From 1a4baddc0b6af2b6abfc8b51c10042dac0d40765 Mon Sep 17 00:00:00 2001
From: Sergey Trofimov
Date: Tue, 1 Jul 2025 16:28:47 +0200
Subject: [PATCH] gnu: cups: Don't enforce root ownership on supplementary files.

Printers managed by CUPS might require supplementary files to function, such as color profiles or filters. CUPS checks permissions on such files to prevent the execution of unsafe code. One of the conditions-that the files are owned by root-must be short-circuited on Guix, because this condition cannot be met on a system with an unprivileged daemon (where store files are owned by `guix-daemon`).

* gnu/packages/patches/cups-relax-root-ownership-check.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/cups.scm (cups)[source]: Include it.

Change-Id: I77f67f996d057a34bd018ab97cda54577060b0c3
Signed-off-by: John Kehayias
---
 gnu/local.mk | 1 +
 gnu/packages/cups.scm | 3 +-
 .../cups-relax-root-ownership-check.patch | 34 +++++++++++++++++++
 3 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/cups-relax-root-ownership-check.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 2f0acc8257f..5300d3fbcbf 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1136,6 +1136,7 @@ dist_patch_DATA = \
 %D%/packages/patches/csvkit-set-locale-for-tests.patch \
 %D%/packages/patches/ctranslate2-local-build.patch \
 %D%/packages/patches/cube-nocheck.patch \
+ %D%/packages/patches/cups-relax-root-ownership-check.patch \
 %D%/packages/patches/cura-engine-gcc-14.patch \
 %D%/packages/patches/curl-CVE-2024-8096.patch \
 %D%/packages/patches/curl-use-ssl-cert-env.patch \
diff --git a/gnu/packages/cups.scm b/gnu/packages/cups.scm
index 7f9cedd2f24..5bed0580316 100644
--- a/gnu/packages/cups.scm
+++ b/gnu/packages/cups.scm
@@ -332,7 +332,8 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.")
 ;; Avoid NAME confusion: these are the complete CUPS sources.
 (file-name (git-file-name "cups" version))
 (sha256
- (base32 "1dk5salizxy1qm19gw93ffdd34hsn1cd4s57nwl7nfhwwirkiri2"))))
+ (base32 "1dk5salizxy1qm19gw93ffdd34hsn1cd4s57nwl7nfhwwirkiri2"))
+ (patches (search-patches "cups-relax-root-ownership-check.patch"))))
 (build-system gnu-build-system)
 (arguments
 (list #:configure-flags
diff --git a/gnu/packages/patches/cups-relax-root-ownership-check.patch b/gnu/packages/patches/cups-relax-root-ownership-check.patch
new file mode 100644
index 00000000000..f24461153d8
--- /dev/null
+++ b/gnu/packages/patches/cups-relax-root-ownership-check.patch
@@ -0,0 +1,34 @@
+From 943e44dafa192b54fadcbb24f5f87d62a22c9f84 Mon Sep 17 00:00:00 2001
+From: Sergey Trofimov
+Date: Wed, 17 Sep 2025 12:09:34 +0200
+Subject: [PATCH] Exempt files in /gnu/store from root ownership check.
+
+---
+ cups/file.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/cups/file.c b/cups/file.c
+index 95054f3c8..9822619d4 100644
+--- a/cups/file.c
++++ b/cups/file.c
+@@ -159,7 +159,8 @@ _cupsFileCheck(
+ * 4. Must not be writable by others
+ */
+
+- if (fileinfo.st_uid || /* 1. Must be owned by root */
++ int in_gnu_store = !strncmp(filename, "/gnu/store/", 11);
++ if ((fileinfo.st_uid && !in_gnu_store) || /* 1. Must be owned by root or be in /gnu/store */
+ (fileinfo.st_mode & S_IWGRP) || /* 2. Must not be writable by group */
+ (fileinfo.st_mode & S_ISUID) || /* 3. Must not be setuid */
+ (fileinfo.st_mode & S_IWOTH)) /* 4. Must not be writable by others */
+@@ -198,7 +199,7 @@ _cupsFileCheck(
+ goto finishup;
+ }
+
+- if (fileinfo.st_uid || /* 1. Must be owned by root */
++ if ((fileinfo.st_uid && !in_gnu_store) || /* 1. Must be owned by root or be in /gnu/store */
+ (fileinfo.st_mode & S_IWGRP) || /* 2. Must not be writable by group */
+ (fileinfo.st_mode & S_ISUID) || /* 3. Must not be setuid */
+ (fileinfo.st_mode & S_IWOTH)) /* 4. Must not be writable by others */
+--
+2.51.0
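Review bot: The new `in_gnu_store` test is a plain prefix match on the unresolved `filename`, so a path such as `/gnu/store/../../etc/foo`, or a `/gnu/store/...` symlink that points outside the store, is also exempted from rule 1 even though `fileinfo` was populated from the file the path actually resolves to; comparing the canonical path instead (below) keeps the exemption to files that really live under `/gnu/store/`. The exemption also spans every store item, not just those shipped with the CUPS package, so on a Guix system where local users can add items to the store through the daemon the root-ownership rule no longer limits who can supply a filter or profile that cupsd will execute — that trade-off deserves a sentence in the patch description, and is a reason to keep the path check as tight as possible. `in_gnu_store` is declared mid-block and uses `strncmp`, which presumably rely on C99 mixed declarations and `<string.h>` already being available in cups/file.c, neither of which is visible in the hunk. The enclosing `_cupsFileCheck` starts and ends outside the hunk.
```c
  /* … unchanged: stat() into fileinfo, permission-rule comment … */
  int in_gnu_store = 0;
  char *resolved = realpath(filename, NULL); /* canonical path: no ".." segments or symlinks */
  if (resolved)
  {
    in_gnu_store = !strncmp(resolved, "/gnu/store/", 11);
    free(resolved);
  }
  if ((fileinfo.st_uid && !in_gnu_store) || /* 1. Must be owned by root or be in /gnu/store */
  /* … unchanged: rules 2–4, and the second check at line 199 reuses in_gnu_store … */
```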