Hello Martin-Éric,

On Friday, 25 December 2020, 12.58:39 h CET, Martin-Éric Racine wrote:
> I've been maintaining CUPS-PDF ever since it entered Debian.
>
> Recently, Lintian has been giving all sorts of hints about enabling
> hardening. Bug reports at Debian and at derivatives suggest that some
> of the hardening options might cause CUPS-PDF to fail at writing files
> to the expected destination.
>
> I was thus wondering what sort of hardening options (if any) are used
> for building other CUPS printer drivers that require compiling?

In terms of compilation hardening, this is what's used in CUPS:

https://sources.debian.org/src/cups/2.3.3op1-4/debian/rules/#L7

# Enabling PIE globally doesn't work, but ./configure already enables PIE
# where necessary.
export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie

(The comment is quite old, and I haven't re-tried enabling PIE recently).

In terms of runtime hardening, CUPS ships with an apparmor profile

https://sources.debian.org/src/cups/2.3.3op1-4/debian/local/apparmor-profile/

I think this is the one potentially limiting the possibility for CUPS to
write CUPS-PDF files at the correct places; see lines 99 and from 176 on.

I hope that answers your questions.

Best regards, and a happy new year,
OdyX