Bug 830630 - Unable to create file in /tmp directory while using cups service when PrivateTmp = True
Unable to create file in /tmp directory while using cups service when Private...
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: cups (Show other bugs)
17
All Linux
unspecified Severity urgent
: ---
: ---
Assigned To: Tim Waugh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-06-10 23:53 EDT by Goutam Kodu
Modified: 2012-07-18 08:36 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-22 07:24:24 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Goutam Kodu 2012-06-10 23:53:49 EDT
Description of problem: 

We are Unable to create file in /tmp directory while using cups service when PrivateTmp = True. In HPLIP we need to have an intermediate file or log file for debugging purpose, Please let us know how can we create files now because all the file creation command like fopen,open,mkstmp are failing if PrivateTmp = True

Version-Release number of selected component (if applicable): Fedora 17


How reproducible:

Try to create a file in any of the custom cups filters like hpcups , hpcupsfax it will fail. 


Steps to Reproduce:
1.Create custom filter or use hpcups.
2.Try to create file in /tmp directory in this filter.
3.Do a print or fax job which makes use of this filter.
4.The file creation will fail.
  
Actual results:

File creation will fail in /tmp


Expected results:

File creation should pass.


Additional info:
Comment 1 Daniel Walsh 2012-06-11 09:46:40 EDT
So is this SELinux related or is this a user process trying to reach a filter created on /tmp by a process started by cups?
Comment 2 Goutam Kodu 2012-06-12 00:04:49 EDT
(In reply to comment #1)
> So is this SELinux related or is this a user process trying to reach a
> filter created on /tmp by a process started by cups?

Hpcups is a child process created by cups daemon, it is similar to in-built cups filters ,pdftops,gstoraster,pstops etc.. hpcups,pstoraster,pdftops etc. are all separate executables. cups daemon invokes these executables while converting print or fax job data from one format to another.
Comment 3 Daniel Walsh 2012-06-13 17:38:17 EDT
But if they are run within the same namespace as cups they should work fine with private /tmp?
Comment 4 Tim Waugh 2012-06-22 07:24:24 EDT
I am not able to reproduce the problem.

I used hpijs-3.12.6-1.fc17.x86_64 and an HP PSC 2210, configured with "HP PSC 2200 Series, hpcups 3.12.6".

Printing works fine normally.

To turn on debug saving of PCL output I added "hpLogLevel 2" to /etc/cups/cupsd.conf.

strace of the running hpcups process reveals that open(), chmod(), etc all work with no error on the file in /tmp.

Of course, as /tmp is in a private namespace, other process (such as the operator's shell) will not be able to read this file.

I suggest putting that file in $TMPDIR instead of /tmp (so that /var/spool/cups/tmp is used), or -- as this is for debugging purposes only -- changing PrivateTmp to false in cups.service when debugging.
Comment 5 Goutam Kodu 2012-07-04 09:38:07 EDT
(In reply to comment #3)
> But if they are run within the same namespace as cups they should work fine
> with private /tmp?

Hi Daniel,

If there is any documentation on Private Tmp feature can you please share with me. I like to know more on this . Googling did not give me much information on this feature.

Regards,
Goutam
Comment 7 Goutam Kodu 2012-07-16 06:52:07 EDT

(In reply to comment #6)
> http://danwalsh.livejournal.com/51459.html
> https://fedoraproject.org/wiki/Features/ServicesPrivateTmp
> http://0pointer.de/blog/projects/security.html

Hi Daniel,

Thank you for the links. They were helpful to understand the PrivateTmp feature.
I went through the source code of systemd-44 to understand the implementation of it for the system services. 

As to my understanding systemd (system and service manager) starts several services on start up and it check in the daemon service file if the privateTmp attibute is true or false for that service. When PrivateTmp = true systemd will create "/tmp/systemd-namespace-XXXXX/private" directory for that daemon process (e.g cups)which is private for that process and user will not have access to look into the system services private directory. 

Its a very good security feature to prevent user from breaching into the private data of the system services (e.g cups).

My doubt here is how will the system services (e.g cups, udev, ssh) will get know where to dump there private data. I explored the cups-1.5.3 source code and could see that cups always uses TMPDIR env variable which is  set to always "/var/spool/cups/tmp" directory to dump its temporary data.

In that case cups is not making use of the "/tmp/systemd-namespace-XXXX/private" directory. 

My question is how will the hpcups process ( which is invoked by cups) will know which one of the " systemd-namespace-XXXX/private " in /tmp  is the private directory of the cups to dump the output files or log files ?

My apology if my understanding about private tmp is wrong.
I am just a learner and still exploring. I am looking for how i can leverage this feature for hpcups process invoked by cups when given a print job to cups.

Please help me with this regard to understand more.


Regards,
Goutam
Comment 8 Tim Waugh 2012-07-18 08:36:55 EDT
Either location is fine.  Using "PrivateTmp" avoids the problem of having applications that hard-code "/tmp/XXXXX" and create those files insecurely.

The permissions on /var/spool/cups/tmp are secure and prevent tmpdir-style denial of service and symlink attacks by local users. Additionally, files there may be retained for longer to allow for debugging output.

I recommend hplip uses $TMPDIR.

Note You need to log in before you can comment on or make changes to this bug.