/usr/share/doc/printer-driver-pnm2ppa/README.security is in printer-driver-pnm2ppa 1.13+nondbs-0ubuntu6.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 | These notes are for the guidance of distributions that include pnm2ppa:
---------------------------------------------------------------------
Notes on secure installation of pnm2ppa.
What pnm2ppa does:
1. It attempts to open and read a configuration file
"/etc/pnm2ppa.conf", and then any additional configuration
files with paths specified by the -f command line option.
These paths are checked to be shorter than MAXPATHLEN before
they are used, otherwise pnm2ppa terminates.
GNU getopt() is used to process options.
2. It opens an input file (-i option) to receive pnm data.
The pnm format and page size is taken from the header.
If the header does not correspond to a valid pnm format, the rest
of the data is rejected, and pnm2ppa terminates.
The input file path is checked to have a length less than
MAXPATHLEN, as determined at compilation time.
3. It opens an output file (-o option) to send ppa data
(for the printer).
The output file path is checked to have a length less than
MAXPATHLEN.
4. (unless the --noGamma option is specified) it tries to read color
correction data from "/etc/pnm2ppa.gamma", or an alternate file with
a path specified by the -F command line option.
Such paths are also checked to be shorter than MAXPATHLEN before
they are used.
If this data exists, but is not successfully read, pnm2ppa terminates.
(See COLOR.txt).
5. pnm2ppa opens and writes to the syslog with informational messages
about its progress, or, if it terminates, with an error message.
If it is working in --verbose mode, these messages are also sent
to stderr.
No strings derived from user input to pnm2ppa are included in syslog
messages. Syslog messages must fit in a string of length < 128.
They can be suppressed with a keyword "silent 1" in the default
system configuration file (/etc/pnm2ppa.conf), but not from
user-specified config files (from -f option).
All syslog actions by pnm2ppa are "wrapped": message strings
produces in the rest of the program are only sent to the syslog by
code in syslog.c. This is also where openlog() and closelog() are
called.
----------------------------------------------------------------------
Recommendations:
-- do *NOT* install pnm2ppa suid/guid, if is possible that a
"malicious user" might run it. The output file specified
with the -o option could overwrite files to which the user
has no write permission.
-- since pnm2ppa works as an output filter for gs, it only needs the
same privileges that gs would need. If lpr is available, pipe
the pnm2ppa output though "lpr -l ..." to the appropriate printer
rather than directly sending it to e.g. /dev/lp0 (in the latter case,
write privileges on /dev/lp0 would be needed.)
--------------------------------------------------------------
Other (optional) programs in the distribution:
Do NOT install these suid/gid!
calibrate_ppa.c:
This is used to produce various ppmraw format PixMap images
used with pnm2ppa for printer calibration. Note: these
PixMaps are LARGE (100MB!!) and should generally be piped
directly to pnm2ppa.
THIS SHOULD USUALLY BE INSTALLED.
parse_vlink.c
a utility useful in debugging pnm2ppa that can interpret
ppa format output instructions to the printer, whether
produced by pnm2ppa, or captured from the Windows9x drivers.
It is in the ppa_protocol subdirectory, and is not compiled
by default.
THIS IS NOT USUALY INSTALLED.
|