[cups.bugs] [HIGH] STR #2579: Modifying "Basic Server Settings" options re-writes cupsd.conf without local changes

Jean-Michel Dault jmdault+cups at revolutionlinux.com
Thu Nov 1 07:54:56 PDT 2007


DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR New]

When modifiyng a "Basic Server Settings" options using the web interface
(or any other gui that accesses /admin/conf on the server), cups re-writes
cupsd.conf without local changes.

For example, if someone modifies the SystemGroup or adds, "Allow
10.0.0.0/8" to enable access to another local network, these changes will
disappear when cups re-writes cupsd.conf.

We have many cups servers setup this way, both at the office and at
customer's sites (20,000-50,000 users, multiple subnets).

In our setup, we have this:
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
  Allow 10.0.0.0/8
</Location>

Our @SYSTEM group is setup in LDAP so that sysadmins can add printers.

However, we found out that this wasn't such a good idea when one user with
a Ubuntu laptop tried to change the default printer for his own machine. He
had a client.conf that pointed to the main cups server, and the Ubuntu
python GUI used /admin/conf via port 631 to change the default printer.
Cups then re-wrote cupsd.conf, removing the 10.0.0.0/8 line. Final result:
nobody could print.

Temporary workaround:
- Create a new group, populate with local account, choose a random
password, and put it as the "SystemGroup", so no-one knows the password.
- Modify permissions: make sure /admin/conf is only available to @SYSTEM,
and add @newgroup everywhere else.

Right solution:
- modify cups so that it reads and applies local modifications to
cupsd.conf before overwriting it.

Link: http://www.cups.org/str.php?L2579
Version: 1.3.3





More information about the cups-devel mailing list