mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-22 05:31:22 +00:00
cups: mount private /tmp
printer driver and wrapper are often not written with security in mind. While reviewing https://github.com/NixOS/nixpkgs/pull/25654 I found a symlink-race vulnerability within the wrapper code, when writing unique files in /tmp. I expect this script to be reused in other models as well as similar vulnerabilities in the code of other vendors. Therefore I propose to make /tmp of cups.service private so that only processes with the same privileges are able to access these files.
This commit is contained in:
parent
98ff062ed4
commit
731917a800
|
@ -324,6 +324,8 @@ in
|
|||
fi
|
||||
''}
|
||||
'';
|
||||
|
||||
serviceConfig.PrivateTmp = true;
|
||||
};
|
||||
|
||||
systemd.services.cups-browsed = mkIf avahiEnabled
|
||||
|
|
Loading…
Reference in a new issue