1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-22 05:31:22 +00:00

cups: mount private /tmp

printer driver and wrapper are often not written with security in mind.

While reviewing https://github.com/NixOS/nixpkgs/pull/25654 I found
a symlink-race vulnerability within the wrapper code, when writing
unique files in /tmp.
I expect this script to be reused in other models as well
as similar vulnerabilities in the code of other vendors. Therefore
I propose to make /tmp of cups.service private so that only processes
with the same privileges are able to access these files.
This commit is contained in:
Jörg Thalheim 2017-05-10 09:52:11 +01:00
parent 98ff062ed4
commit 731917a800
No known key found for this signature in database
GPG key ID: CA4106B8D7CC79FA

View file

@ -324,6 +324,8 @@ in
fi
''}
'';
serviceConfig.PrivateTmp = true;
};
systemd.services.cups-browsed = mkIf avahiEnabled