Red Hat Bugzilla – Bug 830630
Unable to create file in /tmp directory while using cups service when PrivateTmp = True
Last modified: 2012-07-18 08:36:55 EDT
Description of problem:
We are Unable to create file in /tmp directory while using cups service when PrivateTmp = True. In HPLIP we need to have an intermediate file or log file for debugging purpose, Please let us know how can we create files now because all the file creation command like fopen,open,mkstmp are failing if PrivateTmp = True
Version-Release number of selected component (if applicable): Fedora 17
Try to create a file in any of the custom cups filters like hpcups , hpcupsfax it will fail.
Steps to Reproduce:
1.Create custom filter or use hpcups.
2.Try to create file in /tmp directory in this filter.
3.Do a print or fax job which makes use of this filter.
4.The file creation will fail.
File creation will fail in /tmp
File creation should pass.
So is this SELinux related or is this a user process trying to reach a filter created on /tmp by a process started by cups?
(In reply to comment #1)
> So is this SELinux related or is this a user process trying to reach a
> filter created on /tmp by a process started by cups?
Hpcups is a child process created by cups daemon, it is similar to in-built cups filters ,pdftops,gstoraster,pstops etc.. hpcups,pstoraster,pdftops etc. are all separate executables. cups daemon invokes these executables while converting print or fax job data from one format to another.
But if they are run within the same namespace as cups they should work fine with private /tmp?
I am not able to reproduce the problem.
I used hpijs-3.12.6-1.fc17.x86_64 and an HP PSC 2210, configured with "HP PSC 2200 Series, hpcups 3.12.6".
Printing works fine normally.
To turn on debug saving of PCL output I added "hpLogLevel 2" to /etc/cups/cupsd.conf.
strace of the running hpcups process reveals that open(), chmod(), etc all work with no error on the file in /tmp.
Of course, as /tmp is in a private namespace, other process (such as the operator's shell) will not be able to read this file.
I suggest putting that file in $TMPDIR instead of /tmp (so that /var/spool/cups/tmp is used), or -- as this is for debugging purposes only -- changing PrivateTmp to false in cups.service when debugging.
(In reply to comment #3)
> But if they are run within the same namespace as cups they should work fine
> with private /tmp?
If there is any documentation on Private Tmp feature can you please share with me. I like to know more on this . Googling did not give me much information on this feature.
(In reply to comment #6)
Thank you for the links. They were helpful to understand the PrivateTmp feature.
I went through the source code of systemd-44 to understand the implementation of it for the system services.
As to my understanding systemd (system and service manager) starts several services on start up and it check in the daemon service file if the privateTmp attibute is true or false for that service. When PrivateTmp = true systemd will create "/tmp/systemd-namespace-XXXXX/private" directory for that daemon process (e.g cups)which is private for that process and user will not have access to look into the system services private directory.
Its a very good security feature to prevent user from breaching into the private data of the system services (e.g cups).
My doubt here is how will the system services (e.g cups, udev, ssh) will get know where to dump there private data. I explored the cups-1.5.3 source code and could see that cups always uses TMPDIR env variable which is set to always "/var/spool/cups/tmp" directory to dump its temporary data.
In that case cups is not making use of the "/tmp/systemd-namespace-XXXX/private" directory.
My question is how will the hpcups process ( which is invoked by cups) will know which one of the " systemd-namespace-XXXX/private " in /tmp is the private directory of the cups to dump the output files or log files ?
My apology if my understanding about private tmp is wrong.
I am just a learner and still exploring. I am looking for how i can leverage this feature for hpcups process invoked by cups when given a print job to cups.
Please help me with this regard to understand more.
Either location is fine. Using "PrivateTmp" avoids the problem of having applications that hard-code "/tmp/XXXXX" and create those files insecurely.
The permissions on /var/spool/cups/tmp are secure and prevent tmpdir-style denial of service and symlink attacks by local users. Additionally, files there may be retained for longer to allow for debugging output.
I recommend hplip uses $TMPDIR.