On Mon, 26 Jun 2006 15:04:28 -0000 Walter Tautz <[EMAIL PROTECTED]> wrote:
> We aren't going to bring back RunAsUser. All of the Linux distros
> already provide helper functions for their init scripts to run as
> a different user, I suggest you look there if you really want to
> cripple your CUPS install. You will also need to update the
> /etc/services file on every system that wants to print with the
> new port number for the IPP service...

This is a known problem. RunAsUser would be great to bring back (this is why Debian/Ubuntu patches CUPS). Mike knows that RunAsUser and "helper functions for init scripts" (i.e. start-stop-daemon) are two totally different things.

start-stop-daemon starts CUPS as a non-root user and CUPS is unable to bind on TCP/631. RunAsUser allowed CUPS to start as root and bind on TCP/631, and then drop privileges to a non-root user. This is how most of the services work (i.e. postfix, vsftpd, bind, apache...). I don't see any reason why it shouldn't be done with CUPS too.

If an argument is needed - sendmail. Sendmail acts just like CUPS; runs everything as root. Sendmail is now kicked out of OpenBSD and is losing its user base every day.

There is no perfect "hole-free" software. The first line of defense is to assume that one day the service will have a remotely exploitable hole. It's much better if an attacker gains non-root privileges with which he can "only" mess up printing queues.

> 5. LPD printing support.
> Me: Number 5 is relevant to this bug report.

Yes, I think everybody knows that. I can say this won't be "fixed" for Dapper, but maybe we work something out for Edgy. Did you try setuid lpd backend (chmod +s /usr/lib/cups/backend-available/lpd)?

--
Ante Karamatic | 0xD3BDA225 | 0x0A4A0161
[EMAIL PROTECTED] | [EMAIL PROTECTED] | ivoks.blogspot.com
"Tomorrow is my day off, so please stay off the powder!"

--
dapper cupsys can not print to rfc compliant lpd server, i.e. can not run as root
https://launchpad.net/bugs/47773