gnu: cups: Don't enforce root ownership on supplementary files.

Printers managed by CUPS might require supplementary files to function,
such as color profiles or filters. CUPS checks permissions on such files
to prevent the execution of unsafe code. One of the conditions, that the
files are owned by root, must be short-circuited on Guix, because this
condition cannot be met on a system with an unprivileged daemon (where
store files are owned by `guix-daemon`).

* gnu/packages/patches/cups-relax-root-ownership-check.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/cups.scm (cups)[source]: Include it.

Change-Id: I77f67f996d057a34bd018ab97cda54577060b0c3
Signed-off-by: John Kehayias <john@guixotic.coop>
Sergey Trofimov 2025-07-01 16:28:47 +02:00 committed by John Kehayias
parent b0511641fd
commit f86dfb91c6
GPG key ID: 499097AE5EA815D9
3 changed files with 37 additions and 1 deletions

gnu/local.mk

@ -1136,6 +1136,7 @@ dist_patch_DATA = \
%D%/packages/patches/csvkit-set-locale-for-tests.patch \ %D%/packages/patches/csvkit-set-locale-for-tests.patch \
%D%/packages/patches/ctranslate2-local-build.patch \ %D%/packages/patches/ctranslate2-local-build.patch \
%D%/packages/patches/cube-nocheck.patch \ %D%/packages/patches/cube-nocheck.patch \
%D%/packages/patches/cups-relax-root-ownership-check.patch \
%D%/packages/patches/cura-engine-gcc-14.patch \ %D%/packages/patches/cura-engine-gcc-14.patch \
%D%/packages/patches/curl-CVE-2024-8096.patch \ %D%/packages/patches/curl-CVE-2024-8096.patch \
%D%/packages/patches/curl-use-ssl-cert-env.patch \ %D%/packages/patches/curl-use-ssl-cert-env.patch \

gnu/packages/cups.scm

@ -332,7 +332,8 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.")
;; Avoid NAME confusion: these are the complete CUPS sources. ;; Avoid NAME confusion: these are the complete CUPS sources.
(file-name (git-file-name "cups" version)) (file-name (git-file-name "cups" version))
(sha256 (sha256
(base32 "1dk5salizxy1qm19gw93ffdd34hsn1cd4s57nwl7nfhwwirkiri2")))) (base32 "1dk5salizxy1qm19gw93ffdd34hsn1cd4s57nwl7nfhwwirkiri2"))
(patches (search-patches "cups-relax-root-ownership-check.patch"))))
(build-system gnu-build-system) (build-system gnu-build-system)
(arguments (arguments
(list #:configure-flags (list #:configure-flags

gnu/packages/patches/cups-relax-root-ownership-check.patch

@ -0,0 +1,34 @@
From 943e44dafa192b54fadcbb24f5f87d62a22c9f84 Mon Sep 17 00:00:00 2001
From: Sergey Trofimov <sarg@sarg.org.ru>
Date: Wed, 17 Sep 2025 12:09:34 +0200
Subject: [PATCH] Exempt files in /gnu/store from root ownership check.
---
cups/file.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/cups/file.c b/cups/file.c
index 95054f3c8..9822619d4 100644
--- a/cups/file.c
+++ b/cups/file.c
@@ -159,7 +159,8 @@ _cupsFileCheck(
* 4. Must not be writable by others
*/
- if (fileinfo.st_uid || /* 1. Must be owned by root */
+ int in_gnu_store = !strncmp(filename, "/gnu/store/", 11);
+ if ((fileinfo.st_uid && !in_gnu_store) || /* 1. Must be owned by root or be in /gnu/store */
(fileinfo.st_mode & S_IWGRP) || /* 2. Must not be writable by group */
(fileinfo.st_mode & S_ISUID) || /* 3. Must not be setuid */
(fileinfo.st_mode & S_IWOTH)) /* 4. Must not be writable by others */
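Review bot: the exemption added in the new condition is a string-prefix test (`strncmp(filename, "/gnu/store/", 11)`) rather than a check on the canonical path, so a name that starts with /gnu/store/ but leaves the store through `..` components or a symlink would also skip check 1. Checks 2 to 4 still reject group- or world-writable and setuid files, and the file names come from root-controlled configuration, so the practical exposure is small, but resolving the name with realpath() before the comparison (or rejecting `..` components) would make the code match the intent stated in the comment, "be in /gnu/store".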
@@ -198,7 +199,7 @@ _cupsFileCheck(
goto finishup;
}
- if (fileinfo.st_uid || /* 1. Must be owned by root */
+ if ((fileinfo.st_uid && !in_gnu_store) || /* 1. Must be owned by root or be in /gnu/store */
(fileinfo.st_mode & S_IWGRP) || /* 2. Must not be writable by group */
(fileinfo.st_mode & S_ISUID) || /* 3. Must not be setuid */
(fileinfo.st_mode & S_IWOTH)) /* 4. Must not be writable by others */
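Review bot: this condition reuses `in_gnu_store`, which is declared in the previous hunk some forty lines earlier, so the change only compiles if that declaration is at function scope of `_cupsFileCheck` and not inside an inner block; worth confirming, since the diff context does not show the enclosing braces. Factoring the two now-identical four-clause tests (and the /gnu/store exemption) into one small static helper would avoid keeping the comment "Must be owned by root or be in /gnu/store" in sync in two places.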
--
2.51.0