On Thu, Sep 14, 2006 at 08:04:02AM +0000, Joachim Breitner wrote:
> I'm reading your bugreport
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=372270 right now, as it
> will probably hit me when etch releases (for now I'm using a backport of
> samba on sarge, and thus have CUPS 1.1, which does not seem to have the
> problem).

Indeed. CUPS 1.2 changed this behaviour, and didn't deign to document such a significant change in the changelog. (Or at least I couldn't find it.)

> You write that
> "The problem is of course that making smbspool 0700 in the .deb means it
> can't be used by non-privileged users, which is pretty much everyone
> except those trying to use the kinda-hacky kerberos support in smbspool."

> Why is that so? Is the binary meant to be run by another program but
> CUPS? If not, it should still work fine even without kerberos, only
> that smbspool will run as root, not as lp, which should not be a problem
> (unless security wise)?

> If there actually is a different use for smbspool, then why not install
> two copies, one with the regular permissions in /usr/bin/smbspool, and
> one with 700 in /usr/lib/cups/backends/smb

> Or am I missing something?

I don't personally know off hand of any non-CUPS users of smbspool, but I dunno if that means there aren't any... It also breaks non-root CUPS should anyone attempt to set it up.

Presumably lprng and lpr-bash would use it, and lpr-bash particularly runs as a user, not root. (Although it doesn't appear to be in Debian, so becomes helpfully irrelevant.)

I think the main sticking point is that some large majority of the use-cases don't need to be root, so making it 700 and hence making CUPS run it as root and non-root users unable to run it at all seems bad.

Of course, if CUPS ran the backend as the user who submitted the printjob, this problem (as well as the privilege problem cups-pdf hits) would just disappear into the ether... ^_^

-- 
-----------------------------------------------------------
Paul "TBBle" Hampson, B.Sc, LPI, MCSE
On-hiatus Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

Of course Pacman didn't influence us as kids. If it did,
we'd be running around in darkened rooms, popping pills and
listening to repetitive music.
 -- Kristian Wilson, Nintendo, Inc, 1989

License: http://creativecommons.org/licenses/by/2.1/au/
-----------------------------------------------------------