1.4.6 permissions not being honored from cupsd.conf after upgrade

Paul Conklin paul.conklin at cerner.com
Tue Jun 28 09:34:38 PDT 2011


Fair enough, I can "enhance" this as a one-off if need be using 1.3.x style.  Can you foresee any way that this could be configurable?  If so, I'll submit an enhancement request; if not, I won't.

Here is why I ask...
We expose the WI to users, but it's locked down who can get to it via CITRIX, so we intentionally remove all authentication (except to create, re-configure, and delete queues) since users don't have BE Logins.

As always, thanks for your time and prompt responses.

And as a side note, for bugs, should just one for the lowest be logged or one for each maintained release?  I wasn't sure when I logged these so I did one for 1.4.6 and one for 1.5rc1 since the issue appeared in both. (Now I understand it was working as designed, just asking for future reference.)

> Cancel job is different - that is just a single operation so it can be handled by the policy. Move job needs to get a list of allowed printers (requires a username for the filtering) and do the move, which is two separate policies.
>
> Sent from my iPad
>
> On Jun 27, 2011, at 8:27 PM, Paul Conklin <paul.conklin at cerner.com> wrote:
>
> > Does that mean that Cancel is broken as well then, as I can cancel jobs w/o authenticating?
> >
> >> This is on purpose: when using the web interface we don't have a way to get a "logged in user" without authenticating.
> >>
> >> On Jun 27, 2011, at 7:07 PM, Paul Conklin wrote:
> >>
> >>> Logging this as a bug.
> >>>
> >>> I tracked down the code difference to the cgi-bin\ipp-var.c file
> >>>
> >>> in 1.3.x
> >>> if ((user = getenv("REMOTE_USER")) == NULL)
> >>>   user = "guest";
> >>> in 1.4.6
> >>> if ((user = getenv("REMOTE_USER")) == NULL)
> >>> {
> >>>   puts("Status: 401\n");
> >>>   exit(0);
> >>> }
> >>>
> >>> As such, it was essentially ignoring the privs set in cupsd.conf as it was hard coded to throw a 401 (unless I am reading something wrong).  I replaced this function with the 1.3.x style and that seems to have resolved the issue.
> >>>
> >>>> The more I play the more I think this is a bug, but I'll hold off until tomorrow to log it to see if any of you have other direct suggestions to try.  Same behavior occurs on 1.4.6 and 1.5rc1 but NOT 1.3.7.  Cancel job and all other operations do NOT require un/pw, but moving a job does.  I've also tried adding AuthType None, Allow from all and Encryption Never.  I also tried changing DefaultAuthType to None and that caused it to throw the 401 Unauthorized error.  I also set Limit All to not require anything and the same behavior occurred.  Please let me know if anyone has other suggestions.
> >>>>
> >>>>> Oddly enough, it will accept any valid username / password, but I don't even want it to prompt, it never used to.
> >>>>>
> >>>>>> Before I post this as a bug, I wanted to put this out there as a second set of eyes to see if I have something messed up that worked in 1.3.7 but needs to be changed in 1.4.6.  This config file worked well in 1.3.7, but after upgrading to 1.4.6, when trying to move a job from one printer to another, it prompts for username / password.
> >>>>>>
> >>>>>> #
> >>>>>> #
> >>>>>> #
> >>>>>> MaxLogSize 2000000000
> >>>>>> MaxJobs 0
> >>>>>> PreserveJobHistory Off
> >>>>>>
> >>>>>> # Log general information in error_log - change "info" to "debug" for
> >>>>>> # troubleshooting...
> >>>>>> LogLevel info
> >>>>>>
> >>>>>> # Administrator user group...
> >>>>>> SystemGroup sys root
> >>>>>>
> >>>>>>
> >>>>>> # Listen on port 631
> >>>>>> Port 631
> >>>>>> Listen /var/run/cups/cups.sock
> >>>>>>
> >>>>>> # Show shared printers on the local network.
> >>>>>> Browsing Off
> >>>>>> BrowseOrder allow,deny
> >>>>>> #BrowseAddress @LOCAL
> >>>>>> #BrowseAllow @LOCAL
> >>>>>> #BrowseShortNames Yes
> >>>>>>
> >>>>>> # Default authentication type, when authentication is required...
> >>>>>> DefaultAuthType Basic
> >>>>>>
> >>>>>> # Restrict access to the server...
> >>>>>> <Location />
> >>>>>> Order allow,deny
> >>>>>> Allow All
> >>>>>> </Location>
> >>>>>>
> >>>>>> # Restrict access to the admin pages...
> >>>>>> <Location /admin>
> >>>>>> Encryption IfRequested
> >>>>>> Order allow,deny
> >>>>>> Allow All
> >>>>>> </Location>
> >>>>>>
> >>>>>> # Restrict access to configuration files...
> >>>>>> <Location /admin/conf>
> >>>>>> AuthType Default
> >>>>>> Require user @SYSTEM
> >>>>>> Order allow,deny
> >>>>>> Allow All
> >>>>>> </Location>
> >>>>>>
> >>>>>> # Set the default printer/job policies...
> >>>>>> <Policy default>
> >>>>>> # Job-related operations must be done by the owner or an administrator...
> >>>>>> <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
> >>>>>> #    Require user @OWNER @SYSTEM
> >>>>>>   Order deny,allow
> >>>>>> </Limit>
> >>>>>>
> >>>>>> # All administration operations require an administrator to authenticate...
> >>>>>> <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
> >>>>>>   AuthType Default
> >>>>>>   Require user @SYSTEM
> >>>>>>   Order deny,allow
> >>>>>> </Limit>
> >>>>>>
> >>>>>> # All printer operations require a printer operator to authenticate...
> >>>>>> <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
> >>>>>> #    AuthType Default
> >>>>>> #    Require user @SYSTEM
> >>>>>>   Order deny,allow
> >>>>>> </Limit>
> >>>>>>
> >>>>>> # Only the owner or an administrator can cancel or authenticate a job...
> >>>>>> <Limit Cancel-Job CUPS-Authenticate-Job>
> >>>>>> #    Require user @OWNER @SYSTEM
> >>>>>>   Order deny,allow
> >>>>>> </Limit>
> >>>>>>
> >>>>>> <Limit All>
> >>>>>>   Order deny,allow
> >>>>>> </Limit>
> >>>>>> </Policy>
> >>>>>>
> >>>>>> #
> >>>>>> #
> >>>>>
> >>>>
> >>>
> >>> _______________________________________________
> >>> cups mailing list
> >>> cups at easysw.com
> >>> http://lists.easysw.com/mailman/listinfo/cups
> >>
> >> ________________________________________________________________________
> >> Michael Sweet, Senior Printing System Engineer, PWG Chair
> >>
> >
>
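
An added example, not part of the original thread and not CUPS code: a small Python check that lists the IPP operations in a cupsd.conf policy whose <Limit> block has no active Require line, run on a constructed, trimmed copy of the policy quoted above. The function name `unauthenticated_operations` and the sample text are assumptions made for illustration; the result shows CUPS-Move-Job open at the policy level, so the prompt described in the thread comes from the CGI's REMOTE_USER check rather than from this file.

```python
import re

# Constructed sample: a trimmed copy of the <Policy default> section quoted in the thread.
SAMPLE_CONF = """\
<Policy default>
<Limit Send-Document Hold-Job CUPS-Move-Job>
#    Require user @OWNER @SYSTEM
  Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer>
  AuthType Default
  Require user @SYSTEM
  Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
#    Require user @OWNER @SYSTEM
  Order deny,allow
</Limit>
<Limit All>
  Order deny,allow
</Limit>
</Policy>
"""

def unauthenticated_operations(conf_text):
    """Return {policy: [operations]} for <Limit> blocks with no active Require line."""
    findings, policy, ops, has_require = {}, None, None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # a commented-out Require does not count
            continue
        if (m := re.match(r"<Policy\s+(\S+)>$", line, re.I)):
            policy = m.group(1)
        elif line.lower() == "</policy>":
            policy = None
        elif policy and (m := re.match(r"<Limit\s+(.+)>$", line, re.I)):
            ops, has_require = m.group(1).split(), False
        elif ops is not None and line.lower().startswith("require "):
            has_require = True
        elif ops is not None and line.lower() == "</limit>":
            if not has_require:
                findings.setdefault(policy, []).extend(ops)
            ops = None
    return findings

if __name__ == "__main__":
    for name, open_ops in unauthenticated_operations(SAMPLE_CONF).items():
        print(name, "->", ", ".join(open_ops))
```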




