nixpkgs/nixos/modules/services/printing
Jörg Thalheim 731917a800
cups: mount private /tmp
printer driver and wrapper are often not written with security in mind.

While reviewing https://github.com/NixOS/nixpkgs/pull/25654 I found
a symlink-race vulnerability within the wrapper code, when writing
unique files in /tmp.
I expect this script to be reused in other models as well
as similar vulnerabilities in the code of other vendors. Therefore
I propose to make /tmp of cups.service private so that only processes
with the same privileges are able to access these files.
2017-05-10 18:03:42 +01:00
..
cupsd.nix cups: mount private /tmp 2017-05-10 18:03:42 +01:00