups-files.conf
-rw-r----- 1 root lp 2892 Jan 24 15:12 cups-files.conf.N

Notice that the new file would be again 0:lp owned.

Perhaps owned by 0:0 is more secure than 0:lp, I do not know, so, at
the moment, prefer that.

Anyway, if by any chance you intend to include that change, remember
that I have also added:

chown -v 0:0 /etc/cups/{snmp.conf,cups-files.conf}*

to the post_install part, so if user replaces the current files using
the new ones, ownership is correct (to my current preference).

[]s,
Fernando
--
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
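
The ownership drift described in the message above (cupsd resetting cups-files.conf to root:lp on restart) can be checked mechanically. The following is an added example, not part of the thread or the BLFS book: the function name audit_cups_conf is hypothetical, GNU stat is assumed, and the group/other-write check is an assumption of the example rather than something the thread states.

```sh
#!/bin/sh
# Added example (not from the thread). Requires GNU stat (stat -c).
# audit_cups_conf DIR WANT_UID WANT_GID
# Prints one line per file that deviates; returns 1 if any deviate.
audit_cups_conf() {
    dir=$1
    want="$2:$3"
    bad=0
    # Same file set as the chown in the message: both files plus any
    # suffixed copies such as cups-files.conf.N
    for f in "$dir"/snmp.conf* "$dir"/cups-files.conf*; do
        [ -f "$f" ] || continue      # unmatched glob or not a regular file
        owner=$(stat -c '%u:%g' "$f")
        mode=$(stat -c '%a' "$f")
        if [ "$owner" != "$want" ]; then
            printf '%s: owner %s, expected %s\n' "$f" "$owner" "$want"
            bad=1
        fi
        # Assumption of this example: write access for group or others
        # is never intended on these files (octal mask 022).
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            printf '%s: mode %s is group/other-writable\n' "$f" "$mode"
            bad=1
        fi
    done
    return "$bad"
}
```

Run as `audit_cups_conf /etc/cups 0 0` before and after restarting cupsd; any line printed after the restart names a file the daemon has changed away from 0:0.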