Bug 974462
| Summary: | Fedora19:beta:cups with FileDevice=yes is not working | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | IBM Bug Proxy <bugproxy> | ||||
| Component: | cups | Assignee: | Tim Waugh <twaugh> | ||||
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 19 | CC: | jkachuck, jpopelka, twaugh, wgomerin | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | ppc64 | ||||||
| OS: | All | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2013-06-14 10:16:37 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
IBM Bug Proxy
2013-06-14 08:44:33 UTC
Created attachment 761153 [details]
error_log
The CUPS scheduler, and its filters and backends, runs with the systemd setting 'PrivateTmp=yes' for more robust defense against temporary file vulnerabilities.
$ systemctl show cups.service | grep PrivateTmp
PrivateTmp=yes
From the systemd.exec(5) man page:
PrivateTmp=
Takes a boolean argument. If true sets up a new file system
namespace for the executed processes and mounts private /tmp and
/var/tmp directories inside it, that are not shared by processes
outside of the namespace. This is useful to secure access to
temporary files of the process, but makes sharing between processes
via /tmp or /var/tmp impossible. All temporary data created by
service will be removed after service is stopped. Defaults to
false.
If you need to have cupsd write to /tmp and be able to read that from other processes, set PrivateTmp=no for cups.service. For more information on how to achieve this, see:
http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F
------- Comment From sanpatr1.com 2013-06-14 15:00 EDT------- (In reply to comment #6) > The CUPS scheduler, and its filters and backends, runs with the systemd > setting 'PrivateTmp=yes' for more robust defense against temporary file > vulnerabilities. > > $ systemctl show cups.service | grep PrivateTmp > PrivateTmp=yes > > From the systemd.exec(5) man page: > PrivateTmp= > Takes a boolean argument. If true sets up a new file system > namespace for the executed processes and mounts private /tmp and > /var/tmp directories inside it, that are not shared by processes > outside of the namespace. This is useful to secure access to > temporary files of the process, but makes sharing between processes > via /tmp or /var/tmp impossible. All temporary data created by > service will be removed after service is stopped. Defaults to > false. > > If you need to have cupsd write to /tmp and be able to read that from other > processes, set PrivateTmp=no for cups.service. For more information on how > to achieve this, see: > http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file. > 2F_add_a_custom_unit_file.3F Thanks very much, the solution works. In this case if you can mention about PrivateTmp=yes setting for systemd setting of cups in the documentation page http://fedoraproject.org/wiki/Features/CUPS1.6, then this would be well and good. As this is completely new and nice feature, so user should aware of this as a security feature and get the confidence how secured the cups is. |