Date:      Fri, 15 Dec 2000 07:54:21 +0100
From:      Andreas Klemm <andreas@klemm.gtn.com>
To:        Garance A Drosihn <drosih@rpi.edu>
Cc:        Andreas Klemm <andreas@klemm.gtn.com>, Ilya Martynov <m_ilya@agava.com>, gad@FreeBSD.ORG, apsfilter-current@apsfilter.org, freebsd-stable@FreeBSD.ORG, Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Subject:   Re: printer spooldirs wrong owner ?? (was Re: Fixes for apsfilter-current-09.12.2000 (printing via smbclient) )
Message-ID:  <20001215075421.A13293@titan.klemm.gtn.com>
In-Reply-To: <p04330101b65f00ad0074@[128.113.24.47]>; from drosih@rpi.edu on Thu, Dec 14, 2000 at 06:13:01PM -0500
References:  <Pine.BSF.4.21.0012121733120.6551-100000@juil.domain> <Pine.BSF.4.21.0012131526120.32512-100000@juil.domain> <20001214080622.A11433@titan.klemm.gtn.com> <p04330101b65f00ad0074@[128.113.24.47]>

On Thu, Dec 14, 2000 at 06:13:01PM -0500, Garance A Drosihn wrote:
> At 8:06 AM +0100 12/14/00, Andreas Klemm wrote:
> >On Wed, Dec 13, 2000 at 03:35:51PM +0300, Ilya Martynov wrote:
> >  > P.S. I forgot about another problem I met while setting up
> >  > printing. SETUP creates smbclient.conf that is not readable
> >  > by lpd. For me it was created as:
> >  >
> >  >  -rw-------  1 root  daemon  156 Dec 12 16:41 smbclient.conf
> >  >
> >  >  To make printing work I had to chmod g+r on it.
> >
> >I think this is an inconsistency in FreeBSD ...
> >
> >The filterscript (forked by lpd) runs under permissions
> >daemon.wheel, but the spooldirs in FreeBSD by default are
> >created with permissions root.daemon.
> >
> >I think this could easily be fixed, if you would
> >	chown -R daemon.wheel /var/spool/lpd
> >and during apsfilter SETUP you should take care that owner
> >and group are now set up right to match daemon.wheel.
> >
> >[ Cc'd to freebsd-stable ]
> >
> >What do the lpd maintaining authorities in FreeBSD say ?
> 
> I haven't thought about permissions enough to say I have a
> strong opinion on it, but my gut-level feeling is that the
> spool directories are created with the right owner+group
> (ie, root+daemon).

I inserted an echo "bla" > /tmp/xxxx into apsfilter
(lineprinter input filter).

The permissions of the resulting file were
daemon.wheel and not root.daemon like the spooldirs have
as default.

When printing to a Windows remote printer using smbclient
we need to store Windows logins and passwords into the
smbclient.conf file.

Therefore we wanted the best protection for the file.
So we made the file owned by root and readable only by root.

Well, apsfilter is unable to read smbclient.conf, since
lpd lets the if run under daemon UID ...

So I thought, the permissions of the spooldirs are a bit
misleading or maybe wrong.

The question is: if lpd runs locally under UID "daemon",
why do the spooldirs not belong to the same UID ???

I had no idea in the past how apsfilter's SETUP script
could check under which permissions lpd runs, to create
spooldirs with proper permissions.

Therefore I use UID and GID of /var/spool/lpd, if present.
And this UID and GID value is also used for the smbclient.conf
file.

Well, and this fails ...

What irritates me a bit is that ps -l tells me that lpd runs
with UID 0 = root. But in fact the :if: runs as daemon.wheel.

So for me the confusion is now ...
a) why is it not safe to choose UID and GID of spooldirs in the
   hope to get proper permissions for protecting files needed
   at runtime of input filters ?

b) To follow up on a): are lpd's spooldirs wrong in lpd ?
   If not, why not ?

Thanks for helping me improve apsfilter (or BSD) !

Best regards

	Andreas ///


-- 
Andreas Klemm                                           Powered by FreeBSD SMP
Songs from our band >>64Bits<<............http://www.apsfilter.org/64bits.html
My homepage................................ http://people.FreeBSD.ORG/~andreas
Please note: Apsfilter got a NEW HOME................http://www.apsfilter.org/
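
Added example, not part of the original message and not apsfilter or lpd code: a Python sketch of the classic Unix owner/group/other read check, applied to the smbclient.conf ownership and mode combinations discussed in this thread. The numeric IDs (root 0, daemon 1, wheel 0), the function names and the scenarios are assumptions constructed for illustration.

```python
import stat

# Assumed numeric IDs for illustration (constructed, not taken from the thread).
ROOT, DAEMON_UID, DAEMON_GID, WHEEL_GID = 0, 1, 1, 0

def readable_by(st_uid, st_gid, st_mode, uid, gids):
    """Classic Unix read check: exactly one permission class applies."""
    if uid == ROOT:
        return True                               # root bypasses mode bits
    if uid == st_uid:                             # owner class wins, even if
        return bool(st_mode & stat.S_IRUSR)       # group bits would allow more
    if st_gid in gids:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)

def audit_secret(st_uid, st_gid, st_mode, filter_uid, filter_gids):
    """Return findings for a credential file the input filter must read."""
    findings = []
    if not readable_by(st_uid, st_gid, st_mode, filter_uid, filter_gids):
        findings.append("filter cannot read file")
    if st_mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("file is accessible to all local users")
    if st_mode & stat.S_IRGRP and st_gid not in filter_gids:
        findings.append("group read granted to a group the filter is not in")
    return findings

# Constructed scenarios: (label, owner, group, mode, filter uid, filter gids)
CASES = [
    ("as created by SETUP", ROOT, DAEMON_GID, 0o600, DAEMON_UID, {WHEEL_GID}),
    ("chmod g+r, filter only in wheel", ROOT, DAEMON_GID, 0o640, DAEMON_UID, {WHEEL_GID}),
    ("chmod g+r, filter in daemon group", ROOT, DAEMON_GID, 0o640, DAEMON_UID, {DAEMON_GID}),
    ("owned by the filter UID, 0600", DAEMON_UID, DAEMON_GID, 0o600, DAEMON_UID, {WHEEL_GID}),
    ("chmod o+r shortcut", ROOT, DAEMON_GID, 0o644, DAEMON_UID, {WHEEL_GID}),
]

if __name__ == "__main__":
    for label, *args in CASES:
        print(f"{label:36} {audit_secret(*args) or 'ok'}")
```

Whether g+r on a root:daemon file helps depends on the group set the filter process actually has, which is why the check takes the filter's UID and groups as inputs rather than copying them from the spool directory.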


