From: Alan McKinnon
Date: Tue, 14 May 2013 12:05:23 +0200
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] cups settup broken? - please help
Message-ID: <51920C63.2010907@gmail.com>

On 14/05/2013 12:00, Helmut Jarausch wrote:
> On 05/14/2013 11:55:23 AM, Yuri K. Shatroff wrote:
>> On 14.05.2013 13:42, Helmut Jarausch wrote:
>>> On 05/14/2013 11:15:29 AM, Yuri K. Shatroff wrote:
>>>> On 14.05.2013 13:05, Helmut Jarausch wrote:
>>>>> Hi,
>>>>> recently I have problems with CUPS (1.6.2) with cups-filters-1.0.34
>>>>>
>>>>> I see lots of strange error messages in /var/log/cups/error_log like
>>>>>
>>>>>
>>>>> Filter "pdftops" not found.
>>>>>
>>>>> but there is a /usr/libexec/cups/filter/pdftops
>>>>>
>>>>> and then
>>>>>
>>>>>
>>>>> ps: File "/etc/cups/${EPREFIX}/usr/libexec/cups/filter/commandtops"
>>>>> not
>>>>> available: No such file or directory
>>>>>
>>>>> These paths look strange.
>>>>>
>>>>> Does anyone know what's going on here?
>>>>>
>>>>> Many thanks for a hint,
>>>>> Helmut.
>>>>
>>>> Hi Helmut,
>>>> I also had this problem after installing CUPS.
>>>> There is a trouble with
>>>> permissions, AFAIR you need to check that /var/spool/cups is
>>>> accessible to your user: that is, ensure that you're in the lp group
>>>> and /var/spool/cups group is lp. I can not be sure that this dir was
>>>> the only one to check but it was the permissions which was the problem.
>>>
>>>
>>>
>>> Thanks Juri.
>>> What do you mean by 'accessible' - here I have only group execute
>>> permission, i.e.
>>>
>>> ls -ld /var/spool/cups gives
>>> drwx--x--- 3 root lp 32768 May 14 11:37 /var/spool/cups
>>
>> Accessible really means accessible, i.e. when you are able to chdir to
>> it and see its contents.
>> Apparently, the dir lacks "group read" permission, i.e. it should be
>> drwxr-x---
>> the `execute` bit alone doesn't allow one to access the directory.
>> That is probably a portage bug or sort of.
>
> But then any user of group 'lp' on that machine can read what others
> have spooled for printing.
> Isn't this a security breach?

Not by itself, not really.

Read on a directory lets you read the directory inode. In other words
"ls" will work.

To see others' spool files, you need at least read on each individual
file. As a parallel, this is what makes "cat" work.

So read on a dir is not by itself a security risk, unless you want to
prohibit people even seeing who else has spool files at all. Doing that
cannot be done with Unix permissions alone (and it's a real PITA
deploying a way to do it, which is why we usually don't)

-- 
Alan McKinnon
alan.mckinnon@gmail.com
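
The directory-versus-file permission question raised in this thread, as an added example that is not part of any poster's message: a small shell function that works out, from `ls -l` mode strings alone, what a member of the owning group can do. The two directory modes are the ones quoted in the thread; the spool-file modes and the names `group_bits` and `group_access` are constructed for the illustration, and ACLs and root's override are not modelled.

```sh
#!/bin/sh
# Added illustration, not from the thread: what can a member of the owning
# group (here: lp) do, judged only from the mode strings `ls -l` prints?
# Pure string logic; nothing on disk is touched.

# Print the three group permission characters of a mode string, e.g. "--x".
group_bits() {
    printf '%s\n' "$1" | cut -c5-7
}

# group_access DIRMODE FILEMODE
#   list    = names in the directory can be enumerated     (r on the directory)
#   reach   = an entry whose name is known can be looked up (x on the directory)
#   content = the file's data can be read  (x on the directory AND r on the file)
group_access() {
    dir=$(group_bits "$1")
    file=$(group_bits "$2")
    list=no reach=no content=no

    case "$dir" in r??) list=yes ;; esac
    # Lowercase "s" means setgid plus execute; uppercase "S" means setgid only.
    case "$dir" in ??[xs]) reach=yes ;; esac
    if [ "$reach" = yes ]; then
        case "$file" in r??) content=yes ;; esac
    fi
    printf 'list=%s reach=%s content=%s\n' "$list" "$reach" "$content"
}

# Directory modes from the thread; the spool-file modes are constructed samples.
for dirmode in 'drwx--x---' 'drwxr-x---'; do
    for filemode in '-rw-------' '-rw-r-----'; do
        printf '%s + %s -> %s\n' "$dirmode" "$filemode" \
            "$(group_access "$dirmode" "$filemode")"
    done
done
```

Adding group read to the directory changes only the `list` column; whether `content` is `yes` is decided by the file's own group read bit in both directory modes.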