Debian Bug report logs - #411580
cups-pdf: 2.4.2-2 broke functionality

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Filipe R. Fonseca" <filiperf@isa.utl.pt>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: cups-pdf: 2.4.2-2 broke functionality

Date: Mon, 19 Feb 2007 22:16:10 +0000

Package: cups-pdf
Version: 2.4.2-2
Severity: grave
Justification: renders package unusable


After updating to 2.4.2-2 it stopped producing outputs
(even to the root user).

Running 'chmod 700 /usr/lib/cups/backend/cups-pdf' (and
'chown root\: /usr/lib/cups/backend/cups-pdf' to make it
equal to other backends) did the trick.

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages cups-pdf depends on:
ii  cupsys                   1.2.7-4         Common UNIX Printing System(tm) - 
ii  gs-esp                   8.15.3.dfsg.1-1 The Ghostscript PostScript interpr
ii  libc6                    2.3.6.ds1-11    GNU C Library: Shared libraries

cups-pdf recommends no packages.

-- no debconf information

Message #10 received at 411580@bugs.debian.org (full text, mbox, reply):

From: "Martin-Éric Racine" <q-funk@iki.fi>

To: "Filipe R. Fonseca" <filiperf@isa.utl.pt>, 411580@bugs.debian.org, kmuto@debian.org, "Martin Pitt" <mpitt@debian.org>

Subject: Re: Bug#411580: cups-pdf: 2.4.2-2 broke functionality

Date: Tue, 20 Feb 2007 00:46:39 +0200

On 2/20/07, Filipe R. Fonseca <filiperf@isa.utl.pt> wrote:
> Package: cups-pdf
> Version: 2.4.2-2
> Severity: grave
> Justification: renders package unusable
>
> After updating to 2.4.2-2 it stopped producing outputs
> (even to the root user).
>
> Running 'chmod 700 /usr/lib/cups/backend/cups-pdf' (and
> 'chown root\: /usr/lib/cups/backend/cups-pdf' to make it
> equal to other backends) did the trick.

0700 is not an acceptable permission; it breaks things on too many
Debian derivatives. However, making ownership root:root again is
acceptable to me.

Kenshi? Martin? Would 4754 root:root pose any security problem that
you can think of?

-- 
Martin-Éric Racine
http://q-funk.iki.fi

Message #15 received at 411580@bugs.debian.org (full text, mbox, reply):

From: "Filipe R. Fonseca" <filiperf@isa.utl.pt>

To: 411580@bugs.debian.org

Cc: Martin-Éric Racine <q-funk@iki.fi>, kmuto@debian.org, Martin Pitt <mpitt@debian.org>

Subject: Re: Bug#411580: cups-pdf: 2.4.2-2 broke functionality

Date: Mon, 19 Feb 2007 23:09:56 +0000

Martin-Éric Racine wrote:
> On 2/20/07, Filipe R. Fonseca <filiperf@isa.utl.pt> wrote:
>> Package: cups-pdf
>> Version: 2.4.2-2
>> Severity: grave
>> Justification: renders package unusable
>>
>> After updating to 2.4.2-2 it stopped producing outputs
>> (even to the root user).
>>
>> Running 'chmod 700 /usr/lib/cups/backend/cups-pdf' (and
>> 'chown root\: /usr/lib/cups/backend/cups-pdf' to make it
>> equal to other backends) did the trick.
> 
> 0700 is not an acceptable permission; it breaks things on too many
> Debian derivatives. However, making ownership root:root again is
> acceptable to me.
> 
> Kenshi? Martin? Would 4754 root:root pose any security problem that
> you can think of?


4754 root:root does not work for me.

Regards,

Filipe

-- 
Filipe R. Fonseca <filiperf@isa.utl.pt>

Message #20 received at 411580@bugs.debian.org (full text, mbox, reply):

From: "Martin-Éric Racine" <q-funk@iki.fi>

To: "Filipe R. Fonseca" <filiperf@isa.utl.pt>

Cc: 411580@bugs.debian.org, kmuto@debian.org, "Martin Pitt" <mpitt@debian.org>

Subject: Re: Bug#411580: cups-pdf: 2.4.2-2 broke functionality

Date: Tue, 20 Feb 2007 01:20:27 +0200

On 2/20/07, Filipe R. Fonseca <filiperf@isa.utl.pt> wrote:
> Martin-Éric Racine wrote:
> > On 2/20/07, Filipe R. Fonseca <filiperf@isa.utl.pt> wrote:
> >> Package: cups-pdf
> >> Version: 2.4.2-2
> >> Severity: grave
> >> Justification: renders package unusable
> >>
> >> After updating to 2.4.2-2 it stopped producing outputs
> >> (even to the root user).
> >>
> >> Running 'chmod 700 /usr/lib/cups/backend/cups-pdf' (and
> >> 'chown root\: /usr/lib/cups/backend/cups-pdf' to make it
> >> equal to other backends) did the trick.
> >
> > 0700 is not an acceptable permission; it breaks things on too many
> > Debian derivatives. However, making ownership root:root again is
> > acceptable to me.
> >
> > Kenshi? Martin? Would 4754 root:root pose any security problem that
> > you can think of?
>
>
> 4754 root:root does not work for me.

Actually, 6754 is what we would need, but that probably is against
Policy. Then again, since 0700 works, I really don't see why 4754
doesn't, since they are both owned and executed by root.

-- 
Martin-Éric Racine
http://q-funk.iki.fi

Message #25 received at 411580@bugs.debian.org (full text, mbox, reply):

From: "Filipe R. Fonseca" <filiperf@isa.utl.pt>

To: 411580@bugs.debian.org

Cc: Martin-Éric Racine <q-funk@iki.fi>, kmuto@debian.org, Martin Pitt <mpitt@debian.org>

Subject: Re: Bug#411580: cups-pdf: 2.4.2-2 broke functionality

Date: Mon, 19 Feb 2007 23:34:58 +0000

Martin-Éric Racine wrote:
> On 2/20/07, Filipe R. Fonseca <filiperf@isa.utl.pt> wrote:
>> Martin-Éric Racine wrote:
>> > On 2/20/07, Filipe R. Fonseca <filiperf@isa.utl.pt> wrote:
>> >> Package: cups-pdf
>> >> Version: 2.4.2-2
>> >> Severity: grave
>> >> Justification: renders package unusable
>> >>
>> >> After updating to 2.4.2-2 it stopped producing outputs
>> >> (even to the root user).
>> >>
>> >> Running 'chmod 700 /usr/lib/cups/backend/cups-pdf' (and
>> >> 'chown root\: /usr/lib/cups/backend/cups-pdf' to make it
>> >> equal to other backends) did the trick.
>> >
>> > 0700 is not an acceptable permission; it breaks things on too many
>> > Debian derivatives. However, making ownership root:root again is
>> > acceptable to me.
>> >
>> > Kenshi? Martin? Would 4754 root:root pose any security problem that
>> > you can think of?
>>
>>
>> 4754 root:root does not work for me.
> 
> Actually, 6754 is what we would need, but that probably is against
> Policy. Then again, since 0700 works, I really don't see why 4754
> doesn't, since they are both owned and executed by root.
> 

As I said before, 4754 root:root does not work form me; relevant (I
guess) lines from /var/log/cups/error_log are:

I [19/Feb/2007:23:30:33 +0000] Adding start banner page "none" to job 75.
I [19/Feb/2007:23:30:33 +0000] Adding end banner page "none" to job 75.
I [19/Feb/2007:23:30:33 +0000] Job 75 queued on "PDF" by "filiperf".
I [19/Feb/2007:23:30:33 +0000] Started filter
/usr/lib/cups/filter/pstops (PID 7618) for job 75.
I [19/Feb/2007:23:30:33 +0000] Started backend
/usr/lib/cups/backend/cups-pdf (PID 7619) for job 75.
E [19/Feb/2007:23:30:33 +0000] PID 7619 (/usr/lib/cups/backend/cups-pdf)
stopped with status 22!
I [19/Feb/2007:23:30:33 +0000] Hint: Try setting the LogLevel to "debug"
to find out more.
I [19/Feb/2007:23:30:33 +0000] [Job 75] Backend returned status 22 (unknown)
I [19/Feb/2007:23:30:33 +0000] Saving printers.conf...

Regards,

Filipe

-- 
Filipe R. Fonseca <filiperf@isa.utl.pt>

Message #30 received at 411580@bugs.debian.org (full text, mbox, reply):

From: "Martin-Éric Racine" <q-funk@iki.fi>

To: "Filipe R. Fonseca" <filiperf@isa.utl.pt>

Cc: 411580@bugs.debian.org, kmuto@debian.org, "Martin Pitt" <mpitt@debian.org>

Subject: Re: Bug#411580: cups-pdf: 2.4.2-2 broke functionality

Date: Tue, 20 Feb 2007 01:44:24 +0200

On 2/20/07, Filipe R. Fonseca <filiperf@isa.utl.pt> wrote:
> Martin-Éric Racine wrote:
> > On 2/20/07, Filipe R. Fonseca <filiperf@isa.utl.pt> wrote:
> >> Martin-Éric Racine wrote:
> >> > On 2/20/07, Filipe R. Fonseca <filiperf@isa.utl.pt> wrote:
> >> >> Package: cups-pdf
> >> >> Version: 2.4.2-2
> >> >> Severity: grave
> >> >> Justification: renders package unusable
> >> >>
> >> >> After updating to 2.4.2-2 it stopped producing outputs
> >> >> (even to the root user).
> >> >>
> >> >> Running 'chmod 700 /usr/lib/cups/backend/cups-pdf' (and
> >> >> 'chown root\: /usr/lib/cups/backend/cups-pdf' to make it
> >> >> equal to other backends) did the trick.
> >> >
> >> > 0700 is not an acceptable permission; it breaks things on too many
> >> > Debian derivatives. However, making ownership root:root again is
> >> > acceptable to me.
> >> >
> >> > Kenshi? Martin? Would 4754 root:root pose any security problem that
> >> > you can think of?
> >>
> >>
> >> 4754 root:root does not work for me.
> >
> > Actually, 6754 is what we would need, but that probably is against
> > Policy. Then again, since 0700 works, I really don't see why 4754
> > doesn't, since they are both owned and executed by root.
> >
>
> As I said before, 4754 root:root does not work form me; relevant (I
> guess) lines from /var/log/cups/error_log are:

Read again.  I said 6754, not 4754.

-- 
Martin-Éric Racine
http://q-funk.iki.fi

Message #35 received at 411580@bugs.debian.org (full text, mbox, reply):

From: "Filipe R. Fonseca" <filiperf@isa.utl.pt>

To: 411580@bugs.debian.org

Cc: Martin-Éric Racine <q-funk@iki.fi>, kmuto@debian.org, Martin Pitt <mpitt@debian.org>

Subject: Re: Bug#411580: cups-pdf: 2.4.2-2 broke functionality

Date: Mon, 19 Feb 2007 23:56:18 +0000

Martin-Éric Racine wrote:
>> >> 4754 root:root does not work for me.
>> >
>> > Actually, 6754 is what we would need, but that probably is against
>> > Policy. Then again, since 0700 works, I really don't see why 4754
>> > doesn't, since they are both owned and executed by root.
>> >
>>
>> As I said before, 4754 root:root does not work form me; relevant (I
>> guess) lines from /var/log/cups/error_log are:
> 
> Read again.  I said 6754, not 4754.
> 

I did read it; and also read that 6754 would probably be against Policy.
So, I tried to provide some additional info on 4754 root:root as that
was, it seemed to me, you did not understand what why it did not work.
Apologies if I was not clear enough.

Anyway, 6754 root:root has a similar output with me:

I [19/Feb/2007:23:47:08 +0000] Adding start banner page "none" to job 76.
I [19/Feb/2007:23:47:08 +0000] Adding end banner page "none" to job 76.
I [19/Feb/2007:23:47:08 +0000] Job 76 queued on "PDF" by "filiperf".
I [19/Feb/2007:23:47:08 +0000] Started filter
/usr/lib/cups/filter/pstops (PID 7866) for job 76.
I [19/Feb/2007:23:47:08 +0000] Started backend
/usr/lib/cups/backend/cups-pdf (PID 7867) for job 76.
E [19/Feb/2007:23:47:08 +0000] PID 7867 (/usr/lib/cups/backend/cups-pdf)
stopped with status 22!
I [19/Feb/2007:23:47:08 +0000] Hint: Try setting the LogLevel to "debug"
to find out more.
I [19/Feb/2007:23:47:08 +0000] [Job 76] Backend returned status 22 (unknown)
I [19/Feb/2007:23:47:08 +0000] Saving printers.conf...

Regards,

Filipe

-- 
Filipe R. Fonseca <filiperf@isa.utl.pt>

Message #40 received at 411580@bugs.debian.org (full text, mbox, reply):

From: "Martin-Éric Racine" <q-funk@iki.fi>

To: "Filipe R. Fonseca" <filiperf@isa.utl.pt>

Cc: 411580@bugs.debian.org, kmuto@debian.org, "Martin Pitt" <mpitt@debian.org>, rleigh@debian.org

Subject: Re: Bug#411580: cups-pdf: 2.4.2-2 broke functionality

Date: Tue, 20 Feb 2007 02:38:59 +0200

On 2/20/07, Filipe R. Fonseca <filiperf@isa.utl.pt> wrote:
> Martin-Éric Racine wrote:
> >> >> 4754 root:root does not work for me.

> Anyway, 6754 root:root has a similar output with me:

Looking at Policy 10.9, we have a choice between modes 2755, 4755,
2754, 4754 or 0755.  Ownership could be root:root or root:lp.

Have your pick among those combinations of modes and ownership. As an
added challenge, the selected mode and ownership combination must work
out of the box on Ubuntu and other popular Debian derivatives too.

I welcome comparative tests on Debian and Ubuntu so that we can
finally agree on a mode and ownership combination that remains safe
and that works for everyone.

-- 
Martin-Éric Racine
http://q-funk.iki.fi

Message #45 received at 411580@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>

To: =?UTF-8?Q? Martin-=C3=89ric?= Racine <q-funk@iki.fi>, 411580@bugs.debian.org

Cc: "Filipe R. Fonseca" <filiperf@isa.utl.pt>, kmuto@debian.org, Martin Pitt <mpitt@debian.org>, rleigh@debian.org

Subject: Re: Bug#411580: cups-pdf: 2.4.2-2 broke functionality

Date: Mon, 19 Feb 2007 16:53:41 -0800

On Tue, Feb 20, 2007 at 02:38:59AM +0200, =?UTF-8?Q? Martin-=C3=89ric?= Racine wrote:
> Have your pick among those combinations of modes and ownership. As an
> added challenge, the selected mode and ownership combination must work
> out of the box on Ubuntu and other popular Debian derivatives too.

This is an arbitrary requirement that has no basis in Debian policy.  If
you're unwilling to maintain the *Debian* package in a manner such that it
works in *Debian*, you should expect that this package will be NMUed to use
the known-functional mode of 0700 with or without your consent.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Message #50 received at 411580@bugs.debian.org (full text, mbox, reply):

From: "Martin-Éric Racine" <q-funk@iki.fi>

To: "Steve Langasek" <vorlon@debian.org>

Cc: 411580@bugs.debian.org, "Filipe R. Fonseca" <filiperf@isa.utl.pt>, kmuto@debian.org, "Martin Pitt" <mpitt@debian.org>, rleigh@debian.org, debian-devel@lists.debian.org

Subject: Re: Bug#411580: cups-pdf: 2.4.2-2 broke functionality

Date: Tue, 20 Feb 2007 03:11:59 +0200

On 2/20/07, Steve Langasek <vorlon@debian.org> wrote:
> On Tue, Feb 20, 2007 at 02:38:59AM +0200, =?UTF-8?Q? Martin-=C3=89ric?= Racine wrote:
> > Have your pick among those combinations of modes and ownership. As an
> > added challenge, the selected mode and ownership combination must work
> > out of the box on Ubuntu and other popular Debian derivatives too.
>
> This is an arbitrary requirement that has no basis in Debian policy.  If
> you're unwilling to maintain the *Debian* package in a manner such that it
> works in *Debian*, you should expect that this package will be NMUed to use
> the known-functional mode of 0700 with or without your consent.

Wake up, Steve.  I maintain this package. You don't. Making this
package a one-size-fits all is my call, not yours. Your opinion of
Ubuntu is irrelevant.

-- 
Martin-Éric Racine
http://q-funk.iki.fi

Message #55 received at 411580-close@bugs.debian.org (full text, mbox, reply):

From: Martin-Éric Racine <q-funk@iki.fi>

To: 411580-close@bugs.debian.org

Subject: Bug#411580: fixed in cups-pdf 2.4.2-3

Date: Tue, 20 Feb 2007 01:32:02 +0000

Source: cups-pdf
Source-Version: 2.4.2-3

We believe that the bug you reported is fixed in the latest version of
cups-pdf, which is due to be installed in the Debian FTP archive:

cups-pdf_2.4.2-3.diff.gz
  to pool/main/c/cups-pdf/cups-pdf_2.4.2-3.diff.gz
cups-pdf_2.4.2-3.dsc
  to pool/main/c/cups-pdf/cups-pdf_2.4.2-3.dsc
cups-pdf_2.4.2-3_i386.deb
  to pool/main/c/cups-pdf/cups-pdf_2.4.2-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 411580@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin-Éric Racine <q-funk@iki.fi> (supplier of updated cups-pdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 20 Feb 2007 02:48:36 +0200
Source: cups-pdf
Binary: cups-pdf
Architecture: source i386
Version: 2.4.2-3
Distribution: unstable
Urgency: high
Maintainer: Martin-Éric Racine <q-funk@iki.fi>
Changed-By: Martin-Éric Racine <q-funk@iki.fi>
Description: 
 cups-pdf   - PDF printer for CUPS
Closes: 411580
Changes: 
 cups-pdf (2.4.2-3) unstable; urgency=high
 .
   * Reversed order of chmod and chown in postinst (Closes: #411580).
Files: 
 b9584c0a06e23b8ae5c546b22c628ec2 638 graphics optional cups-pdf_2.4.2-3.dsc
 5984c8412294884d13656cd95c63b7b9 6586 graphics optional cups-pdf_2.4.2-3.diff.gz
 61a9ddeb85e53200a17175a525dbb33f 40342 graphics optional cups-pdf_2.4.2-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iEYEARECAAYFAkXaT0YACgkQQKW+7XLQPLFpTACguG8yk7+TwblYxBf6IbTkGaMq
ipMAoLgD0/oX/Awm/lCF31feSS33tMmk
=2gsc
-----END PGP SIGNATURE-----

Message #60 received at 411580@bugs.debian.org (full text, mbox, reply):

From: Don Armstrong <don@debian.org>

To: Martin-Éric Racine <q-funk@iki.fi>

Cc: 411580@bugs.debian.org

Subject: Re: Bug#411580: cups-pdf: 2.4.2-2 broke functionality

Date: Mon, 19 Feb 2007 18:03:48 -0800

On Tue, 20 Feb 2007, Martin-Éric Racine wrote:
> Wake up, Steve. I maintain this package. You don't. Making this
> package a one-size-fits all is my call, not yours. Your opinion of
> Ubuntu is irrelevant.

It's fine to try to make this package one size fits all, but having
binaries which do not need to be setuid root setuid root is a bad
idea.

Is there any reason why you cannot detect whether or not cupsys is
going to be run as root or non-root and chmod the binary
appropriately?

Secondly, has anyone actually audited cups-pdf to verify that it is
audited to run appropriately setuid 0?


Don Armstrong

-- 
If you have the slightest bit of intellectual integrity you cannot
support the government. -- anonymous

http://www.donarmstrong.com              http://rzlab.ucr.edu

Message #65 received at 411580@bugs.debian.org (full text, mbox, reply):

From: "Martin-Éric Racine" <q-funk@iki.fi>

To: 411580@bugs.debian.org

Subject: Re: Bug#411580: cups-pdf: 2.4.2-2 broke functionality

Date: Tue, 20 Feb 2007 04:59:26 +0200

On 2/20/07, Don Armstrong <don@debian.org> wrote:
> On Tue, 20 Feb 2007, Martin-Éric Racine wrote:
> > Wake up, Steve. I maintain this package. You don't. Making this
> > package a one-size-fits all is my call, not yours. Your opinion of
> > Ubuntu is irrelevant.
>
> It's fine to try to make this package one size fits all, but having
> binaries which do not need to be setuid root setuid root is a bad
> idea.

It currently doesn't need it, but this only applies to Debian itself.
Several Debian derivatives wisely chose to run CUPS as non-root, which
is where it's needed. The Debian package is also expected to run as
non-root soon.

> Is there any reason why you cannot detect whether or not cupsys is
> going to be run as root or non-root and chmod the binary
> appropriately?

The risks inherent to setuid would exist regardless; patting ourselves
in the back because Debian can momentarily avoid the issue (but only
until it also produces a CUPS package running as non-root) and pushing
it into Debian derivatives' hands is not a solution. Here, we are at
least containing the risks by setting a precise combination of
user:group for the backend.

> Secondly, has anyone actually audited cups-pdf to verify that it is
> audited to run appropriately setuid 0?

Florian Zumbiehl did a fairly extensive code audit that resulted in
upstream rewriting his code to quickly drop privileges, rather than
run as root all the time.

Following Florian's audit and repeated 'lint' fixes by upstream, I
have become fairly confident in the CUPS-PDF code. However, I am
becoming less and less confident in CUPS itself; the 1.2.x series
produced by upstream keeps on bringing in new bugs and regressions
that repeatedly break something and fix it again, from one release to
the next. Given this,I think that it's no coincidence that Ubuntu and
other Debian derivatives run CUPS as non-root.

-- 
Martin-Éric Racine
http://q-funk.iki.fi

Message #70 received at 411580@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>

To: Martin-Éric Racine <q-funk@iki.fi>

Cc: "Filipe R. Fonseca" <filiperf@isa.utl.pt>, 411580@bugs.debian.org, kmuto@debian.org, Martin Pitt <mpitt@debian.org>

Subject: Re: Bug#411580: cups-pdf: 2.4.2-2 broke functionality

Date: Tue, 20 Feb 2007 08:39:26 +0100

[Message part 1 (text/plain, inline)]

Hi,

Martin-Éric Racine [2007-02-20  0:46 +0200]:
> 0700 is not an acceptable permission; it breaks things on too many
> Debian derivatives. However, making ownership root:root again is
> acceptable to me.
> 
> Kenshi? Martin? Would 4754 root:root pose any security problem that
> you can think of?

After seeing the trouble that this causes in Debian, I think we should
just ship Etch with 0700 and keep the tiny postinst delta in Ubuntu.

After Etch's release we should consider letting Debian's cups not run
as root as well, then we can drop the delta again.

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.