Dear All,
On my Gentoo system, /usr/sbin/cupsd has permissions
-r-x------
i.e. it can't be run (nor even read) as a normal user. Does anyone know why, please? Is it safe just to chmod the file then run it as a normal user?
(Background: my new printer, an Epson SX525WD, needs proprietary drivers - and I like to run proprietary software only as a special, low-privileged user.)
Thanks
On 12/09/2011 17:18, Dan wrote:
Dear All,
On my Gentoo system, /usr/sbin/cupsd has permissions
-r-x------
i.e. it can't be run (nor even read) as a normal user. Does anyone know why, please? Is it safe just to chmod the file then run it as a normal user?
Here's one of mine (only checked one):
# ls -al /usr/sbin/cupsd -rwxr-xr-x 1 root root 365592 Jul 27 2009 /usr/sbin/cupsd
Stock Gentoo, stock cupsd install...
Cheers, Laurie.
On 13/09/11 12:30, Laurie Brown wrote:
Here's one of mine (only checked one):
# ls -al /usr/sbin/cupsd -rwxr-xr-x 1 root root 365592 Jul 27 2009 /usr/sbin/cupsd
Stock Gentoo, stock cupsd install...
Ahh but cupsd should have needed a couple of security updates since Jul 2009 so maybe Dan is running a newer version than you, that when installed sets the daemon with tighter permissions.
On a side note you might want to consider upgrading cups at some point..from the top of my head there has been a rather nice privilege escalation flaw and one where a rogue IPP client can cause memory corruption in the cupsd process.
The second one would only be of concern if you were on a network shared with others. The first one could allow malicious code root access on your machine so affects you on or off a shared network.
Dan, It might take a bit more work than that as cupsd tries to open a couple of privileged ports (i.e <1024) and needs read/write access to bits of /dev to actually talk to local printers. But if the proprietary mess is just a cups filter or something you might be possible to run cupsd as root and fiddle with things so the filter blob or whatever runs as an lp user.
On 15/09/2011 22:58, Wayne Stallwood wrote:
On 13/09/11 12:30, Laurie Brown wrote:
Here's one of mine (only checked one):
# ls -al /usr/sbin/cupsd -rwxr-xr-x 1 root root 365592 Jul 27 2009 /usr/sbin/cupsd
Stock Gentoo, stock cupsd install...
Ahh but cupsd should have needed a couple of security updates since Jul 2009 so maybe Dan is running a newer version than you, that when installed sets the daemon with tighter permissions.
On a side note you might want to consider upgrading cups at some point..from the top of my head there has been a rather nice privilege escalation flaw and one where a rogue IPP client can cause memory corruption in the cupsd process.
The second one would only be of concern if you were on a network shared with others. The first one could allow malicious code root access on your machine so affects you on or off a shared network.
Fair points, but a) it isn't used, and was only installed as a default install, and b) I'm the only person who gets anywhere near the machine.
Cheers, Laurie.
On Thu, 15 Sep 2011, Wayne Stallwood wrote:
Dan, It might take a bit more work than that as cupsd tries to open a couple of privileged ports (i.e <1024) and needs read/write access to bits of /dev to actually talk to local printers. But if the proprietary mess is just a cups filter or something you might be possible to run cupsd as root and fiddle with things so the filter blob or whatever runs as an lp user.
It turns out that the printer (Epson SX525WD) works with the Epson Stylus SX510W driver in Gutenprint [*] - so I can throw away those proprietary blobs, and carry on running cupsd as root.
-
Dan -
Laurie Brown -
Wayne Stallwood