Opened 3 years ago

Last modified 15 months ago

#45006 new defect

cups-pdf sandbox issues in yosemite

Reported by: jasonw@…
Owned by: macports-tickets@…
Priority: Normal
Milestone:
Component: ports
Version: 2.3.1
Keywords: yosemite
Cc: cooljeanius (Eric Gallager), icaines77@…
Port: cups-pdf

Description

Installed cups-pdf under Yosemite DP 8 (14A361c), following all directions. When I try to add the printer, no entry for cups-pdf shows.

Log shows this line:

sandboxd[269] ([23432]): cups-deviced(23432) deny file-read-metadata /opt/local/libexec/cups/backend/cups-pdf

To test, I tried replacing the link in /usr/libexec/cups/backend with the actual file (and chown root:wheel, chmod 700 for good measure).

Still, no printer shows up, and log displays:

sandboxd[269] ([23577]): cups-pdf(23577) deny file-read-metadata /opt/local/etc/cups/cups-pdf.conf
sandboxd[269] ([23577]): cups-pdf(23577) deny file-read-metadata /opt/local/var/log/cups
--- last message repeated 1 time ---
sandboxd[269] ([23577]): cups-pdf(23577) deny file-read-metadata /opt/local/var/log
sandboxd[269] ([23577]): cups-pdf(23577) deny file-read-metadata /opt/local/var
sandboxd[269] ([23577]): cups-pdf(23577) deny file-read-metadata /opt/local
sandboxd[269] ([23577]): cups-pdf(23577) deny file-read-metadata /opt

Sandbox no longer complains about the backend, but now it disallows access to the config and log files.

Attachments (2)

Portfile (5.7 KB) - added by icaines77@… 3 years ago.
Revised Portfile with instructions re sandboxing.
Portfile-cups-pdf.diff (4.3 KB) - added by icaines77@… 3 years ago.
Diff of portfile.


Change History (14)

comment:1 Changed 3 years ago by cooljeanius (Eric Gallager)

  • Cc egall@… added

Cc Me!

comment:2 Changed 3 years ago by stoffer@…

Added "Sandboxing off" to /etc/cups/cups-files.conf and changed /opt/local/etc/cups/cups-pdf.conf to use "GhostScript /opt/local/bin/gs" with default "GSCall %s -q -dCompatibilityLevel=%s -dNOPAUSE -dBATCH -dSAFER -sDEVICE=pdfwrite -sOutputFile="%s" -dAutoRotatePages=/PageByPage -dAutoFilterColorImages=false -dColorImageFilter=/FlateEncode -dPDFSETTINGS=/prepress -c .setpdfwrite -f %s"

fixed it for me; maybe the Portfile should be patched?

comment:3 Changed 3 years ago by icaines77@…

Agreed, stoffer@…'s suggestion worked for me, except that I also needed to comment out the "PDFVer" line.

comment:4 Changed 3 years ago by icaines77@…

  • Cc icaines77@… added

Cc Me!

comment:5 Changed 3 years ago by mf2k (Frank Schima)

Would someone please attach their patch(es)?

Last edited 3 years ago by mf2k (Frank Schima)

comment:6 Changed 3 years ago by icaines77@…

I am not sure how to patch for this, since it involves changing a file outside of MacPorts (/etc/cups/cups-files.conf). I suppose we could add it to the instructional blurb that appears when cups-pdf is first installed, or add code to make the change to the ${prefix}/libexec/cups-pdf_links.sh script that users are supposed to run?

comment:7 Changed 3 years ago by mf2k (Frank Schima)

One or both sound reasonable to me.

comment:8 follow-up: Changed 3 years ago by iwatakenichi@…

Adding "Sandboxing off" to /etc/cups/cups-files.conf doesn't look like a must; it worked for me without it.

comment:9 in reply to: ↑ 8 Changed 3 years ago by icaines77@…

Replying to iwatakenichi@…:

Adding "Sandboxing off" to /etc/cups/cups-files.conf doesn't look like a must; it worked for me without it.

Just to confirm, are you using OSX 10.10 (Yosemite)?

Just checked again, and it looks like cups-pdf will work with either "Sandboxing off" or "Sandboxing relaxed" set in /etc/cups/cups-files.conf, but if I use neither then cups-pdf is still failing with sandboxing errors. Presumably better to recommend people use the "relaxed" option?

(I can take a stab at a revised portfile next week.)

Last edited 3 years ago by icaines77@…
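
A triage helper for the situation in this ticket, added here as an example (it is not code from the ticket, the cups-pdf port or CUPS): it groups the sandboxd denials quoted in the description by process and path, and reports which Sandboxing level a cups-files.conf sets. The function names are hypothetical, and it assumes the last Sandboxing directive in the file wins and that an absent directive means the CUPS default, "strict".

```shell
#!/bin/sh
# Added example: not part of the ticket, the cups-pdf port, or CUPS.

# summarize_denials: read sandboxd log lines on stdin and print one
# "process operation path" row per distinct denial.
summarize_denials() {
    awk '{
        for (i = 2; i + 2 <= NF; i++) if ($i == "deny") {
            proc = $(i - 1); sub(/\([0-9]+\)$/, "", proc)     # drop "(pid)"
            path = $(i + 2)
            for (j = i + 3; j <= NF; j++) path = path " " $j  # paths with spaces
            print proc, $(i + 1), path
            break
        }
    }' | LC_ALL=C sort -u
}

# cups_sandbox_mode FILE: print the effective Sandboxing level.
# Assumptions: keyword matched case-insensitively, last occurrence wins,
# no directive at all means the default "strict".
cups_sandbox_mode() {
    [ -r "$1" ] || { echo "unreadable"; return 0; }
    awk '
        $1 ~ /^#/ { next }                                # commented-out line
        tolower($1) == "sandboxing" { mode = tolower($2) }
        END { print (mode == "" ? "strict" : mode) }
    ' "$1"
}

# sandbox_advice FILE: turn the level into a one-line finding.
sandbox_advice() {
    case $(cups_sandbox_mode "$1") in
        strict)  echo "strict: default sandbox; expect denials under /opt/local" ;;
        relaxed) echo "relaxed: reduced sandbox, still enabled" ;;
        off)     echo "off: sandbox disabled; the thread reports relaxed also works" ;;
        *)       echo "unknown: could not determine Sandboxing level" ;;
    esac
}

# Log lines copied from the ticket description.
SAMPLE_LOG='sandboxd[269] ([23432]): cups-deviced(23432) deny file-read-metadata /opt/local/libexec/cups/backend/cups-pdf
sandboxd[269] ([23577]): cups-pdf(23577) deny file-read-metadata /opt/local/etc/cups/cups-pdf.conf
sandboxd[269] ([23577]): cups-pdf(23577) deny file-read-metadata /opt/local/var/log/cups
--- last message repeated 1 time ---
sandboxd[269] ([23577]): cups-pdf(23577) deny file-read-metadata /opt/local/var/log'

printf '%s\n' "$SAMPLE_LOG" | summarize_denials
sandbox_advice "${1:-/etc/cups/cups-files.conf}"
```
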

Changed 3 years ago by icaines77@…

Revised Portfile with instructions re sandboxing.

Changed 3 years ago by icaines77@…

Diff of portfile.

comment:10 Changed 3 years ago by icaines77@…

I have attached a revised Portfile which includes the changes described above plus a description of how to change the Sandboxing setting on CUPS. Someone who actually knows what they are doing should probably take a look.

comment:11 follow-up: Changed 15 months ago by leonfauster@…

Has someone here had success on El Capitan 10.11 with the above suggestion (see also #52245)?

comment:12 in reply to: ↑ 11 Changed 15 months ago by icaines77@…

Replying to leonfauster@…:

Has someone here had success on El Capitan 10.11 with the above suggestion (see also #52245)?

Yes, it's working for me.
