Deny/Allow override in Location
Antti Harri
iku at openbsd.fi
Mon Nov 28 07:31:05 PST 2005
This is actually a feature in CUPS, but I consider the behaviour it causes a bug.
Code in auth.c forces access to the user, even though the admin has disabled such access from localhost. One can still disable Deny/Allow lines by not having them at all, which is logical.
# example configuration
<Location /admin>
Satisfy All
Order Deny,Allow
Deny From All
</Location>
Accessing http://localhost:631/admin will continue to work, because the IP 127.0.0.1 and the "localhost" hostname will get bypassed by the security definitions. See the patch below that I wrote (sorry about the C++ style comments):
--- scheduler/auth.c.orig Mon Jan 3 21:29:59 2005
+++ scheduler/auth.c Mon Nov 28 13:55:44 2005
@@ -912,15 +912,16 @@
address = ntohl(con->http.hostaddr.sin_addr.s_addr);
hostlen = strlen(con->http.hostname);
- if (address == 0x7f000001 || strcasecmp(con->http.hostname, "localhost") == 0)
- {
+// if (address == 0x7f000001 || strcasecmp(con->http.hostname, "localhost") == 0)
+// {
/*
* Access from localhost (127.0.0.1) is always allowed...
*/
- auth = AUTH_ALLOW;
- }
- else if (best->num_allow == 0 && best->num_deny == 0)
+// auth = AUTH_ALLOW;
+// }
+// else if (best->num_allow == 0 && best->num_deny == 0)
+ if (best->num_allow == 0 && best->num_deny == 0)
{
/*
* No allow/deny lines - allow access...
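Review bot: The block comment "Access from localhost (127.0.0.1) is always allowed..." is left live directly above the new `if (best->num_allow == 0 && best->num_deny == 0)` test, so after this change it describes behaviour the code no longer has. Delete the old branch and its comment outright instead of disabling it with `//` lines, which also keeps the file free of C++ style comments. With the branch gone, check whether the `address` assignment in the context lines above is still used further down in the function, since its only visible use is the removed comparison against 0x7f000001. Because the shortcut is removed for every Location, an existing configuration with "Deny From All" that relied on the implicit localhost access will lose local access to that location, so the change should come with a documentation note that local access now needs an explicit Allow line.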