[Pkg-samba-maint] smbspool vs smbspool_krb5_wrapper
Michael Tokarev
mjt at tls.msk.ru
Tue Apr 5 09:26:32 BST 2022
Hi!
For a very long time, apparently, we ship smbspool
backend for cups in samba package in a wrong way.
source3/client/smbspool_krb5_wrapper.c reads:
/*
* This is a helper binary to execute smbspool.
*
* It needs to be installed or symlinked as:
* /usr/lib/cups/backend/smb
*
* The permissions of the binary need to be set to 0700 so that it is executed
* as root. The binary switches to the user which is passed via the environment
* variable AUTH_UID, so we can access the kerberos ticket.
*/
And we have:
/usr/lib/cups/backend/smb => /usr/bin/smbspool
Is it okay for smbspool to be run as root to start
with ? Or does cups run things as different user
when it has wider than 0700 file permissions?
Should it be
usr/lib/cups/backend/smb =>
usr/libexec/samba/smbspool_krb5_wrapper
instead?
(This is how the move to libexec "affects" cups: it doesn't).
But overall, does it really matter? What this wrapper is
supposed to do, what _is_ this $AUTH_UID thing, when we
are run from cups? Is it a local user who submitted a
print job, and the backend runs under this local user?
How about remote print jobs?
Just guessing here. Can cups people answer some of that?
Thanks!
/mjt
More information about the Pkg-samba-maint
mailing list