[cups.bugs] [HIGH] STR #3785: Updating printer config modifies allow, deny order incompatibly
Matt L
mattl at google.com
Wed Jan 26 09:33:33 PST 2011
[STR New]
CUPS is started with the following locations declared in cupsd.conf:
# Restrict access to the server...
<Location />
Order Deny,Allow
Deny From None
Allow From All
Encryption Required
</Location>
# Restrict access to the admin pages...
<Location /admin>
AuthType Basic
Encryption Required
Order Deny,Allow
Deny From All
Satisfy Any
Require user @SYSTEM @bar @foo
Allow From @IF(lo)
</Location>
# Restrict access to configuration files...
<Location /admin/conf>
AuthType Basic
Encryption Required
Order Deny,Allow
Deny From All
Satisfy Any
Require user @SYSTEM @bar @foo
Allow From @IF(lo)
</Location>
This works as expected, with the proper users getting access to the
system. A major problem arises if someone changes the cupsd config via
the web interface, however. If someone updates something in the config,
the daemon rewrites the locations as follows:
<Location />
Encryption Required
# Allow remote administration...
Order allow,deny
Allow @LOCAL
</Location>
<Location /admin>
AuthType Basic
Encryption Required
Satisfy Any
Require user @SYSTEM @bar @foo
# Allow remote administration...
Order allow,deny
Allow @LOCAL
</Location>
<Location /admin/conf>
AuthType Basic
Encryption Required
Satisfy Any
Require user @SYSTEM @bar @foo
# Allow remote access to the configuration files...
Order allow,deny
Allow @LOCAL
</Location>
The Order statements are reversed! And, in the case of /, the Deny From
None, Allow From All have vanished! (They have either disappeared or been
altered in the other stanzas as well.) We go from allowing everyone by
default to denying everyone by default. The end result is that everyone
immediately loses access to the web interface.
As far as I can tell from the cupsd.conf man page, the original syntax is
valid, and I don't believe there are any parsing errors, so I'm at a loss
to explain why the daemon is altering its own running configuration when
it saves.
Link: http://www.cups.org/str.php?L3785
Version: 1.4.6
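As an added example (not part of the bug report or of cupsd's code), a small Python model of how the Order, Allow and Deny directives of a CUPS Location stanza combine, applied to the "/" stanza before and after the rewrite described above; the subnets behind @LOCAL and the pattern matching are simplified assumptions.

```python
import ipaddress

# Constructed assumption for @LOCAL: the subnets of the host's interfaces.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]

def _matches(pattern, addr):
    """Simplified match of one Allow/Deny pattern against a client address."""
    p = pattern.lower()
    if p in ("all", "*"):
        return True
    if p == "none":
        return False
    if p == "@local":
        return any(addr in n for n in LOCAL_NETS)
    if p == "@if(lo)":
        return addr.is_loopback
    return addr in ipaddress.ip_network(pattern, strict=False)

def parse_location(text):
    """Collect Order/Allow/Deny directives from the body of a Location stanza."""
    rules = {"order": "deny,allow", "allow": [], "deny": []}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "order":
            rules["order"] = parts[1].lower()
        elif key in ("allow", "deny"):
            rules[key] += parts[2:] if parts[1].lower() == "from" else parts[1:]
    return rules

def check_access(rules, client):
    """Model of cupsd's check: allow,deny denies by default, deny,allow allows by default."""
    addr = ipaddress.ip_address(client)
    hit_allow = any(_matches(p, addr) for p in rules["allow"])
    hit_deny = any(_matches(p, addr) for p in rules["deny"])
    if rules["order"] == "allow,deny":
        return hit_allow and not hit_deny   # Deny rules are applied last
    return hit_allow or not hit_deny        # Allow rules are applied last

# The "/" stanza from the report, before and after cupsd rewrote it.
ORIGINAL_ROOT = "Order Deny,Allow\nDeny From None\nAllow From All\nEncryption Required"
REWRITTEN_ROOT = "Encryption Required\nOrder allow,deny\nAllow @LOCAL"

for name, stanza in (("original", ORIGINAL_ROOT), ("rewritten", REWRITTEN_ROOT)):
    rules = parse_location(stanza)
    print(name, [(c, check_access(rules, c)) for c in ("127.0.0.1", "10.1.2.3", "203.0.113.9")])
```

The original "/" stanza admits every client, while the rewritten one admits only addresses matching @LOCAL, which is the loss of access the report describes.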