Date: Fri, 12 Jan 2001 15:53:25 +0100 From: Andreas Klemm <andreas@apsfilter.org> To: Garance A Drosihn <drosih@rpi.edu> Cc: Andreas Klemm <andreas@klemm.gtn.com>, Ilya Martynov <m_ilya@agava.com>, gad@FreeBSD.ORG, apsfilter-current@apsfilter.org, freebsd-stable@FreeBSD.ORG, Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, apsfilter-devel@apsfilter.org Subject: Re: printer spooldirs wrong owner ?? (was Re: Fixes for apsfilter-current-09.12.2000 (printing via smbclient) ) Message-ID: <20010112155325.A8649@titan.klemm.gtn.com> In-Reply-To: <p04330101b65f00ad0074@[128.113.24.47]>; from drosih@rpi.edu on Thu, Dec 14, 2000 at 06:13:01PM -0500 References: <Pine.BSF.4.21.0012121733120.6551-100000@juil.domain> <Pine.BSF.4.21.0012131526120.32512-100000@juil.domain> <20001214080622.A11433@titan.klemm.gtn.com> <p04330101b65f00ad0074@[128.113.24.47]>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Dec 14, 2000 at 06:13:01PM -0500, Garance A Drosihn wrote: > At 8:06 AM +0100 12/14/00, Andreas Klemm wrote: > >On Wed, Dec 13, 2000 at 03:35:51PM +0300, Ilya Martynov wrote: > > > P.S. I forgot about another problem I meet while setting up > > > printing. SETUP creates smbclient.conf that is not readble > > > by lpd. For me it was created as: > > > > >> -rw------- 1 root daemon 156 Dec 12 16:41 smbclient.conf > >> > >> to make printing work I had to chmod g+r on it. > > > >I think this is an inconsistency in FreeBSD ... > > > >The filterscript (forked by llpd) runs under permissions > >daemon.wheel, but the spooldirs in FreeBSD by default are > >created with permissions root.daemon. > > > >I think this could easily be fixed, if you would > > chown -R dameon.wheel /var/spool/lpd > >and during apsfilter SETUP you should take care that owner > >and group are now setup right to match daemon.wheel. > > > >[ Cc'd to freebsd-stable ] > > > >What do the lpd maintaining authorities in FreeBSD say ? > > I haven't thought about permissions enough to say I have a > strong opinion on it, but my gut-level feeling is that the > spool directories are created with the right owner+group > (ie, root+daemon). > > What I don't understand here is what that has to do with > smbclient.conf. Well, the file contains passwords. So I have to protect it. I thought I could simply "clone" the permissions of the spool directory /var/spool/lpd. On the first glance it looked reasonable. drwxr-xr-x 3 root daemon 512 9 Jan 14:54 /var/spool/lpd So I choosed 600 root.daemon for the smbclient.conf file. But bad luck, the input filter runs with other permissions (other owner -> root) and therefore was unable to read the smbclient config file. When printing a job to a remote printer, you'll also notice, that files are created with owner root ... So, on remote printing you have owner root, whereas a local input filter runs with owner daemon. This confuses me somehow ... It would be fine, if the permissions of the spooldir would reflect owner and group under which lpd *always* runs, including scripts. This would make it easier to understand, what privileges are in use and for script writers it would be easier to choose the proper permissions. On the other hand I don't want you to do changes, that break compatibility in any way ... I'd really appreciate, if people, who know lpd code a little could tell me, if things have to be, as they are or if it would be useful, to have uniq permissions, no matter if we have to deal with remote print jobs or running input filters ... Andreas /// -- Andreas Klemm Apsfilter Homepage http://www.apsfilter.org Support over mailing-lists (only!) http://www.apsfilter.org/support Mailing-list archive http://www.apsfilter.org/Lists-Archives To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010112155325.A8649>