cups insecure filter

Da_Zims

Cups give me that error in the printer setting
Idle - File "/usr/lib/cups/filter/epson-escpr-wrapper" has insecure permissions (0104755/uid=0/gid=0).
the filter file got the following permission
-rwxr-xr-x 1 root root 76064 Sep 19 15:18 bannertopdf
-rwxr-xr-x 1 root root 2003 Jun 30 06:11 brftoembosser
-rwxr-xr-x 1 root root 3476 Jun 30 06:11 brftopagedbrf
lrwxrwxrwx 1 root root 11 Oct 23 12:29 cgmtopdf -> vectortopdf
lrwxrwxrwx 1 root root 11 Oct 23 12:29 cmxtopdf -> vectortopdf
-rwxr-xr-x 1 root root 14440 Jun 24 19:51 commandtocanon
-rwxr-xr-x 1 root root 14440 Jun 24 19:51 commandtoepson
-rwxr-xr-x 1 root root 14456 Sep 19 15:18 commandtoescpx
-rwxr-xr-x 1 root root 14456 Sep 19 15:18 commandtopclx
-rwxr-xr-x 1 root root 14504 Jun 16 11:56 commandtops
lrwxrwxrwx 1 root root 11 Oct 23 12:29 emftopdf -> vectortopdf
-rwsr-xr-x 1 root root 43672 Jul 2 11:31 epson-escpr
-rwsr-xr-x 1 root root 18536 Jul 2 11:31 epson-escpr-wrapper
-rwxr-xr-x 1 root root 118000 Sep 19 15:18 foomatic-rip
-rwxr-xr-x 1 root root 555 Jun 30 06:11 gstopdf
-rwxr-xr-x 1 root root 558 Jun 30 06:11 gstopxl
-rwxr-xr-x 1 root root 76064 Sep 19 15:18 gstoraster
-rwxr-xr-x 1 root root 14504 Jun 16 11:56 gziptoany
-rwxr-xr-x 1 root root 1540512 Oct 18 16:36 hpcups
-rwxr-xr-x 1 root root 162032 Oct 18 16:36 hpcupsfax
-rwxr-xr-x 1 root root 140320 Oct 18 16:36 hpps
-rwxr-xr-x 1 root root 3759 Jun 30 06:11 imagetobrf
-rwxr-xr-x 1 root root 47272 Sep 19 15:18 imagetopdf
-rwxr-xr-x 1 root root 988 Jun 30 06:11 imagetops
-rwxr-xr-x 1 root root 65008 Sep 19 15:18 imagetoraster
lrwxrwxrwx 1 root root 10 Oct 23 12:29 imagetoubrl -> imagetobrf
-rwxr-xr-x 1 root root 6580 Jun 30 06:11 imageubrltoindexv3
-rwxr-xr-x 1 root root 6648 Jun 30 06:11 imageubrltoindexv4
-rwxr-xr-x 1 root root 1873 Jun 30 06:11 musicxmltobrf
-rwxr-xr-x 1 root root 182568 Sep 19 15:18 pdftopdf
-rwxr-xr-x 1 root root 92808 Sep 19 15:18 pdftops
-rwxr-xr-x 1 root root 47400 Sep 19 15:18 pdftoraster
-rwxr-xr-x 1 root root 55496 Jun 16 11:56 pstops
-rwxr-xr-x 1 root root 1061 Feb 20 2021 pstotiff
lrwxrwxrwx 1 root root 13 Oct 23 12:29 rastertodymo -> rastertolabel
-rwxr-xr-x 1 root root 22696 Jun 16 11:56 rastertoepson
-rwxr-xr-x 1 root root 34936 Sep 19 15:18 rastertoescpx
-rwxr-xr-x 1 root root 51384 Jun 24 19:51 rastertogutenprint.5.3
-rwxr-xr-x 1 root root 18600 Jun 16 11:56 rastertohp
-rwxr-xr-x 1 root root 26792 Jun 16 11:56 rastertolabel
-rwxr-xr-x 1 root root 563 Jun 30 06:11 rastertopclm
-rwxr-xr-x 1 root root 39032 Sep 19 15:18 rastertopclx
-rwxr-xr-x 1 root root 100576 Sep 19 15:18 rastertopdf
-rwxr-xr-x 1 root root 14456 Sep 19 15:18 rastertops
-rwxr-xr-x 1 root root 18600 Jun 16 11:56 rastertopwg
lrwxrwxrwx 1 root root 11 Oct 23 12:29 svgtopdf -> vectortopdf
-rwxr-xr-x 1 root root 30952 Sep 19 15:18 sys5ippprinter
-rwxr-xr-x 1 root root 4911 Jun 30 06:11 textbrftoindexv3
lrwxrwxrwx 1 root root 16 Oct 23 12:29 textbrftoindexv4 -> textbrftoindexv3
-rwxr-xr-x 1 root root 9289 Jun 30 06:11 texttobrf
-rwxr-xr-x 1 root root 54704 Sep 19 15:18 texttopdf
-rwxr-xr-x 1 root root 982 Jun 30 06:11 texttops
-rwxr-xr-x 1 root root 30840 Sep 19 15:18 texttotext
-rwxr-xr-x 1 root root 2588 Jun 30 06:11 vectortobrf
-rwxr-xr-x 1 root root 2177 Jun 30 06:11 vectortopdf
lrwxrwxrwx 1 root root 11 Oct 23 12:29 vectortoubrl -> vectortobrf
lrwxrwxrwx 1 root root 11 Oct 23 12:29 wmftopdf -> vectortopdf
lrwxrwxrwx 1 root root 11 Oct 23 12:29 xfigtopdf -> vectortopdf

what permission do cups need ?

EbonJaeger

Da_Zims I had to remove the suid permission bit for that. The download from Epson doesn't have it set, and I'm not sure why Solus does. After doing that, it works fine for me.

Da_Zims

thanks for the pointer i got the thing to run
For anybody looking in the future

http://www.cups.org/doc/api-filter.html
From the cups documentation

File Permissions

For security reasons, CUPS will only run filters and backends that are owned by root and do not have world or group write permissions. The recommended permissions for filters and backends are 0555 - read and execute but no write. Backends that must run as root should use permissions of 0500 - read and execute by root, no access for other users. Write permissions can be enabled for the root user only.

To avoid a warning message, the directory containing your filter(s) must also be owned by root and have world and group write disabled - permissions of 0755 or 0555 are strongly encouraged.

EbonJaeger

Da_Zims I created an issue on the Solus dev tracker here for this, just in case there's something else in play that we don't know about. 🙂