Too many files are owned by CUPS_USER

[michaelrsweet]

Version: 1.1.20rc1 CUPS.org User: jlovell

It seems that too many files end up being owned by the CUPS_USER. There are two classes of these:

*.conf: Although they are initially set up correctly in conf.c as "run_user" they change ownership to "User" when they are rewritten. Having them owned by "User" allows, in theory, any of the filters to change these (i.e. hijack them by changing the device URIs) or to snoop passwords from printers.conf.

spool files: Have these writable by "User" would allow any of the filters to change them. If they are owned by root (run_user) then only cupsd can change them.

The attached patch fixes these (a review of the other chown's may be in order as well). Note that in printers.c I also threw a few sprinklings of "static const".

Comments?

Thanks.

[michaelrsweet]

CUPS.org User: mike

Thanks, applied to CVS for 1.1.20.

[michaelrsweet]

"cups-perms.patch":

? cups-perms.patch

Index: classes.c

RCS file: /home/anoncvs/cups/scheduler/classes.c,v retrieving revision 1.52 diff -u -d -b -w -r1.52 classes.c --- classes.c 26 Apr 2003 17:09:55 -0000 1.52 +++ classes.c 12 Sep 2003 21:32:37 -0000 @@ -610,7 +610,7 @@

• Restrict access to the file... */
• fchown(cupsFileNumber(fp), User, Group);

• fchown(cupsFileNumber(fp), getuid(), Group); fchmod(cupsFileNumber(fp), ConfigFilePerm);

  /*

  Index: client.c

  RCS file: /home/anoncvs/cups/scheduler/client.c,v retrieving revision 1.172 diff -u -d -b -w -r1.172 client.c --- client.c 10 Sep 2003 02:49:13 -0000 1.172 +++ client.c 12 Sep 2003 21:32:38 -0000 @@ -1552,7 +1552,7 @@ SetStringf(&con->filename, "%s/%08x", RequestRoot, request_id ++); con->file = open(con->filename, O_WRONLY | O_CREAT | O_TRUNC, 0640); fchmod(con->file, 0640);

• fchown(con->file, User, Group);

• fchown(con->file, getuid(), Group);
  
     LogMessage(L_DEBUG2, "ReadClient() %d REQUEST %s=%d", con->http.fd,
           con->filename, con->file);

  @@ -1844,7 +1844,7 @@ SetStringf(&con->filename, "%s/%08x", RequestRoot, request_id ++); con->file = open(con->filename, O_WRONLY | O_CREAT | O_TRUNC, 0640); fchmod(con->file, 0640);

• fchown(con->file, User, Group);

• fchown(con->file, getuid(), Group);
  
   LogMessage(L_DEBUG2, "ReadClient() %d REQUEST %s=%d", con->http.fd,
         con->filename, con->file);

  Index: ipp.c

  RCS file: /home/anoncvs/cups/scheduler/ipp.c,v retrieving revision 1.218 diff -u -d -b -w -r1.218 ipp.c --- ipp.c 20 Jul 2003 12:42:34 -0000 1.218 +++ ipp.c 12 Sep 2003 21:32:40 -0000 @@ -2282,7 +2282,7 @@ }

  fchmod(cupsFileNumber(out), 0640);

• fchown(cupsFileNumber(out), User, Group);

• fchown(cupsFileNumber(out), getuid(), Group);

  if (con->language) {

  Index: job.c

  RCS file: /home/anoncvs/cups/scheduler/job.c,v retrieving revision 1.220 diff -u -d -b -w -r1.220 job.c --- job.c 10 Sep 2003 19:29:20 -0000 1.220 +++ job.c 12 Sep 2003 21:32:41 -0000 @@ -940,7 +940,7 @@ }

  fchmod(fd, 0600);

• fchown(fd, User, Group);

• fchown(fd, getuid(), Group);

  ippWriteFile(fd, job->attrs);

Index: log.c

RCS file: /home/anoncvs/cups/scheduler/log.c,v retrieving revision 1.36 diff -u -d -b -w -r1.36 log.c --- log.c 22 Aug 2003 22:01:24 -0000 1.36 +++ log.c 12 Sep 2003 21:32:42 -0000 @@ -525,7 +525,7 @@

 if (strncmp(filename, "/dev/", 5))
 {

• fchown(cupsFileNumber(*log), User, Group);

• fchown(cupsFileNumber(*log), getuid(), Group);

  fchmod(cupsFileNumber(*log), LogFilePerm); } } @@ -553,7 +553,7 @@

  if (strncmp(filename, "/dev/", 5)) {

• fchown(cupsFileNumber(*log), User, Group);

• fchown(cupsFileNumber(*log), getuid(), Group);

  fchmod(cupsFileNumber(*log), LogFilePerm); } }

  Index: printers.c

  RCS file: /home/anoncvs/cups/scheduler/printers.c,v retrieving revision 1.153 diff -u -d -b -w -r1.153 printers.c --- printers.c 6 Aug 2003 18:05:23 -0000 1.153 +++ printers.c 12 Sep 2003 21:32:43 -0000 @@ -843,7 +843,7 @@

  • Restrict access to the file... */
• fchown(cupsFileNumber(fp), User, Group);

• fchown(cupsFileNumber(fp), getuid(), Group); fchmod(cupsFileNumber(fp), ConfigFilePerm);

  / @@ -957,27 +957,27 @@ ppd_attr_t ppdattr; / PPD attribute _/ ipp_attribute_t attr; / Attribute data / ipp_valuet *val; / Attribute value */

• int nups[] = /* number-up-supported values */
• static const int nups[] = /* number-up-supported values */ { 1, 2, 4, 6, 9, 16 };
• ipp_orient_t orients[4] = /* orientation-requested-supported values */
• static const ipp_orient_t orients[4] = /* orientation-requested-supported values */ { IPP_PORTRAIT, IPP_LANDSCAPE, IPP_REVERSE_LANDSCAPE, IPP_REVERSE_PORTRAIT };
• const char sides[3] = / sides-supported values */
• static const char * const sides[3] = /* sides-supported values */ {
• "one-sided",
• "two-sided-long-edge",
• "two-sided-short-edge"
• "one",
• "two-long-edge",
• "two-short-edge" };
• const char versions[] = / ipp-versions-supported values */
• static const char * const versions[] = /* ipp-versions-supported values */ { "1.0", "1.1" };
• ipp_op_t ops[] = /* operations-supported values */
• static const ipp_op_t ops[] = /* operations-supported values */ { IPP_PRINT_JOB, IPP_VALIDATE_JOB, @@ -1008,7 +1008,7 @@ CUPS_GET_PPDS, IPP_RESTART_JOB };
• const char charsets[] = / charset-supported values */
• static const char * const charsets[] = /* charset-supported values */ { "us-ascii", "iso-8859-1", @@ -1038,7 +1038,7 @@ "koi8-r", "koi8-u", };
• const char *compressions[] =
• static const char * const compressions[] = {

  ifdef HAVE_LIBZ

    "none",

  @@ -1049,7 +1049,7 @@ }; int num_finishings; ipp_finish_t finishings[5];

• const char *multiple_document_handling[] =
• static const char * const multiple_document_handling[] = { "separate-documents-uncollated-copies", "separate-documents-collated-copies"