101573 – cups requires dbus

Bug 101573 - cups requires dbus

Summary: cups requires dbus

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Red Hat Linux Beta
Classification:	Retired
Component:	cups
Sub Component:
Version:	beta1
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Tim Waugh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2003-08-04 08:54 UTC by John Eckerdal
Modified:	2007-04-18 16:56 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2003-10-09 11:31:35 UTC
Embargoed:

Attachments	(Terms of Use)

Description John Eckerdal 2003-08-04 08:54:10 UTC

From Bugzilla Helper:
User-Agent: Opera/7.11 (Windows NT 5.0; U)  [en]

Description of problem:
When I tried to install the new cups package I noticed that it requires dbus. Is 
there a specific reason for this?

Requiring dbus also means that cups will require XFree86-libs, which in turn 
will require XFree86-libs-data, XFree86-Mesa-libGL and fontconfig, since dbus 
requires XFree86 libs to be installed (and
XFree86-libs requires these RPM:s).
I do not wish to have X (or the X libraries) installed on a server in the 
future.

The dbus requirement is something Red Hat has decided to add since it is not 
present (as far as I can see) in the original cups distribution. The cupsd 
daemon is now linked agains dbus.

Has the dbus package been audited? cupsd runs as root, atleast it did in 
version 1.1.17...
Does the dbus libraries itself require X-libs or is it just the helper programs?

Version-Release number of selected component (if applicable):
cups-1.1.19-8-i386.rpm

How reproducible:
Always

Steps to Reproduce:
1. Download cups-1.1.19-8.i386.rpm
2. rpm -Uvh cups-1.1.19-8.i386.rpm
3.
    

Actual Results:  Requirements on cups-libs-1.1.19-8.i386.rpm and dbus where 
show.

Expected Results:  Only requirements for cups-libs-1.1.19-8.i386.rpm

Additional info:

Comment 1 Tim Waugh 2003-08-04 08:56:43 UTC

DBUS is used for helping the desktop print icon do its job.

hp: plans for auditing it?

Comment 2 Havoc Pennington 2003-08-04 14:27:45 UTC

dbus doesn't require xlib, but there are extra libs/tools in the dbus package
that do. I can split the dbus package apart.

cups will actually run without dbus, just won't send out the notifications. So 
one approach might be to just don't list that dependency and add the dep to 
desktop-printing instead.

dbus hasn't been audited yet but runs as a completely nonprivileged user (owns
no files on the filesystem, has no shell), only listens on local sockets, and 
is written in a paranoid/security-aware fashion. Still it is true that *if* 
the dbus daemon is running, and you crack dbus in a couple of different places,
you may be able to break into the cups daemon (if you already have 
a local account; dbus adds no remote risk that I'm aware of).

Comment 3 Tim Waugh 2003-08-04 14:39:57 UTC

The dependency is for the shared library libdbus-1.so.0; it's not something
listed in the spec file.

It might be a good thing to split out whatever requires libX11.so* from the dbus
binary RPM, to avoid cups requiring it transitively.

Comment 4 Tim Waugh 2003-10-09 11:31:35 UTC

This has been done now I think.

Note You need to log in before you can comment on or make changes to this bug.