Ante Karamatić wrote: > On Mon, 26 Jun 2006 15:04:28 -0000 > Walter Tautz <[EMAIL PROTECTED]> wrote: > > >> We aren't going to bring back RunAsUser. All of the Linux distros >> already provide helper functions for their init scripts to run as >> a different user, I suggest you look there if you really want to >> cripple your CUPS install. You will also need to update the >> /etc/services file on every system that wants to print with the >> new port number for the IPP service... >> > > This is a known problem. RunAsUser would be great to bring back (this > is why Debian/Ubuntu patches CUPS). Mike knows that RunAsUser and > "helper functions for init scripts" (i.e. start-stop-daemon) are two > totally different things. stat-stop-daemon starts CUPS as non-root user > and CUPS is unable to bind on TCP/631. RunAsUser allowed to start CUPS > as root and bind on TCP/631, and then drop privileges to non-root user. > This is how most of the services work (i.e. postfix, vsftpd, bind, > apache...). I don't see any reason why it shouldn't be done with CUPS > too. If argument is needed - sendmail. Sendmail acts just like CUPS; > runs everything as root. Sendmail is now kicked out of OpenBSD and is > loosing it's user base every day. There is no perfect "hole-free" > software. First line of defense is to assume one day that service will > have a remotly exploitable hole. It's muche better if attacker gains > non-root privileges with which he can "only" mess up printing queues. > I'm hesitate to speak for Michael but have read him state that he is not averse to having well-thought out patches to allow for non-root running. How about helping him out directly? I'd try to do it myself but I'm not particularly experienced. It sounds like the maintainers of cups in debian/ubuntu are :-)
> >> 5. LPD printing support. >> Me: Number 5 is relevant to this bug report. >> > > Yes, I think everybody knows that. I can say this won't be "fixed" for > Dapper, but maybe we work something out for Edgy. > > Did you try setuid lpd backend (chmod > +s /usr/lib/cups/backend-available/lpd)? > > -- dapper cupsys can not print to rfc compliant lpd server, i.e. can not run as root https://launchpad.net/bugs/47773 -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
