On 2/20/07, Don Armstrong <[EMAIL PROTECTED]> wrote:
> On Tue, 20 Feb 2007, Martin-Éric Racine wrote:
> > Wake up, Steve. I maintain this package. You don't. Making this
> > package a one-size-fits-all is my call, not yours. Your opinion of
> > Ubuntu is irrelevant.
>
> It's fine to try to make this package one size fits all, but having
> binaries which do not need to be setuid root setuid root is a bad
> idea.

It currently doesn't need it, but this only applies to Debian itself.
Several Debian derivatives wisely chose to run CUPS as non-root, which
is where it's needed. The Debian package is also expected to run as
non-root soon.

> Is there any reason why you cannot detect whether or not cupsys is
> going to be run as root or non-root and chmod the binary
> appropriately?

The risks inherent to setuid would exist regardless; patting ourselves
in the back because Debian can momentarily avoid the issue (but only
until it also produces a CUPS package running as non-root) and pushing
it into Debian derivatives' hands is not a solution. Here, we are at
least containing the risks by setting a precise combination of
user:group for the backend.

> Secondly, has anyone actually audited cups-pdf to verify that it is
> audited to run appropriately setuid 0?

Florian Zumbiehl did a fairly extensive code audit that resulted in
upstream rewriting his code to quickly drop privileges, rather than
run as root all the time.

Following Florian's audit and repeated 'lint' fixes by upstream, I
have become fairly confident in the CUPS-PDF code. However, I am
becoming less and less confident in CUPS itself; the 1.2.x series
produced by upstream keeps on bringing in new bugs and regressions
that repeatedly break something and fix it again, from one release to
the next. Given this, I think that it's no coincidence that Ubuntu and
other Debian derivatives run CUPS as non-root.

--
Martin-Éric Racine
http://q-funk.iki.fi
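The two technical points argued in the thread, a setuid-root backend that drops privileges as early as possible and a packager that picks the backend's mode according to how cupsd runs, look like this in practice. The code below is an added illustration written for this archive page; it is not cups-pdf's code, not Florian Zumbiehl's patch, and not the Debian packaging. The function names, the choice of 0750 versus setuid 0750 in backend_mode(), and the root:lp ownership mentioned in the comments are assumptions made for the example, since the thread names no specific mode.

```c
/* Added example: permanent privilege drop for a setuid-root helper, plus a
 * verification that root cannot be regained, and a small "which mode does the
 * backend need" decision for the install scripts. Linux/glibc (setresuid). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid for good: clear supplementary groups (only possible while
 * still root), set the gid BEFORE the uid (after setresuid we could no longer
 * change groups), then read the ids back instead of trusting return codes.
 * Returns 0 on success, -1 on any failure (caller must abort, never continue). */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)      /* real, effective AND saved gid */
        return -1;
    if (setresuid(uid, uid, uid) != 0)      /* real, effective AND saved uid */
        return -1;

    /* Verify: a saved-set-id left at 0 would let the process climb back. */
    if (getresuid(&ruid, &euid, &suid) != 0 ||
        ruid != uid || euid != uid || suid != uid)
        return -1;
    if (getresgid(&rgid, &egid, &sgid) != 0 ||
        rgid != gid || egid != gid || sgid != gid)
        return -1;
    return 0;
}

/* After a drop to a non-root uid, prove root is gone: setuid(0) must fail
 * with EPERM. Returns 1 if root is unrecoverable, 0 otherwise. */
int root_is_unrecoverable(void)
{
    if (geteuid() == 0)
        return 0;                           /* still root: nothing dropped */
    if (setuid(0) == 0)
        return 0;                           /* regained root: drop was incomplete */
    return errno == EPERM;
}

/* Packaging-side decision (assumption for the example): when cupsd itself
 * runs as root the backend inherits root and needs no setuid bit; when cupsd
 * runs as an unprivileged user the backend gets setuid root, owned root:lp and
 * not world-executable, so only the print system's group can start it. */
mode_t backend_mode(int cupsd_runs_as_root)
{
    mode_t base = S_IRWXU | S_IRGRP | S_IXGRP;   /* 0750 */
    return cupsd_runs_as_root ? base : (S_ISUID | base);
}

int main(void)
{
    /* Stand-alone run: drop to the real (invoking) uid/gid, as a setuid helper
     * would once it has finished the one thing that needed root. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("euid=%u root unrecoverable=%d backend mode (cupsd non-root)=%04o\n",
           (unsigned)geteuid(), root_is_unrecoverable(),
           (unsigned)backend_mode(0));
    return 0;
}
```

The order matters: groups first, then gid, then uid, and the getres*() read-back is what turns "setuid returned 0" into "there is no saved root id left to return to". A helper that skips the verification is exactly the kind of binary the thread is arguing about.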
