[Bug 704154] New: /var/log/cups too much permissions?
https://bugzilla.novell.com/show_bug.cgi?id=704154
https://bugzilla.novell.com/show_bug.cgi?id=704154#c0

Summary: /var/log/cups too much permissions?
Classification: openSUSE
Product: openSUSE 12.1
Version: Factory
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Printing
AssignedTo: jsmeix@novell.com
ReportedBy: meissner@novell.com
QAContact: jsmeix@novell.com
CC: security-team@suse.de
Found By: Development
Blocker: ---

ls -la /var/log/cups/
insgesamt 356
drwxr-xr-x  2 lp   lp     4096 15. Jun 22:13 .
drwxr-xr-x 19 root root  12288  6. Jul 16:04 ..
-rw-r--r--  1 root lp     6052 30. Apr 2007 access_log
-rw-r--r--  1 root lp   330731  6. Apr 2010 error_log
-rw-r--r--  1 lp   lp       60 16. Mai 2006 page_log

The world readability could probably be removed, as the logs might contain sensitive data and are not useful for normal users.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=704154#c1
Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=704154#c2
--- Comment #2 from Johannes Meixner
Does anyone know if the ConfigFilePerm works only on cupsd.conf?
It is used for cupsd.conf, config files uploaded via HTTP PUT requests, the remote.cache file, the subscriptions.conf file, and the job.cache file. We don't currently use it for the classes.conf or printers.conf files because of potential security issues (exposed passwords mainly).
https://bugzilla.novell.com/show_bug.cgi?id=704154#c3
Johannes Meixner
Hello,
the CUPS 1.4.6 "configure --help" reads:
-----------------------------------------------------------------------
--with-config-file-perm set default ConfigFilePerm value, default=0640
--with-log-file-perm    set default LogFilePerm value, default=0644
-----------------------------------------------------------------------
I wonder whether world-readable log files might be insecure as the logs might contain sensitive data and in general the logs are probably not useful for normal users.
The default log level is "warning" in recent versions of CUPS. Thus, almost nothing gets logged unless there are issues, and then it is incredibly annoying when you can't look at the log as an ordinary user (I've had to work around various Linux distro choices WRT Apache log permissions, for example) or for automated log processing programs that need access but won't run with the "right" group.
============================================================================

This means:

The defaults (i.e. LogLevel 'warn' plus LogFilePerm 0644) are sufficiently secure. If an admin changes the LogLevel in cupsd.conf, he could add a "LogFilePerm 0640" entry to make log file access more secure if needed in his particular environment.

The problem described is not a bug and according to https://bugzilla.novell.com/page.cgi?id=fields.html#status I close this bug report as invalid.
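The check that comment #3 arrives at, as an added example that is not part of the bug report or of CUPS: it reads a cupsd.conf, applies the defaults quoted in the thread (LogLevel warn, LogFilePerm 0644), and reports when LogLevel is more verbose than warn while LogFilePerm still grants read access to others; it also lists world-readable files in a log directory. The function names and the sample configuration are made up for illustration.

```python
import os
import stat

# CUPS LogLevel values, ordered from least to most verbose.
LEVELS = ["none", "emerg", "alert", "crit", "error", "warn",
          "notice", "info", "debug", "debug2"]


def parse_cupsd_conf(text):
    """Return the effective (LogLevel, LogFilePerm) for a cupsd.conf text.

    Defaults are the ones quoted in the thread: warn and 0644.
    """
    level, perm = "warn", 0o644
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments
        if len(parts) < 2:
            continue
        key = parts[0].lower()  # directive names are case-insensitive
        if key == "loglevel":
            level = parts[1].lower()
        elif key == "logfileperm":
            perm = int(parts[1], 8)  # octal mode, e.g. 0640
    return level, perm


def verbose_and_world_readable(text):
    """True when LogLevel is above warn and logs stay readable by 'other'."""
    level, perm = parse_cupsd_conf(text)
    # An unrecognised level is not flagged here; cupsd itself would reject it.
    verbose = level in LEVELS and LEVELS.index(level) > LEVELS.index("warn")
    return verbose and bool(perm & stat.S_IROTH)


def world_readable_logs(log_dir):
    """Names of regular files in log_dir that have the 'other read' bit set."""
    hits = []
    for name in sorted(os.listdir(log_dir)):
        st = os.lstat(os.path.join(log_dir, name))
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
            hits.append(name)
    return hits


if __name__ == "__main__":
    sample = "LogLevel debug\n# LogFilePerm 0640\n"  # constructed sample
    print(parse_cupsd_conf(sample), verbose_and_world_readable(sample))
    if os.path.isdir("/var/log/cups"):
        print(world_readable_logs("/var/log/cups"))
```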
https://bugzilla.novell.com/show_bug.cgi?id=704154#c4
--- Comment #4 from Johannes Meixner
https://bugzilla.novell.com/show_bug.cgi?id=704154#c5
Michael Meeks
https://bugzilla.novell.com/show_bug.cgi?id=704154#c6
--- Comment #6 from Johannes Meixner