2014-06-20 20:50 GMT+09:00 Christian Boltz
Am Freitag, 20. Juni 2014 schrieb Ludwig Nussel:
1xx wrote:
I want the "cups-pdf" to go into official repository.
CUPS-PDF is a PDF writer backend for CUPS. Official site: http://www.cups-pdf.de/
Uh, it runs as root and writes into directories owned by some user? Better ask security to take a look.
Does it at least write to a "hardcoded" location (for example ~/cupspdf) in the user's home directory?
If yes, shipping it with an AppArmor profile would be a good idea. (If needed, I can help you to fine-tune the profile, however I'm too busy at the moment. I'll have more time in July - at least I hope so ;-)
Even if the output directory is user-configurable, having an AppArmor profile could help to avoid access to security-critical files - but of course a restriction like "only allow write access in ~/cupspdf" is much more secure.
By default, CUPS-PDF outputs to /var/spool/cups-pdf/.
mitsutoshi@linux-3br4:/var/spool/cups-pdf> LANG=C ls -la
total 16
drwxr-xr-x 4 root root 4096 Jun 15 15:15 .
drwxr-xr-x 15 root root 4096 Jun 15 15:09 ..
drwxr-x--x 2 root lp 4096 Jun 15 15:15 SPOOL
drwx------ 2 mitsutoshi users 4096 Jun 15 15:15 mitsutoshi
We can customize it in "/etc/cups/cups-pdf.conf".
Ubuntu customizes it to "{$HOME}/PDF".
Fedora customizes it to "{$DESKTOP}".
The openSUSE's "Printing/cups-pdf" uses default.
I think that "maintenance of the status quo" is desirable.
Because many users have already used "Printing/cups-pdf".
Thanks.
--
1xx