From 04886f280e196553dccc650cbc1fde50b36c39c5 Mon Sep 17 00:00:00 2001
From: Sergey Trofimov
Date: Tue, 1 Jul 2025 16:28:47 +0200
Subject: [PATCH] gnu: cups: Don't enforce root ownership on supplementary files.

Printers managed by CUPS might require supplementary files to function, such as color profiles or filters. CUPS checks permissions on such files to prevent the execution of unsafe code. One of the conditions-that the files are owned by root-must be short-circuited on Guix, because this condition cannot be met on a system with an unprivileged daemon (where store files are owned by `guix-daemon`).

* gnu/packages/patches/cups-relax-root-ownership-check.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/cups.scm (cups)[source]: Include it.

Change-Id: I77f67f996d057a34bd018ab97cda54577060b0c3
Signed-off-by: John Kehayias
---
 gnu/local.mk | 1 +
 gnu/packages/cups.scm | 3 +-
 .../cups-relax-root-ownership-check.patch | 34 +++++++++++++++++++
 3 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/cups-relax-root-ownership-check.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index e8b9d1b6c743ea1e4b633bf3803f555b7c9af551..415b8572d37da6840e3897016a00398bb56f4f36 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1140,6 +1140,7 @@ dist_patch_DATA = \
 %D%/packages/patches/csvkit-set-locale-for-tests.patch \
 %D%/packages/patches/ctranslate2-local-build.patch \
 %D%/packages/patches/cube-nocheck.patch \
+ %D%/packages/patches/cups-relax-root-ownership-check.patch \
 %D%/packages/patches/cura-engine-gcc-14.patch \
 %D%/packages/patches/curl-CVE-2024-8096.patch \
 %D%/packages/patches/curl-use-ssl-cert-env.patch \
diff --git a/gnu/packages/cups.scm b/gnu/packages/cups.scm
index 7f9cedd2f246f5704a9d231fd0e68bfe092855c8..5bed058031668cd3f105f04e0f207393e6fde3e7 100644
--- a/gnu/packages/cups.scm
+++ b/gnu/packages/cups.scm
@@ -332,7 +332,8 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.")
 ;; Avoid NAME confusion: these are the complete CUPS sources.
 (file-name (git-file-name "cups" version))
 (sha256
- (base32 "1dk5salizxy1qm19gw93ffdd34hsn1cd4s57nwl7nfhwwirkiri2"))))
+ (base32 "1dk5salizxy1qm19gw93ffdd34hsn1cd4s57nwl7nfhwwirkiri2"))
+ (patches (search-patches "cups-relax-root-ownership-check.patch"))))
 (build-system gnu-build-system)
 (arguments
 (list #:configure-flags
diff --git a/gnu/packages/patches/cups-relax-root-ownership-check.patch b/gnu/packages/patches/cups-relax-root-ownership-check.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f24461153d876afc61a48834bb9046f139a9f923
--- /dev/null
+++ b/gnu/packages/patches/cups-relax-root-ownership-check.patch
@@ -0,0 +1,34 @@
+From 943e44dafa192b54fadcbb24f5f87d62a22c9f84 Mon Sep 17 00:00:00 2001
+From: Sergey Trofimov
+Date: Wed, 17 Sep 2025 12:09:34 +0200
+Subject: [PATCH] Exempt files in /gnu/store from root ownership check.
+
+---
+ cups/file.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/cups/file.c b/cups/file.c
+index 95054f3c8..9822619d4 100644
+--- a/cups/file.c
++++ b/cups/file.c
+@@ -159,7 +159,8 @@ _cupsFileCheck(
+ * 4. Must not be writable by others
+ */
+
+- if (fileinfo.st_uid || /* 1. Must be owned by root */
++ int in_gnu_store = !strncmp(filename, "/gnu/store/", 11);
++ if ((fileinfo.st_uid && !in_gnu_store) || /* 1. Must be owned by root or be in /gnu/store */
+ (fileinfo.st_mode & S_IWGRP) || /* 2. Must not be writable by group */
+ (fileinfo.st_mode & S_ISUID) || /* 3. Must not be setuid */
+ (fileinfo.st_mode & S_IWOTH)) /* 4. Must not be writable by others */
+@@ -198,7 +199,7 @@ _cupsFileCheck(
+ goto finishup;
+ }
+
+- if (fileinfo.st_uid || /* 1. Must be owned by root */
++ if ((fileinfo.st_uid && !in_gnu_store) || /* 1. Must be owned by root or be in /gnu/store */
+ (fileinfo.st_mode & S_IWGRP) || /* 2. Must not be writable by group */
+ (fileinfo.st_mode & S_ISUID) || /* 3. Must not be setuid */
+ (fileinfo.st_mode & S_IWOTH)) /* 4. Must not be writable by others */
+--
+2.51.0
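Review bot: The `/gnu/store/` exemption added at the top of the first cups/file.c hunk is a literal prefix test on the `filename` string, not on the file that `stat()` actually resolved, so a spelling such as `/gnu/store/../...` or a store symlink pointing outside the store is also exempted from the owner check even though the stat'ed object is not store content. The three remaining conditions (group/other write bits, setuid) still apply, which bounds the exposure, but the ownership rule is the one that keeps a file owned by an unprivileged user from being loaded at all, so the flag should be derived from the canonical path — e.g. `realpath()` into a local buffer and compare that — or at minimum `int in_gnu_store = !strncmp(filename, "/gnu/store/", 11) && !strstr(filename, "/../");`. The same `in_gnu_store` is reused for the containing-directory check in the second hunk, which is fine provided the declaration sits at function scope of `_cupsFileCheck` (the function begins and ends outside both hunks, so this is not visible here), and tightening the definition covers both sites. A one-line comment next to the declaration stating why the relaxation is safe on Guix — the store is immutable and writable only by the daemon — would keep a later maintainer from loosening the other checks on the same reasoning.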