CUPS domain socket should only be openable by user chronos
Issue description
This is a small change
Aug 11 2016
I'm going to go with permissions 0770 and owner:group = root:chronos. If we need other non-root users that aren't chronos to print, then maybe we'd change this to root:lp, and add chronos and other user(s) to the lp group.
Aug 11 2016
Oops, already figured one issue: if Sean's going to sandbox lpadmin processes as a non-root user (e.g., 'cups', or a new 'lpadmin' user) then we definitely can't restrict this to group 'chronos'. How about I go with root:lp, where the members of lp will be: chronos, lp, and lpadmin (or whatever the sandboxed printer admin user will be)?
Aug 11 2016
LGTM, thanks! Please mark as started when you start work.
Aug 11 2016
Sean, are we settled on adding an lpadmin user? (We talked about this over chat.) Since I have to edit both the group config and the security_AccountsBaseline test, it makes sense for me to do this all in one go.
Aug 16 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/autotest/+/e133de1ea2d82b5e2b0c0b33ec0bf02cc1779a7a

commit e133de1ea2d82b5e2b0c0b33ec0bf02cc1779a7a
Author: Brian Norris <briannorris@chromium.org>
Date: Thu Aug 11 19:41:30 2016

security_AccountsBaseline: Add chronos to lp group

To reflect the changes made in eclass-overlay.

BUG= chromium:633385
TEST=`test_that ... security_AccountsBaseline`
CQ-DEPEND=I82b41954334b7855feeae8bbe48a90b324ec9965
Change-Id: Ia4ddfb93e69c2b6485362fa0c8e96093bebf0666
Signed-off-by: Brian Norris <briannorris@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/368371
Reviewed-by: Sean Kau <skau@chromium.org>
Reviewed-by: Ricky Zhou <rickyz@chromium.org>

[modify] https://crrev.com/e133de1ea2d82b5e2b0c0b33ec0bf02cc1779a7a/client/site_tests/security_AccountsBaseline/baseline.group
Aug 16 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/eclass-overlay/+/a7e952c0b68f124885cfbb0f08df62be2c19e11d

commit a7e952c0b68f124885cfbb0f08df62be2c19e11d
Author: Brian Norris <briannorris@chromium.org>
Date: Thu Aug 11 19:35:29 2016

Add chronos to lp group

We're going to restrict the cups domain socket (/run/cups/cups.sock) to user:group root:lp. We want chronos to be able to print, so add it to lp.

BUG= chromium:633385
TEST=check `id chronos` on newly-built image
CQ-DEPEND=Ia4ddfb93e69c2b6485362fa0c8e96093bebf0666
CQ-DEPEND=*I057946566100d88ee973ac57cb0b3051fed87004
Change-Id: I82b41954334b7855feeae8bbe48a90b324ec9965
Signed-off-by: Brian Norris <briannorris@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/368311
Reviewed-by: Sean Kau <skau@chromium.org>
Reviewed-by: Ricky Zhou <rickyz@chromium.org>

[modify] https://crrev.com/a7e952c0b68f124885cfbb0f08df62be2c19e11d/profiles/base/accounts/group/lp
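
An added example, not code from the Chromium OS tree or from anyone in this thread: a small audit of the policy discussed above (socket mode 0770, a fixed owner and group, and a known set of group members). The function names, the temporary socket standing in for /run/cups/cups.sock, and the sample group line are all constructed for illustration.

```python
import os
import socket
import stat
import tempfile

def audit_socket(path, want_uid, want_gid, want_mode=0o770):
    """Return a list of policy findings for a Unix domain socket (empty = OK)."""
    st = os.lstat(path)  # lstat: never follow a symlink planted at the path
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{path}: not a socket"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != want_uid:
        findings.append(f"owner uid {st.st_uid}, expected {want_uid}")
    if st.st_gid != want_gid:
        findings.append(f"group gid {st.st_gid}, expected {want_gid}")
    if mode & 0o002:
        # On Linux, connect() needs write permission on the socket file.
        findings.append(f"mode {mode:04o} lets any local user connect")
    elif mode != want_mode:
        findings.append(f"mode {mode:04o}, expected {want_mode:04o}")
    return findings

def unexpected_members(group_line, allowed):
    """Members of an /etc/group-format line that are not in the allowed set."""
    members = group_line.strip().split(":")[3]
    return sorted(set(filter(None, members.split(","))) - set(allowed))

def make_sample_socket(mode):
    """Constructed stand-in for /run/cups/cups.sock in a private temp dir."""
    path = os.path.join(tempfile.mkdtemp(), "cups.sock")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.bind(path)  # the socket file stays on disk after close()
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    for mode in (0o770, 0o777):
        sock = make_sample_socket(mode)
        st = os.lstat(sock)  # this user's ids stand in for root and lp
        print(f"{mode:04o}", audit_socket(sock, st.st_uid, st.st_gid) or "OK")
    # Constructed group line; "guest" is a hypothetical unexpected member.
    print(unexpected_members("lp:!:7:lp,chronos,guest", {"lp", "chronos"}))
```

On a device, the same check would be called with uid 0 and the gid of `lp` against the real socket path, alongside the `id chronos` check named in the commit message.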
Aug 16 2016
The following revision refers to this bug: https://chrome-internal.googlesource.com/chromeos/autotest-lakitu/+/9d187787c954b5684df0d3a7a853b15c507a080e commit 9d187787c954b5684df0d3a7a853b15c507a080e Author: Brian Norris <briannorris@chromium.org> Date: Tue Aug 16 00:01:08 2016
Nov 23 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by raymes@chromium.org, Aug 1 2016
Labels: Security_Impact-Stable Security_Severity-Low