On Wednesday, 28 November 2012 12.41:27, Michael Sweet wrote:
> Indeed, we can add additional directory checks to the "simple" fix, or for
> purposes of the Debian packages just disable certain directives if they
> should not be configured from their defaults.

Sure; sounds good.

> WRT setting SystemGroup, that /is/ a valid configuration change that some
> sites make; disabling that directive might break some sites, but at least
> they can tweak their policy sections to grant printer admin rights as a
> workaround?

I feel it's not quite OK to let root delegate rights to a group (lpadmin in our case) that can then extend these rights to any other group (even one they are not part of). I'm not saying root shouldn't be allowed to grant SystemGroup rights to any group he wants through /etc/cups/cupsd.conf, but I'm really uncomfortable letting lpadmin users (whose primary right is the right to add printers as far as I understand it) do this through the web interface.

> Seems like maybe the simplest fix is to disable the problematic directives
> (just use defaults); sites that need to change from the defaults can
> install their own versions of the cups packages. Thoughts?

DocumentRoot has to be fixed that way IMHO as the attack is immediate and I think it's a suitable fix for our stable releases.

For SystemGroup, I think it's reasonably okay to leave that bug open for stable releases; the long-term fix (to push that to cups-files.conf) is okay in that regard.

Any idea/patch on how you'd enforce default DocumentRoot (including making sure the tests still run?)?

Cheers,
OdyX