Ticket #42 (closed defect: wontfix)
cupspykota should drop privileges
Reported by: | sle | Owned by: | jerome |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | pykota | Version: | development |
Keywords: | nfs cupsykota | Cc: |
Description
In [3276], cupspykota was changed to no longer drop elevated privileges because the process provided no actual security benefit. While that reasoning is somewhat valid, cupspykota should continue to drop privileges because pykotadmin.conf may be stored in a location that is inaccessible to users with elevated privileges (e.g. root).
Sample scenario: PyKota's configuration file is stored in ~pykota/pykotadmin.conf. It is common for large organizations to place home directories on NFS shares with root-squash enabled. Thus, if cupsykota does not drop its privileges, it will be unable to read pykotadmin.conf.
Change History
Note: See
TracTickets for help on using
tickets.