From 77e2265944d287ab4983ef30a7f0e97a6e31df90 Mon Sep 17 00:00:00 2001
From: Kevin Mihelich <kevin@archlinuxarm.org>
Date: Wed, 31 Jan 2018 06:35:15 +0000
Subject: [PATCH] extra/cups to 2.2.6-4

---
 extra/cups/PKGBUILD      | 25 ++++++++++++++++++------
 extra/cups/cups.install  | 14 ++++++++++++++
 extra/cups/cups.sysusers |  2 ++
 extra/cups/guid.patch    | 42 ++++++++++++++++++++++++++++++++++++++++
 4 files changed, 77 insertions(+), 6 deletions(-)
 create mode 100644 extra/cups/cups.sysusers
 create mode 100644 extra/cups/guid.patch

diff --git a/extra/cups/PKGBUILD b/extra/cups/PKGBUILD
index 69cc2f6fb..f2a075273 100644
--- a/extra/cups/PKGBUILD
+++ b/extra/cups/PKGBUILD
@@ -7,8 +7,8 @@
 pkgbase="cups"
 pkgname=('libcups' 'cups')
 pkgver=2.2.6
-pkgrel=1
-arch=('i686' 'x86_64')
+pkgrel=4
+arch=('x86_64')
 license=('GPL')
 url="https://www.cups.org/"
 makedepends=('libtiff' 'libpng' 'acl' 'pam' 'xdg-utils' 'krb5' 'gnutls'
@@ -16,6 +16,7 @@ makedepends=('libtiff' 'libpng' 'acl' 'pam' 'xdg-utils' 'krb5' 'gnutls'
              'avahi'  'hicolor-icon-theme' 'systemd' 'inetutils' 'libpaper')
 source=(https://github.com/apple/cups/releases/download/v${pkgver}/cups-${pkgver}-source.tar.gz{,.sig}
         cups.logrotate cups.pam
+        cups.sysusers guid.patch
         # improve build and linking
         cups-no-export-ssllibs.patch
         cups-no-gzip-man.patch
@@ -26,6 +27,8 @@ sha256sums=('40385778c2b3bdf55030d1c999734e22774c79e3425d91339ce677825620169b'
             'SKIP'
             'd87fa0f0b5ec677aae34668f260333db17ce303aa1a752cba5f8e72623d9acf9'
             '57dfd072fd7ef0018c6b0a798367aac1abb5979060ff3f9df22d1048bb71c0d5'
+            '06173dfaea37bdd9b39b3e09aba98c34ae7112a2f521db45a688907d8848caa2'
+            'd4537526c1e075866ae22ad263da000fc2a592d36c26b79a459a1cfdade2bb2d'
             'ff3eb0782af0405f5dafe89e04b1b4ea7a49afc5496860d724343bd04f375832'
             'b8fc2e3bc603495f0278410350ea8f0161d9d83719feb64f573b63430cb4800b'
             '23349c96f2f7aeb7d48e3bcd35a969f5d5ac8f55a032b0cfaa0a03d7e37ea9af'
@@ -47,6 +50,9 @@ prepare() {
   # make sure network is up when starting and notify systemd - FC
   patch -Np1 -i ${srcdir}/cups-systemd-socket.patch
 
+  # FS#56818 - https://github.com/apple/cups/issues/5236
+  patch -Np1 -i ${srcdir}/guid.patch
+
   # set MaxLogSize to 0 to prevent using cups internal log rotation
   sed -i -e '5i\ ' conf/cupsd.conf.in
   sed -i -e '6i# Disable cups internal logging - use logrotate instead' conf/cupsd.conf.in
@@ -59,6 +65,8 @@ prepare() {
 
 build() {
   cd ${pkgbase}-${pkgver}
+
+  # use fixed cups user (id 209) since systemd adds "lp" group without a fixed id
   ./configure --prefix=/usr \
      --sysconfdir=/etc \
      --localstatedir=/var \
@@ -67,8 +75,8 @@ build() {
      --with-logdir=/var/log/cups \
      --with-docdir=/usr/share/cups/doc \
      --with-exe-file-perm=0755 \
-     --with-cups-user=daemon \
-     --with-cups-group=lp \
+     --with-cups-user=209 \
+     --with-cups-group=209 \
      --enable-pam=yes \
      --enable-raw-printing \
      --enable-dbus --with-dbusdir=/etc/dbus-1 \
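Review bot: The literal `209` is now repeated in the configure flags of this hunk, in the `sed`, `install -g` and `chgrp` lines of the two later PKGBUILD hunks, and again in cups.install and cups.sysusers, with nothing tying the copies together. A single `_cupsid=209` near the top of the PKGBUILD, used as `--with-cups-user=${_cupsid}` and `--with-cups-group=${_cupsid}`, would keep the PKGBUILD uses in step. The `sed` patterns `#User 209` and `#Group 209` in the next hunk depend on the same value and silently match nothing if it ever changes, so they should use the variable too. The build() body continues outside this hunk.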
@@ -130,8 +138,13 @@ optdepends=('xdg-utils: xdg .desktop file support'
   chmod 755 ${pkgdir}/var/spool
   chmod 755 ${pkgdir}/etc
 
+  # use cups group FS#36769
+  install -Dm644 "$srcdir"/cups.sysusers "${pkgdir}/usr/lib/sysusers.d/$pkgname.conf"
+  sed -i "s:#User 209:User 209:" ${pkgdir}/etc/cups/cups-files.conf{,.default}
+  sed -i "s:#Group 209:Group 209:" ${pkgdir}/etc/cups/cups-files.conf{,.default}
+
   # install ssl directory where to store the certs, solves some samba issues
-  install -dm700 -g lp ${pkgdir}/etc/cups/ssl
+  install -dm700 -g 209 ${pkgdir}/etc/cups/ssl
   # remove directory from package, it will be recreated at each server start
   rm -rf ${pkgdir}/run
 
@@ -139,7 +152,7 @@ optdepends=('xdg-utils: xdg .desktop file support'
   touch ${pkgdir}/etc/cups/printers.conf
   touch ${pkgdir}/etc/cups/classes.conf
   touch ${pkgdir}/etc/cups/subscriptions.conf 
-  chgrp -R lp ${pkgdir}/etc/cups
+  chgrp -R 209 ${pkgdir}/etc/cups
   
   # fix .desktop file
   sed -i 's|^Exec=htmlview http://localhost:631/|Exec=xdg-open http://localhost:631/|g' ${pkgdir}/usr/share/applications/cups.desktop
diff --git a/extra/cups/cups.install b/extra/cups/cups.install
index 23732bb74..c83a437ea 100644
--- a/extra/cups/cups.install
+++ b/extra/cups/cups.install
@@ -4,3 +4,17 @@ post_install() {
  echo ">> This is because the first request triggers the generation of the CUPS"
  echo ">> SSL certificates which can be a very time-consuming job."
 }
+
+post_upgrade() {
+  # FS#56818 - make sure we change the ownership to the new cups group
+  if [[ $(vercmp 2.2.6-3 $2) = 1 ]]; then
+    chgrp -R 209 /etc/cups
+    echo "Cups daemon is now running under \"cups\" user+group."
+    echo "Please make sure to enable the new user+group change in"
+    echo "/etc/cups/cups-files.conf or merge changes from"
+    echo "/etc/cups/cups-files.conf.default. After a service restart"
+    echo "make sure /etc/cups and all files within are owned by"
+    echo "cups group - run \"chgrp -R cups /etc/cups\"." 
+  fi
+}
+
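Review bot: `post_upgrade` runs `chgrp -R 209 /etc/cups` as root by numeric id and never checks that gid 209 is the cups group, so if that id were already in use on a system the configuration tree would become group-owned by an unrelated group. The numeric id is presumably used because the `cups` name may not exist yet when the scriptlet runs. If so, a comment such as `# numeric gid: the cups group may not have been created by sysusers yet` would record that. Separately, `$2` should be quoted in the version test, `vercmp 2.2.6-3 "$2"`.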
diff --git a/extra/cups/cups.sysusers b/extra/cups/cups.sysusers
new file mode 100644
index 000000000..4ab9d5905
--- /dev/null
+++ b/extra/cups/cups.sysusers
@@ -0,0 +1,2 @@
+u cups 209 "cups helper user"
+m cups lp
diff --git a/extra/cups/guid.patch b/extra/cups/guid.patch
new file mode 100644
index 000000000..ce28e024f
--- /dev/null
+++ b/extra/cups/guid.patch
@@ -0,0 +1,42 @@
+diff --git a/scheduler/cups-exec.c b/scheduler/cups-exec.c
+index aab43a797..46c549075 100644
+--- a/scheduler/cups-exec.c
++++ b/scheduler/cups-exec.c
+@@ -133,8 +133,13 @@ main(int  argc,				/* I - Number of command-line args */
+     if (setgid(gid))
+       exit(errno + 100);
+ 
+-    if (setgroups(1, &gid))
++#include <pwd.h>
++    struct passwd * pwd = getpwuid(uid);
++    if(initgroups(pwd->pw_name,pwd->pw_gid))
++    {
++      fprintf(stderr, "DEBUG: initgroups failed\n");
+       exit(errno + 100);
++    }
+ 
+     if (uid && setuid(uid))
+       exit(errno + 100);
+diff --git a/scheduler/util.c b/scheduler/util.c
+index 19ebf069b..4638562bd 100644
+--- a/scheduler/util.c
++++ b/scheduler/util.c
+@@ -300,7 +300,16 @@ cupsdPipeCommand(int        *pid,	/* O - Process ID or 0 on error */
+     */
+ 
+     if (!getuid() && user)
+-      setuid(user);			/* Run as restricted user */
++    {
++#include <pwd.h>
++      struct passwd * pwd = getpwuid(user);
++      if(initgroups(pwd->pw_name,pwd->pw_gid))
++      {
++        fprintf(stderr, "DEBUG: initgroups failed\n");
++        exit(errno + 100);
++      }
++      setuid(user); /* Run as restricted user */
++    }
+ 
+     if ((fd = open("/dev/null", O_RDONLY)) > 0)
+     {
+
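Review bot: `getpwuid()` is dereferenced without a NULL check in both added blocks (scheduler/cups-exec.c and scheduler/util.c), so a uid with no passwd entry is undefined behaviour, typically a crash, instead of a clean error exit. Guard both with `if (!pwd || initgroups(pwd->pw_name, pwd->pw_gid))`. In the util.c block the return value of `setuid(user)` is still ignored, so a failed privilege drop would leave the piped command running as root. `if (setuid(user)) exit(errno + 100);` would match the check cups-exec.c already makes. `#include <pwd.h>` belongs with each file's other includes rather than inside a function body. Both functions start and end outside the nested hunks, so whether util.c sets the group id elsewhere cannot be seen here.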