path: root/debian/patches/rootbackends-worldreadable.patch
blob: 2525fc0fb68b25e02272f1e418360c1c7450b837 (plain)
From 5493a54038c68523dae7fecd0a761668c08d84de Mon Sep 17 00:00:00 2001
From: Martin Pitt <mpitt@debian.org>
Date: Tue, 9 Aug 2016 18:11:06 +0200
Subject: Install root backends world-readable.

This is needed:
 - to comply with Debian Policy
 - because it is nonsensical to not do so
 - it also breaks system checkers, bug reporting, etc

Bug: http://www.cups.org/str.php?L2935
Bug-Debian: http://bugs.debian.org/410171
Last-Update: 2015-02-10

Patch-Name: rootbackends-worldreadable.patch
---
 backend/Makefile         | 4 ++--
 scheduler/cups-deviced.c | 2 +-
 scheduler/job.c          | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/backend/Makefile b/backend/Makefile
index aeb33d846..cfea19178 100644
--- a/backend/Makefile
+++ b/backend/Makefile
@@ -19,7 +19,7 @@ include ../Makedefs
 # Object files...
 #
 
-# RBACKENDS are installed mode 0700 so cupsd will run them as root...
+# RBACKENDS are installed mode 0744 so cupsd will run them as root...
 #
 # UBACKENDS and ULBACKENDS are installed mode 0755 so cupsd will run them as
 # an unprivileged user...
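Review bot: The updated comment on the RBACKENDS line names the mode but not the rule the scheduler applies, so a packager reading it cannot tell which bits matter. Per the scheduler hunks in this patch, a backend runs as root when none of group-write, other-write and other-execute is set. I would spell that out, e.g. `# RBACKENDS are installed mode 0744 (no group/other write, no other execute) so cupsd will run them as root...`. Since other-read no longer affects the decision, it is also worth saying that world-readable root backends must not embed secrets.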
@@ -124,7 +124,7 @@ install-exec:	$(INSTALLXPC)
 	echo Installing backends in $(SERVERBIN)/backend
 	$(INSTALL_DIR) -m 755 $(SERVERBIN)/backend
 	for file in $(RBACKENDS); do \
-		$(LIBTOOL) $(INSTALL_BIN) -m 700 $$file $(SERVERBIN)/backend; \
+		$(LIBTOOL) $(INSTALL_BIN) -m 744 $$file $(SERVERBIN)/backend; \
 	done
 	for file in $(UBACKENDS); do \
 		$(INSTALL_BIN) $$file $(SERVERBIN)/backend; \
diff --git a/scheduler/cups-deviced.c b/scheduler/cups-deviced.c
index 13efa54ff..9a1b8d3e1 100644
--- a/scheduler/cups-deviced.c
+++ b/scheduler/cups-deviced.c
@@ -268,7 +268,7 @@ main(int  argc,				/* I - Number of command-line args */
     * all others run as the unprivileged user...
     */
 
-    start_backend(dent->filename, !(dent->fileinfo.st_mode & (S_IWGRP | S_IRWXO)));
+    start_backend(dent->filename, !(dent->fileinfo.st_mode & (S_IWGRP | S_IWOTH | S_IXOTH)));
   }
 
   cupsDirClose(dir);
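Review bot: Dropping `S_IROTH` from the mask on the `start_backend` line changes the privilege decision for every file in the backend directory, not only the ones the Makefile installs. A third-party backend with mode 0744 or 0704 ran as the unprivileged user under the old `S_IRWXO` test and is started as root after this change, which deserves a line in the comment above the call (it begins outside the hunk) and in the release notes. The same mask is repeated in the scheduler/job.c hunk (`backroot = ...`), so the two copies can drift apart; a single shared definition such as `#define BACKEND_ROOT_MASK (S_IWGRP | S_IWOTH | S_IXOTH)` (name is only a suggestion) would keep them in step. The visible lines test mode bits only, so it is worth confirming that root ownership of the file (`st_uid == 0`) is verified somewhere before the backend is executed as root.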
diff --git a/scheduler/job.c b/scheduler/job.c
index 86e75e65c..fb599bf8f 100644
--- a/scheduler/job.c
+++ b/scheduler/job.c
@@ -1250,7 +1250,7 @@ cupsdContinueJob(cupsd_job_t *job)	/* I - Job */
       else if (stat(command, &backinfo))
 	backroot = 0;
       else
-        backroot = !(backinfo.st_mode & (S_IWGRP | S_IRWXO));
+        backroot = !(backinfo.st_mode & (S_IWGRP | S_IWOTH | S_IXOTH));
 
       argv[0] = job->printer->sanitized_device_uri;