Package: cups
Version: 2.4.2-3+deb12u8
Severity: minor
X-Debbugs-Cc: picca...@truelite.it

Dear Maintainer,

if you enable:

auth required pam_shells.so

(like appending it to /etc/pam.d/common-auth) to disable login to users
without a valid shell, authentication done using the web interface at
localhost:631 stops working, because /etc/shells is not included in
/etc/apparmor.d/usr.sbin.cupsd, so the server cannot read that file.

So you get in /var/log/cups/error_log:

E [16/Jun/2025:15:17:35 +0200] [Client 1] pam_authenticate() returned 3 (Error in service module)

and you get:

giu 16 15:17:33 think-06 cupsd[4207]: pam_shells(cups:auth): Error opening /etc/shells: Permission denied

in journalctl -u cups.

Just adding the line:

/etc/shells r,

makes it work again. I don't think that making cups capable of reading
/etc/shells is a security problem.

I tested this on bookworm, but the problem is also present in trixie with
cups 2.4.10-3

-- System Information:
Debian Release: 12.11
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (100, 'bookworm-fasttrack'), (100, 'bookworm-backports-staging')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-37-amd64 (SMP w/6 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups depends on:
ii  cups-client            2.4.2-3+deb12u8
ii  cups-common            2.4.2-3+deb12u8
ii  cups-core-drivers      2.4.2-3+deb12u8
ii  cups-daemon            2.4.2-3+deb12u8
ii  cups-filters           1.28.17-3+deb12u1
ii  cups-ppdc              2.4.2-3+deb12u8
ii  cups-server-common     2.4.2-3+deb12u8
ii  debconf [debconf-2.0]  1.5.82
ii  ghostscript            10.0.0~dfsg-11+deb12u7
ii  libavahi-client3       0.8-10+deb12u1
ii  libavahi-common3       0.8-10+deb12u1
ii  libc6                  2.36-9+deb12u10
ii  libcups2               2.4.2-3+deb12u8
ii  libgcc-s1              12.2.0-14+deb12u1
ii  libstdc++6             12.2.0-14+deb12u1
ii  libusb-1.0-0           2:1.0.26-1
ii  poppler-utils          22.12.0-2+deb12u1
ii  procps                 2:4.0.2-3

Versions of packages cups recommends:
ii  avahi-daemon  0.8-10+deb12u1
ii  colord        1.4.6-2.2

Versions of packages cups suggests:
pn  cups-bsd                                    <none>
pn  cups-pdf                                    <none>
pn  foomatic-db-compressed-ppds | foomatic-db   <none>
ii  smbclient                                   2:4.17.12+dfsg-0+deb12u1
ii  udev                                        252.38-1~deb12u1

-- debconf information:
  cupsys/backend: lpd, socket, usb, snmp, dnssd
  cupsys/raw-print: true
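
The mismatch described in the report above (a PAM module loaded into cupsd needs a file that the daemon's AppArmor profile does not grant) can be checked mechanically; the following is an added example, not part of the original report and not code from cups or AppArmor. The profile excerpts and PAM stack are constructed samples, the function names are hypothetical, and the matcher handles only path-first file rules with a subset of AppArmor globbing and does not expand `#include`d abstractions.

```python
import re

# Constructed excerpt in AppArmor profile syntax; NOT the real usr.sbin.cupsd.
PROFILE_BEFORE = """\
/usr/sbin/cupsd {
  /etc/cups/** rw,
  /etc/pam.d/* r,
  deny /etc/shadow r,
}
"""
# Same excerpt with the one-line rule proposed in the report.
PROFILE_AFTER = PROFILE_BEFORE.replace("}", "  /etc/shells r,\n}")
# Constructed PAM stack with the line from the report appended.
PAM_STACK = "auth [success=1 default=ignore] pam_unix.so nullok\nauth required pam_shells.so\n"
# Files a PAM module opens inside the calling daemon (only the case from the report).
MODULE_FILES = {"pam_shells.so": ["/etc/shells"]}

RULE = re.compile(r"^\s*(deny\s+)?(/\S*)\s+([A-Za-z]+),\s*(#.*)?$")
TOKENS = {"**": ".*", "*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")", ",": "|"}

def glob_to_regex(glob):
    """Translate a subset of AppArmor globbing (**, *, ?, {a,b}); assumes balanced braces."""
    parts = re.findall(r"\*\*|[*?{},]|[^*?{},]+", glob)
    return re.compile("".join(TOKENS.get(p) or re.escape(p) for p in parts) + r"\Z")

def read_allowed(profile, path):
    """True if some rule grants 'r' on path and no deny rule takes it away."""
    allowed = False
    for line in profile.splitlines():
        m = RULE.match(line)
        if m and "r" in m.group(3) and glob_to_regex(m.group(2)).match(path):
            if m.group(1):
                return False  # in AppArmor a deny rule overrides any allow
            allowed = True
    return allowed

def missing_reads(pam_stack, profile):
    """Files needed by modules in the PAM stack that the profile does not make readable."""
    modules = [w for line in pam_stack.splitlines() for w in line.split() if w.endswith(".so")]
    return [f for m in modules for f in MODULE_FILES.get(m, []) if not read_allowed(profile, f)]

if __name__ == "__main__":
    print("before:", missing_reads(PAM_STACK, PROFILE_BEFORE))
    print("after: ", missing_reads(PAM_STACK, PROFILE_AFTER))
```
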