AppArmor rules for CUPS seems to be too restrictive

Bug #132969 reported by Alexander Nofftz
Affects             Status        Importance   Assigned to   Milestone
apparmor (Ubuntu)   Invalid       Undecided    Unassigned    -
cupsys (Ubuntu)     Fix Released  Undecided    Martin Pitt   -

Bug Description

Binary package hint: cupsys

Seems that the AppArmor rules for CUPS are too restrictive:

$ tail /var/log/syslog
Aug 16 18:05:41 laotse kernel: [ 4350.136178] audit(1187280341.702:73): REJECTING x access to /usr/bin/env (sh(10382) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 18:07:07 laotse kernel: [ 4435.343839] audit(1187280426.707:74): REJECTING x access to /usr/bin/printf (bash(10442) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 18:07:07 laotse kernel: [ 4435.345857] audit(1187280426.707:75): REJECTING r access to /usr/bin/printf (bash(10442) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 18:07:07 laotse kernel: [ 4435.348943] audit(1187280426.707:76): REJECTING x access to /bin/cat (bash(10443) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 18:07:07 laotse kernel: [ 4435.350137] audit(1187280426.707:77): REJECTING r access to /bin/cat (bash(10443) profile /usr/sbin/cupsd active /usr/sbin/cupsd)

After adding these lines to /etc/apparmor.d/usr.sbin.cupsd everything works for me:

  /etc/papersize r,
  /usr/bin/printf ixr,
  /bin/cat ixr,
  /usr/bin/env ixr,
  /usr/bin/

I'm using a Kyocera FS-1010 (PostScript laser printer).

description: updated
Changed in apparmor:
status: New → Confirmed
Changed in cupsys:
status: New → Confirmed
description: updated
description: updated
Matt Zimmerman (mdz) wrote :

I see some errors as well, though I think it is perfectly reasonable to prevent cups from accessing these:

Aug 16 15:55:15 localhost kernel: [11674.312000] audit(1187276115.276:13): REJECTING access to capability 'dac_override' (cupsd(11088) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 15:55:15 localhost kernel: [11674.312000] audit(1187276115.276:14): REJECTING access to capability 'dac_read_search' (cupsd(11088) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 15:55:18 localhost kernel: [11676.852000] audit(1187276117.776:15): REJECTING w access to /etc/printcap (cupsd(11088) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 15:55:18 localhost kernel: [11677.248000] audit(1187276118.276:16): REJECTING w access to /dev/tty (cupsd(11088) profile /usr/sbin/cupsd active /usr/sbin/cupsd)

Stefan Fleiter (stefan-fleiter) wrote :

I have the rejection which is triggered by having installed the package resolvconf:
Aug 17 22:59:50 localhost kernel: [ 1820.513089] audit(1187384389.891:25): REJECTING r access to /var/run/resolvconf/resolv.conf (cupsd(13070) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Should this be allowed for all packages which may use DNS?

Mathias Gug (mathiaz) wrote : Re: [Bug 132969] Re: AppArmor rules for CUPS seems to be too restrictive

On Fri, Aug 17, 2007 at 11:27:12PM -0000, Stefan Fleiter wrote:
> I have the rejection which is triggered by having installed the package resolvconf:
> Aug 17 22:59:50 localhost kernel: [ 1820.513089] audit(1187384389.891:25):
> REJECTING r access to /var/run/resolvconf/resolv.conf (cupsd(13070) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
> Should this be allowed for all packages which may use DNS?
>
This has already been reported and added to the nameservice abstractions.

--
Mathias

Martin Pitt (pitti) wrote :

The messages in Alexander's original post are already fixed in the latest cups. Keeping open for the /etc/printcap issue, cups should be able to write that.

Changed in apparmor:
status: Confirmed → Invalid
Changed in cupsys:
assignee: nobody → pitti
status: Confirmed → In Progress
Martin Pitt (pitti) wrote :

cupsys (1.3.0-3ubuntu1) gutsy; urgency=low

  * Merge bugfixes from Debian.
  * debian/local/apparmor-profile: Allow dac_override for now; this is
    slightly nasty, but cups chowns a lot of files (e. g. in
    /var/spool/cups/tmp) to 'lp' and thus cannot read/write them any more
    afterwards. Since we confine file access pretty tightly, this should not
    be much of a problem. (LP: #133015)
  * debian/local/apparmor-profile: cupsd should manage /etc/printcap.
    (LP: #132969)

cupsys (1.3.0-3) unstable; urgency=low

  [ Martin Pitt ]
  * debian/control: Allow 'ghostscript' as alternative dependency to gs-esp.
  * debian/cupsys.dirs: Create /usr/lib/cups/backend/ (regression from the big
    debian/rules cleanup). (closes: #438432)
  * debian/cupsys.preinst: Bump the version comparison for the file owner
    cleanup, since some log files were still left as owned by 'cupsys' until
    #437536 was fixed.
  * debian/cupsys-common.files: Do not install the .po files, cups does not
    use them at runtime. (closes: #438625)

  [ Till Kamppeter ]
  * debian/local/postscript.ppd: New generic PostScript PPD file for
    unknown PostScript printers added.

 -- Martin Pitt <email address hidden> Tue, 21 Aug 2007 07:48:34 +0200

Changed in cupsys:
status: In Progress → Fix Released
Bruce Cowan (bruce89-deactivatedaccount) wrote :

Administration through the web interface (http://localhost:631/) is no longer possible.

/var/log/messages has this line (as well as others):

Sep 18 23:39:01 Scooby-Doo kernel: [ 1014.585666] audit(1190155141.275:4): operation="inode_permission" requested_mask="x" denied_mask="x" name="/usr/lib/cups/cgi-bin/printers.cgi" pid=6989 profile="/usr/sbin/cupsd"

Changed in cupsys:
status: Fix Released → Confirmed
Stefan Fleiter (stefan-fleiter) wrote :

Verified fixed with cupsys 1.3.2-1ubuntu1.

Changed in cupsys:
status: Confirmed → Fix Released
Christian Kirbach (christian-kirbach-e) wrote :

FYI, I just came across this problem - it does not look solved to me

[13091.864000] audit(1198502239.097:13): type=1503 operation="inode_permission" requested_mask="rw" denied_mask="rw" name="/dev/tty" pid=10801 profile="/usr/sbin/cupsd"

nazgul@dragonscale:~$ dpkg -l cupsys*
+++-=====================-=====================-==========================================================
ii cupsys 1.3.2-1ubuntu7.1 Common UNIX Printing System(tm) - server
ii cupsys-bsd 1.3.2-1ubuntu7.1 Common UNIX Printing System(tm) - BSD commands
ii cupsys-client 1.3.2-1ubuntu7.1 Common UNIX Printing System(tm) - client programs (SysV)
ii cupsys-common 1.3.2-1ubuntu7.1 Common UNIX Printing System(tm) - common files
ii cupsys-driver-gimppri 5.0.1-0ubuntu8 printer drivers for CUPS
un cupsys-driver-gimppri <none> (no description available)
ii cupsys-driver-gutenpr 5.0.1-0ubuntu8 printer drivers for CUPS

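The thread shows two wordings of the same AppArmor denial: the older "REJECTING <mode> access to <path> (... profile <p> active <p>)" syslog lines in the original report and in Matt Zimmerman's comment, and the later key="value" form (operation="inode_permission" ... denied_mask="x" name="..." profile="...") in Bruce Cowan's and Christian Kirbach's comments. The following is an added example, not code from the CUPS or AppArmor projects (the stock tool for this job is aa-logprof from apparmor-utils): it parses both wordings, merges the denied modes per path and per profile, and emits candidate profile rules, following the reporter's fix in writing exec denials as `ixr`. The sample log is built from lines copied out of this report plus one unrelated kernel line. The review heuristics (always flag capability grants, flag writes under /dev/, flag write+exec on one path) are this example's own policy, taken from the points Matt Zimmerman and Martin Pitt make above about dac_override and /dev/tty; the regular expressions are modelled only on the lines visible here.

```python
import re
from collections import defaultdict

# --- Two AppArmor denial wordings seen in this bug ----------------------------
# 1) the older "REJECTING" syslog form from the original report, e.g.
#    REJECTING x access to /usr/bin/env (sh(10382) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
#    REJECTING access to capability 'dac_override' (cupsd(11088) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
OLD_FILE = re.compile(
    r"REJECTING (?P<mode>[a-z]+) access to (?P<path>\S+) "
    r"\((?P<comm>[^()]+)\((?P<pid>\d+)\) profile (?P<profile>\S+) active (?P<active>\S+)\)"
)
OLD_CAP = re.compile(
    r"REJECTING access to capability '(?P<cap>[a-z_]+)' "
    r"\((?P<comm>[^()]+)\((?P<pid>\d+)\) profile (?P<profile>\S+) active (?P<active>\S+)\)"
)
# 2) the key="value" form from the later comments, e.g.
#    operation="inode_permission" requested_mask="x" denied_mask="x" name="/usr/lib/cups/cgi-bin/printers.cgi" pid=6989 profile="/usr/sbin/cupsd"
NEW_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

FILE_MODE_ORDER = "rwlkm"  # order the letters are conventionally written in a profile


def parse_denial(line):
    """Return a dict describing one denial, or None if the line is not a denial."""
    m = OLD_CAP.search(line)
    if m:
        return {"kind": "capability", "name": m["cap"], "profile": m["profile"]}
    m = OLD_FILE.search(line)
    if m:
        return {"kind": "file", "name": m["path"], "mode": set(m["mode"]), "profile": m["profile"]}
    kv = {k: q or u for k, q, u in NEW_KV.findall(line)}
    if kv.get("operation") == "inode_permission" and "name" in kv and "denied_mask" in kv:
        return {"kind": "file", "name": kv["name"], "mode": set(kv["denied_mask"]),
                "profile": kv.get("profile", "unknown")}
    return None


def file_rule(path, modes):
    """Turn the merged set of denied mode letters for one path into a rule plus review notes."""
    notes = []
    if "x" in modes:
        # Follow the reporter's fix: inherit-exec plus read, so the helper (sh, cat, printf, ...)
        # stays confined by the cupsd profile. px (own profile) or ux (unconfined) are deliberate
        # decisions for a human, never a generator default.
        perm = "ixr"
        if "w" in modes:
            notes.append("write and exec on the same path")
    else:
        perm = "".join(c for c in FILE_MODE_ORDER if c in modes)
    if path.startswith("/dev/") and "w" in modes:
        # Matt Zimmerman's point in the thread: cupsd writing to /dev/tty is a denial worth keeping.
        notes.append("write access under /dev/")
    return f"{path} {perm},", notes


def suggest_rules(lines):
    """Merge all denials per profile; return {profile: [(rule_text, review_notes), ...]}."""
    files = defaultdict(lambda: defaultdict(set))  # profile -> path -> set of mode letters
    caps = defaultdict(set)                         # profile -> capability names
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        if d["kind"] == "capability":
            caps[d["profile"]].add(d["name"])
        else:
            files[d["profile"]][d["name"]] |= d["mode"]
    out = {}
    for profile in sorted(set(files) | set(caps)):
        rules = []
        for cap in sorted(caps[profile]):
            # A capability is process-wide, not path-scoped; the changelog above calls granting
            # dac_override "slightly nasty" for exactly that reason, so always flag it for review.
            rules.append((f"capability {cap},", ["capability grant is not path-scoped"]))
        for path in sorted(files[profile]):
            rules.append(file_rule(path, files[profile][path]))
        out[profile] = rules
    return out


def render(suggestions):
    """Render suggestions as profile lines; review notes become comments above the rule."""
    text = []
    for profile, rules in suggestions.items():
        text.append(f"# suggested additions for profile {profile}")
        for rule, notes in rules:
            text.extend(f"  # REVIEW: {n}" for n in notes)
            text.append(f"  {rule}")
    return "\n".join(text)


# Constructed sample: lines copied from this bug report, plus one unrelated kernel line.
SAMPLE_LOG = """\
Aug 16 18:05:41 laotse kernel: [ 4350.136178] audit(1187280341.702:73): REJECTING x access to /usr/bin/env (sh(10382) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 18:07:07 laotse kernel: [ 4435.343839] audit(1187280426.707:74): REJECTING x access to /usr/bin/printf (bash(10442) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 18:07:07 laotse kernel: [ 4435.345857] audit(1187280426.707:75): REJECTING r access to /usr/bin/printf (bash(10442) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 15:55:15 localhost kernel: [11674.312000] audit(1187276115.276:13): REJECTING access to capability 'dac_override' (cupsd(11088) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 15:55:18 localhost kernel: [11676.852000] audit(1187276117.776:15): REJECTING w access to /etc/printcap (cupsd(11088) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Sep 18 23:39:01 Scooby-Doo kernel: [ 1014.585666] audit(1190155141.275:4): operation="inode_permission" requested_mask="x" denied_mask="x" name="/usr/lib/cups/cgi-bin/printers.cgi" pid=6989 profile="/usr/sbin/cupsd"
[13091.864000] audit(1198502239.097:13): type=1503 operation="inode_permission" requested_mask="rw" denied_mask="rw" name="/dev/tty" pid=10801 profile="/usr/sbin/cupsd"
Aug 16 18:07:07 laotse kernel: [ 4435.343839] audit(1187280426.707:78): some unrelated kernel message
"""

if __name__ == "__main__":
    print(render(suggest_rules(SAMPLE_LOG.splitlines())))
```

The two "printf" denials (x and r) collapse into a single `/usr/bin/printf ixr,` line, which is what the reporter ended up adding by hand, while `capability dac_override,` and `/dev/tty rw,` come out preceded by a REVIEW comment instead of being silently allowed; the point is that a denial log tells you what the confined process tried, not whether it should be permitted.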
Christian Kirbach (christian-kirbach-e) wrote :

purging /etc/cups/ did remedy - ignore last comment
