public inbox for gentoo-user@lists.gentoo.org
From: Alan McKinnon <alan.mckinnon@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] cups settup broken? - please help
Date: Tue, 14 May 2013 12:05:23 +0200
Message-ID: <51920C63.2010907@gmail.com>
In-Reply-To: <1368525635.3130.1@numa-i>

On 14/05/2013 12:00, Helmut Jarausch wrote:
> On 05/14/2013 11:55:23 AM, Yuri K. Shatroff wrote:
>> On 14.05.2013 13:42, Helmut Jarausch wrote:
>>> On 05/14/2013 11:15:29 AM, Yuri K. Shatroff wrote:
>>>> On 14.05.2013 13:05, Helmut Jarausch wrote:
>>>>> Hi,
>>>>> recently I have problems with CUPS (1.6.2) with cups-filters-1.0.34
>>>>>
>>>>> I see lots of strange error messages in /var/log/cups/error_log like
>>>>>
>>>>>
>>>>> Filter "pdftops" not found.
>>>>>
>>>>>   but there is a /usr/libexec/cups/filter/pdftops
>>>>>
>>>>>    and then
>>>>>
>>>>>
>>>>> ps: File "/etc/cups/${EPREFIX}/usr/libexec/cups/filter/commandtops"
>>>>> not
>>>>> available: No such file or directory
>>>>>
>>>>> These paths look strange.
>>>>>
>>>>> Does anyone know what's going on here?
>>>>>
>>>>> Many thanks for a hint,
>>>>> Helmut.
>>>>
>>>> Hi Helmut,
>>>> I also had this problem after installing CUPS. There is a trouble with
>>>> permissions, AFAIR you need to check that /var/spool/cups is
>>>> accessible to your user: that is, ensure that you're in the lp group
>>>> and /var/spool/cups group is lp. I can not be sure that this dir was
>>>> the only one to check but it was the permissions which was the problem.
>>>
>>>
>>>
>>> Thanks Juri.
>>> What do you mean by 'accessible' - here I have only group execute
>>> permission, i.e.
>>>
>>> ls -ld /var/spool/cups  gives
>>> drwx--x--- 3 root lp 32768 May 14 11:37 /var/spool/cups
>>
>> Accessible really means accessible, i.e. when you are able to chdir to
>> it and see its contents.
>> Apparently, the dir lacks "group read" permission, i.e. it should be
>> drwxr-x---
>> the `execute` bit alone doesn't allow one to access the directory.
>> That is probably a portage bug or sort of.
> 
> But then any user of group 'lp' on that machine can read what others
> have spooled for printing.
> Isn't this a security breach?

Not by itself, not really.

Read on a directory lets you read the directory inode. In other words
"ls" will work.

To see others' spool files, you need at least read on each individual
file. As a parallel, this is what makes "cat" work.

So read on a dir is not by itself a security risk, unless you want to
prohibit people even seeing who else has spool files at all. Doing that
cannot be done with Unix permissions alone (and it's a real PITA
deploying a way to do it, which is why we usually don't).




-- 
Alan McKinnon
alan.mckinnon@gmail.com
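
The directory-versus-file distinction discussed in this thread, as an added example that is not part of any message: it evaluates plain POSIX mode bits for the two directory modes quoted above (drwx--x--- and drwxr-x---) against sample spool-file modes. The uid/gid numbers, the file modes and the root:lp ownership of the files are assumptions made up for illustration.

```python
import stat

LP_GID = 7       # assumed gid of group "lp" (constructed for this example)
USER_UID = 1000  # assumed ordinary user who is a member of lp

def perm_class(mode, st_uid, st_gid, uid, gids):
    """Pick the rwx triplet the kernel applies: owner, else group, else other."""
    if uid == st_uid:
        return (mode >> 6) & 7
    if st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def spool_access(dir_mode, file_mode, uid=USER_UID, gids=(LP_GID,),
                 owner_uid=0, owner_gid=LP_GID):
    """Access a non-root user gets to one file in a root:lp spool directory.

    Directory and file are both assumed to be owned by root:lp;
    root's permission bypass and ACLs are not modelled.
    """
    d = perm_class(dir_mode, owner_uid, owner_gid, uid, gids)
    f = perm_class(file_mode, owner_uid, owner_gid, uid, gids)
    search = bool(d & 1)                  # x on a directory: look up a name in it
    return {
        "list_names": bool(d & 4),        # r on a directory: readdir(), plain "ls"
        "stat_known_name": search,        # needed for "ls -l" or to open a known path
        "read_contents": search and bool(f & 4),  # "cat": directory x plus file r
    }

if __name__ == "__main__":
    # Directory modes are the two from the thread; file modes are constructed.
    for dir_mode in (0o710, 0o750):
        for file_mode in (0o600, 0o640):
            print(stat.filemode(stat.S_IFDIR | dir_mode),
                  stat.filemode(stat.S_IFREG | file_mode),
                  spool_access(dir_mode, file_mode))
```

With drwxr-x--- and a 0600 spool file, an lp member can list names but not read contents; with drwx--x--- and a 0640 file, the same user cannot list but can still read a file whose name is already known.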


