Ante Karamatić wrote:
> On Mon, 26 Jun 2006 15:04:28 -0000
> Walter Tautz <[EMAIL PROTECTED]> wrote:
>
>   
>> We aren't going to bring back RunAsUser.  All of the Linux distros
>> already provide helper functions for their init scripts to run as
>> a different user, I suggest you look there if you really want to
>> cripple your CUPS install.  You will also need to update the
>> /etc/services file on every system that wants to print with the
>> new port number for the IPP service...
>>     
>
> This is a known problem. RunAsUser would be great to bring back (this
> is why Debian/Ubuntu patches CUPS). Mike knows that RunAsUser and
> "helper functions for init scripts" (i.e. start-stop-daemon) are two
> totally different things. start-stop-daemon starts CUPS as non-root user
> and CUPS is unable to bind on TCP/631. RunAsUser allowed CUPS to start
> as root and bind on TCP/631, and then drop privileges to non-root user.
> This is how most of the services work (i.e. postfix, vsftpd, bind,
> apache...). I don't see any reason why it shouldn't be done with CUPS
> too. If argument is needed - sendmail. Sendmail acts just like CUPS;
> runs everything as root. Sendmail is now kicked out of OpenBSD and is
> losing its user base every day. There is no perfect "hole-free"
> software. First line of defense is to assume one day that service will
> have a remotely exploitable hole. It's much better if attacker gains
> non-root privileges with which he can "only" mess up printing queues.
>   
I hesitate to speak for Michael but have read him state
that he is not averse to having well-thought out patches
to allow for non-root running. How about helping him
out directly? I'd try to do it myself but I'm not
particularly experienced. It sounds like the maintainers
of cups in debian/ubuntu are :-)

>   
>>     5. LPD printing support.
>> Me: Number 5 is relevant to this bug report.
>>     
>
> Yes, I think everybody knows that. I can say this won't be "fixed" for
> Dapper, but maybe we work something out for Edgy.
>
> Did you try setuid lpd backend (chmod
> +s /usr/lib/cups/backend-available/lpd)?
>
>

-- 
dapper cupsys can not print to rfc compliant lpd server, i.e. can not run as 
root
https://launchpad.net/bugs/47773

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
