Sync from SUSE:SLFO:Main cups revision c19ea54335dc2315461ac6fd8fc5c817
This commit is contained in:
commit
f11dd59b7b
23
.gitattributes
vendored
Normal file
23
.gitattributes
vendored
Normal file
@ -0,0 +1,23 @@
|
||||
## Default LFS
|
||||
*.7z filter=lfs diff=lfs merge=lfs -text
|
||||
*.bsp filter=lfs diff=lfs merge=lfs -text
|
||||
*.bz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.gem filter=lfs diff=lfs merge=lfs -text
|
||||
*.gz filter=lfs diff=lfs merge=lfs -text
|
||||
*.jar filter=lfs diff=lfs merge=lfs -text
|
||||
*.lz filter=lfs diff=lfs merge=lfs -text
|
||||
*.lzma filter=lfs diff=lfs merge=lfs -text
|
||||
*.obscpio filter=lfs diff=lfs merge=lfs -text
|
||||
*.oxt filter=lfs diff=lfs merge=lfs -text
|
||||
*.pdf filter=lfs diff=lfs merge=lfs -text
|
||||
*.png filter=lfs diff=lfs merge=lfs -text
|
||||
*.rpm filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.tgz filter=lfs diff=lfs merge=lfs -text
|
||||
*.ttf filter=lfs diff=lfs merge=lfs -text
|
||||
*.txz filter=lfs diff=lfs merge=lfs -text
|
||||
*.whl filter=lfs diff=lfs merge=lfs -text
|
||||
*.xz filter=lfs diff=lfs merge=lfs -text
|
||||
*.zip filter=lfs diff=lfs merge=lfs -text
|
||||
*.zst filter=lfs diff=lfs merge=lfs -text
|
BIN
Postscript-level1.ppd.gz
(Stored with Git LFS)
Normal file
BIN
Postscript-level1.ppd.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
BIN
Postscript-level2.ppd.gz
(Stored with Git LFS)
Normal file
BIN
Postscript-level2.ppd.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
BIN
Postscript.ppd.gz
(Stored with Git LFS)
Normal file
BIN
Postscript.ppd.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
5
baselibs.conf
Normal file
5
baselibs.conf
Normal file
@ -0,0 +1,5 @@
|
||||
libcups2
|
||||
provides "cups-libs-<targettype> = <version>"
|
||||
obsoletes "cups-libs-<targettype> < <version>"
|
||||
libcupsimage2
|
||||
cups-devel
|
26
cups-1.4-do_not_strip_recommended_from_PPDs.patch
Normal file
26
cups-1.4-do_not_strip_recommended_from_PPDs.patch
Normal file
@ -0,0 +1,26 @@
|
||||
--- scheduler/cups-driverd.cxx.orig 2009-06-09 00:00:14.000000000 +0200
|
||||
+++ scheduler/cups-driverd.cxx 2009-07-01 14:38:44.000000000 +0200
|
||||
@@ -211,7 +211,6 @@ add_ppd(const char *filename, /* I - PP
|
||||
const char *scheme) /* I - PPD scheme */
|
||||
{
|
||||
ppd_info_t *ppd; /* PPD */
|
||||
- char *recommended; /* Foomatic driver string */
|
||||
|
||||
|
||||
/*
|
||||
@@ -250,15 +249,6 @@ add_ppd(const char *filename, /* I - PP
|
||||
strlcpy(ppd->record.scheme, scheme, sizeof(ppd->record.scheme));
|
||||
|
||||
/*
|
||||
- * Strip confusing (and often wrong) "recommended" suffix added by
|
||||
- * Foomatic drivers...
|
||||
- */
|
||||
-
|
||||
- if ((recommended = strstr(ppd->record.make_and_model,
|
||||
- " (recommended)")) != NULL)
|
||||
- *recommended = '\0';
|
||||
-
|
||||
- /*
|
||||
* Add the PPD to the PPD arrays...
|
||||
*/
|
||||
|
12
cups-2.1.0-choose-uri-template.patch
Normal file
12
cups-2.1.0-choose-uri-template.patch
Normal file
@ -0,0 +1,12 @@
|
||||
--- templates/choose-uri.tmpl.orig 2013-10-21 23:41:21.000000000 +0200
|
||||
+++ templates/choose-uri.tmpl 2015-09-01 11:00:50.000000000 +0200
|
||||
@@ -23,6 +23,9 @@
|
||||
|
||||
lpd://hostname/queue
|
||||
|
||||
+ smb://servername/printer
|
||||
+ smb://username:password@workgroup/servername/printer
|
||||
+
|
||||
socket://hostname
|
||||
socket://hostname:9100
|
||||
</PRE>
|
21
cups-2.1.0-default-webcontent-path.patch
Normal file
21
cups-2.1.0-default-webcontent-path.patch
Normal file
@ -0,0 +1,21 @@
|
||||
--- config-scripts/cups-directories.m4
|
||||
+++ config-scripts/cups-directories.m4.orig
|
||||
@@ -166,15 +166,15 @@ AS_IF([test "x$menudir" = x], [
|
||||
AC_SUBST([MENUDIR])
|
||||
|
||||
# Documentation files
|
||||
-AC_ARG_WITH([docdir], AS_HELP_STRING([--with-docdir], [set path for documentation]), [
|
||||
+AC_ARG_WITH([docdir], AS_HELP_STRING([--with-docdir], [set path and DocumentRoot directive for web content, default=datadir/cups/webcontent]), [
|
||||
docdir="$withval"
|
||||
], [
|
||||
docdir=""
|
||||
])
|
||||
|
||||
AS_IF([test x$docdir = x], [
|
||||
- CUPS_DOCROOT="$datadir/doc/cups"
|
||||
- docdir="$datadir/doc/cups"
|
||||
+ CUPS_DOCROOT="$datadir/cups/webcontent"
|
||||
+ docdir="$datadir/cups/webcontent"
|
||||
], [
|
||||
CUPS_DOCROOT="$docdir"
|
||||
])
|
12
cups-2.4.2-CVE-2023-32324.patch
Normal file
12
cups-2.4.2-CVE-2023-32324.patch
Normal file
@ -0,0 +1,12 @@
|
||||
--- cups/string.c.orig 2022-05-26 08:17:21.000000000 +0200
|
||||
+++ cups/string.c 2023-06-01 13:26:33.175494819 +0200
|
||||
@@ -730,6 +730,9 @@ _cups_strlcpy(char *dst, /* O - D
|
||||
size_t srclen; /* Length of source string */
|
||||
|
||||
|
||||
+ if (size == 0)
|
||||
+ return (0);
|
||||
+
|
||||
/*
|
||||
* Figure out how much room is needed...
|
||||
*/
|
18
cups-2.4.2-CVE-2023-32360.patch
Normal file
18
cups-2.4.2-CVE-2023-32360.patch
Normal file
@ -0,0 +1,18 @@
|
||||
--- conf/cupsd.conf.in.orig 2022-05-26 08:17:21.000000000 +0200
|
||||
+++ conf/cupsd.conf.in 2023-09-20 13:39:53.316719260 +0200
|
||||
@@ -68,7 +68,14 @@ IdleExitTimeout @EXIT_TIMEOUT@
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
|
||||
- <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
|
||||
+ <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
|
||||
+ Require user @OWNER @SYSTEM
|
||||
+ Order deny,allow
|
||||
+ </Limit>
|
||||
+
|
||||
+ # Require authentication for CUPS-Get-Document otherwise unauthenticated users could access print job documents:
|
||||
+ <Limit CUPS-Get-Document>
|
||||
+ AuthType Default
|
||||
Require user @OWNER @SYSTEM
|
||||
Order deny,allow
|
||||
</Limit>
|
46
cups-2.4.2-CVE-2023-34241.patch
Normal file
46
cups-2.4.2-CVE-2023-34241.patch
Normal file
@ -0,0 +1,46 @@
|
||||
--- scheduler/client.c.orig 2022-05-26 08:17:21.000000000 +0200
|
||||
+++ scheduler/client.c 2023-06-22 12:47:25.329404393 +0200
|
||||
@@ -193,13 +193,10 @@ cupsdAcceptClient(cupsd_listener_t *lis)
|
||||
/*
|
||||
* Can't have an unresolved IP address with double-lookups enabled...
|
||||
*/
|
||||
-
|
||||
- httpClose(con->http);
|
||||
-
|
||||
cupsdLogClient(con, CUPSD_LOG_WARN,
|
||||
- "Name lookup failed - connection from %s closed!",
|
||||
+ "Name lookup failed - closing connection from %s!",
|
||||
httpGetHostname(con->http, NULL, 0));
|
||||
-
|
||||
+ httpClose(con->http);
|
||||
free(con);
|
||||
return;
|
||||
}
|
||||
@@ -234,12 +231,10 @@ cupsdAcceptClient(cupsd_listener_t *lis)
|
||||
* Can't have a hostname that doesn't resolve to the same IP address
|
||||
* with double-lookups enabled...
|
||||
*/
|
||||
-
|
||||
- httpClose(con->http);
|
||||
-
|
||||
cupsdLogClient(con, CUPSD_LOG_WARN,
|
||||
- "IP lookup failed - connection from %s closed!",
|
||||
+ "IP lookup failed - closing connection from %s!",
|
||||
httpGetHostname(con->http, NULL, 0));
|
||||
+ httpClose(con->http);
|
||||
free(con);
|
||||
return;
|
||||
}
|
||||
@@ -256,11 +251,10 @@ cupsdAcceptClient(cupsd_listener_t *lis)
|
||||
|
||||
if (!hosts_access(&wrap_req))
|
||||
{
|
||||
- httpClose(con->http);
|
||||
-
|
||||
cupsdLogClient(con, CUPSD_LOG_WARN,
|
||||
"Connection from %s refused by /etc/hosts.allow and "
|
||||
"/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
|
||||
+ httpClose(con->http);
|
||||
free(con);
|
||||
return;
|
||||
}
|
21
cups-2.4.2-CVE-2023-4504.patch
Normal file
21
cups-2.4.2-CVE-2023-4504.patch
Normal file
@ -0,0 +1,21 @@
|
||||
--- cups/raster-interpret.c.orig 2022-05-26 08:17:21.000000000 +0200
|
||||
+++ cups/raster-interpret.c 2023-09-20 14:56:44.666363324 +0200
|
||||
@@ -1113,6 +1113,18 @@ scan_ps(_cups_ps_stack_t *st, /* I - S
|
||||
|
||||
cur ++;
|
||||
|
||||
+ /*
|
||||
+ * Return NULL if we reached NULL terminator, a lone backslash
|
||||
+ * is not a valid character in PostScript.
|
||||
+ */
|
||||
+
|
||||
+ if (!*cur)
|
||||
+ {
|
||||
+ *ptr = NULL;
|
||||
+
|
||||
+ return (NULL);
|
||||
+ }
|
||||
+
|
||||
if (*cur == 'b')
|
||||
*valptr++ = '\b';
|
||||
else if (*cur == 'f')
|
48
cups-2.4.2-additional_policies.patch
Normal file
48
cups-2.4.2-additional_policies.patch
Normal file
@ -0,0 +1,48 @@
|
||||
--- conf/cupsd.conf.in.CVE-2023-32360.patched 2023-09-20 13:39:53.316719260 +0200
|
||||
+++ conf/cupsd.conf.in 2023-09-20 13:46:48.474661749 +0200
|
||||
@@ -196,3 +196,45 @@ IdleExitTimeout @EXIT_TIMEOUT@
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
</Policy>
|
||||
+
|
||||
+# The policy below is added by SUSE during build of our cups package.
|
||||
+# The policy 'allowallforanybody' is totally open and insecure and therefore
|
||||
+# it can only be used within an internal network where only trused users exist
|
||||
+# and where the cupsd is not accessible at all from any external host, see
|
||||
+# http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
|
||||
+# Have in mind that any user who is allowed to do printer admin tasks
|
||||
+# can change the print queues as he likes - e.g. send copies of confidental
|
||||
+# print jobs from an internal network to any external destination, see
|
||||
+# http://en.opensuse.org/SDB:CUPS_in_a_Nutshell
|
||||
+# For documentation regarding 'Managing Operation Policies' see
|
||||
+# https://openprinting.github.io/cups/doc/policies.html
|
||||
+<Policy allowallforanybody>
|
||||
+ # Allow anybody to access job's private values:
|
||||
+ JobPrivateAccess all
|
||||
+ # Make none of the job values to be private:
|
||||
+ JobPrivateValues none
|
||||
+ # Allow anybody to access subscription's private values:
|
||||
+ SubscriptionPrivateAccess all
|
||||
+ # Make none of the subscription values to be private:
|
||||
+ SubscriptionPrivateValues none
|
||||
+ # Allow anybody to do all IPP operations:
|
||||
+ # Currently the IPP operations Validate-Job Cancel-Jobs Cancel-My-Jobs Close-Job CUPS-Get-Document
|
||||
+ # must be additionally exlicitly specified because those IPP operations are not included
|
||||
+ # in the "All" wildcard value - otherwise cupsd prints error messages of the form
|
||||
+ # "No limit for Validate-Job defined in policy allowallforanybody and no suitable template found."
|
||||
+ <Limit Validate-Job Cancel-Jobs Cancel-My-Jobs Close-Job CUPS-Get-Document>
|
||||
+ Order deny,allow
|
||||
+ Allow from all
|
||||
+ </Limit>
|
||||
+ # Since CUPS > 1.5.4 the "All" wildcard value must be specified separately,
|
||||
+ # otherwise clients like "lpstat -p" just hang up,
|
||||
+ # see https://bugzilla.opensuse.org/show_bug.cgi?id=936309
|
||||
+ # and https://www.cups.org/str.php?L4659
|
||||
+ <Limit All>
|
||||
+ Order deny,allow
|
||||
+ Allow from all
|
||||
+ </Limit>
|
||||
+</Policy>
|
||||
+# Explicitly set the CUPS 'default' policy to be used by default:
|
||||
+DefaultPolicy default
|
||||
+
|
BIN
cups-2.4.2-source.tar.gz
(Stored with Git LFS)
Normal file
BIN
cups-2.4.2-source.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
BIN
cups-2.4.2-source.tar.gz.sig
Normal file
BIN
cups-2.4.2-source.tar.gz.sig
Normal file
Binary file not shown.
28
cups-client.conf
Normal file
28
cups-client.conf
Normal file
@ -0,0 +1,28 @@
|
||||
# CUPS client configuration file (optional).
|
||||
|
||||
# You may use /etc/cups/client.conf (system wide)
|
||||
# or ~/.cups/client.conf (per user).
|
||||
# For more information see "man 5 client.conf".
|
||||
|
||||
# The ServerName directive specifies the remote server
|
||||
# that is to be used for all client operations. That is, it
|
||||
# redirects all client requests directly to that remote server
|
||||
# so that a local running cupsd is not used in this case.
|
||||
# The default is to use the local server ("localhost") or domain socket.
|
||||
# Only one ServerName directive may appear.
|
||||
# If multiple names are present, only the last one is used.
|
||||
# The default port number is 631 but can be overridden by adding
|
||||
# a colon followed by the desired port number.
|
||||
# The default IPP version is 2.0 but can be overridden by adding
|
||||
# a slash followed by version=V where V is 1.0 or 1.1 or 2.0 or 2.1 or 2.2.
|
||||
# IPP version 2.0 does do not work with CUPS 1.3 or older servers.
|
||||
# If an CUPS 1.3 or older server is used, its older IPP version
|
||||
# must be specified as .../version=1.1 or .../version=1.0.
|
||||
|
||||
# Examples:
|
||||
# ServerName sever.example.com
|
||||
# ServerName 192.0.2.10
|
||||
# ServerName sever.example.com:8631
|
||||
# ServerName older.server.example.com/version=1.1
|
||||
# ServerName older.server.example.com:8631/version=1.1
|
||||
|
11
cups-config-libs.patch
Normal file
11
cups-config-libs.patch
Normal file
@ -0,0 +1,11 @@
|
||||
--- cups-config.in.orig 2011-08-27 11:23:01.000000000 +0200
|
||||
+++ cups-config.in 2012-11-27 15:47:27.000000000 +0100
|
||||
@@ -35,7 +35,7 @@ INSTALLSTATIC=@INSTALLSTATIC@
|
||||
# flags for compiler and linker...
|
||||
CFLAGS=""
|
||||
LDFLAGS="@EXPORT_LDFLAGS@"
|
||||
-LIBS="@LIBGSSAPI@ @DNSSDLIBS@ @EXPORT_TLSLIBS@ @LIBZ@ @LIBS@"
|
||||
+LIBS=""
|
||||
|
||||
# Check for local invocation...
|
||||
selfdir=`dirname $0`
|
5
cups-pam.diff
Normal file
5
cups-pam.diff
Normal file
@ -0,0 +1,5 @@
|
||||
--- conf/pam.suse 2003/02/07 11:09:32 1.1
|
||||
+++ conf/pam.suse 2003/02/07 11:10:03
|
||||
@@ -0,0 +1,2 @@
|
||||
+auth include common-auth
|
||||
+account include common-account
|
4793
cups.changes
Normal file
4793
cups.changes
Normal file
File diff suppressed because it is too large
Load Diff
14
cups.keyring
Normal file
14
cups.keyring
Normal file
@ -0,0 +1,14 @@
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mDMEYfKEjRYJKwYBBAHaRw8BAQdAJggn9NALyWqrgrFGPJ9RvPb7wYbskxKRKQcL
|
||||
v+8Hpbq0QVpkZW5layBEb2huYWwgKFRoZSBvbGQgNEQ0MjI3RDcga2V5IHJldm9r
|
||||
ZWQpIDx6ZG9obmFsQHJlZGhhdC5jb20+iJQEExYKADwWIQRwgqClCi6SZA84gODk
|
||||
Ui3MmyRv9wUCYfKEjQIbAwULCQgHAgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQ
|
||||
5FItzJskb/fbUQEAm6R78JoZSIOpu68gtUUp1qbfDdsfoQkbdyfws/myB6gA/A6/
|
||||
9QiIk50DNCmBTisZk5CFP51YNvwnyxafmE3cDn8GuDgEYfKEjRIKKwYBBAGXVQEF
|
||||
AQEHQF6Qgj5UQqUdvqvnDqygQ6Vm59nRGHbPVDTwendtM5cCAwEIB4h4BBgWCgAg
|
||||
FiEEcIKgpQoukmQPOIDg5FItzJskb/cFAmHyhI0CGwwACgkQ5FItzJskb/e2CwD/
|
||||
SyRi/I5Il5XY5VXEL/eBsnNvvtaO0T10V4/vBMiDb+sBAK3YmRl6WStfRiEvMXQv
|
||||
OhMT+sEjx6ufQXkuPeXHvrgK
|
||||
=vSEm
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
845
cups.spec
Normal file
845
cups.spec
Normal file
@ -0,0 +1,845 @@
|
||||
#
|
||||
# spec file for package cups
|
||||
#
|
||||
# Copyright (c) 2023 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
# upon. The license for this file, and modifications and additions to the
|
||||
# file, is the same license as for the pristine package itself (unless the
|
||||
# license for the pristine package is not an Open Source License, in which
|
||||
# case the license is the MIT License). An "Open Source License" is a
|
||||
# license that conforms to the Open Source Definition (Version 1.9)
|
||||
# published by the Open Source Initiative.
|
||||
|
||||
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||
#
|
||||
|
||||
|
||||
# By default enable testsuite (i.e. in the 'check' section run 'make test')
|
||||
# cf. https://rpm.org/user_doc/conditional_builds.html
|
||||
# To disable the testsuite you may set 'bcond_with testsuite' instead
|
||||
# until https://github.com/OpenPrinting/cups/issues/155 is actually fixed
|
||||
# but we do not error out when 'make test' fails (see the 'check' section):
|
||||
%bcond_without testsuite
|
||||
|
||||
# _tmpfilesdir is not defined in systemd macros up to openSUSE 13.2
|
||||
%{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d }
|
||||
|
||||
# dbus too old in SLE 12
|
||||
%if 0%{?suse_version} < 1500
|
||||
%define dbus_dir %{_sysconfdir}/dbus-1
|
||||
%define dbus_config %config
|
||||
%else
|
||||
%define dbus_dir %{_datadir}/dbus-1
|
||||
%define dbus_config %nil
|
||||
%endif
|
||||
|
||||
Name: cups
|
||||
# CUPS beta version numbers like "2.3b6" can be used as is because
|
||||
# "zypper vcmp 2.3.b99 2.3.0" shows "2.3.b99 is older than 2.3.0" and
|
||||
# "zypper vcmp 2.2.99 2.3b6" show "2.2.99 is older than 2.3b6" so that
|
||||
# version upgrades from 2.2.x via 2.3.b* to 2.3.0 work:
|
||||
Version: 2.4.2
|
||||
Release: 0
|
||||
Summary: The Common UNIX Printing System
|
||||
License: Apache-2.0
|
||||
Group: Hardware/Printing
|
||||
URL: https://openprinting.github.io/cups
|
||||
# To get Source0 go to https://github.com/OpenPrinting/cups/releases or use e.g.
|
||||
# wget --no-check-certificate -O cups-2.4.2-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.2/cups-2.4.2-source.tar.gz
|
||||
Source0: https://github.com/OpenPrinting/cups/releases/download/v2.4.2/cups-2.4.2-source.tar.gz
|
||||
# To get Source1 go to https://github.com/OpenPrinting/cups/releases or use e.g.
|
||||
# wget --no-check-certificate -O cups-2.4.2-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.2/cups-2.4.2-source.tar.gz.sig
|
||||
Source1: https://github.com/OpenPrinting/cups/releases/download/v2.4.2/cups-2.4.2-source.tar.gz.sig
|
||||
# To make Source2 use e.g.
|
||||
# gpg --keyserver keys.openpgp.org --recv-keys 7082A0A50A2E92640F3880E0E4522DCC9B246FF7
|
||||
# gpg --export --armor 7082A0A50A2E92640F3880E0E4522DCC9B246FF7 >cups.keyring
|
||||
# See https://github.com/OpenPrinting/cups/discussions/327#discussioncomment-2060579
|
||||
# PGP Fingerprint: 7082A0A50A2E92640F3880E0E4522DCC9B246FF7
|
||||
Source2: cups.keyring
|
||||
# To manually verify Source0 with Source1 and Source2 do e.g.
|
||||
# gpg --import cups.keyring
|
||||
# gpg --list-keys | grep -1 'Zdenek Dohnal'
|
||||
# gpg --verify cups-2.4.2-source.tar.gz.sig cups-2.4.2-source.tar.gz
|
||||
Source102: Postscript.ppd.gz
|
||||
Source105: Postscript-level1.ppd.gz
|
||||
Source106: Postscript-level2.ppd.gz
|
||||
Source108: cups-client.conf
|
||||
Source109: baselibs.conf
|
||||
# Patch0...Patch9 is for patches from upstream:
|
||||
# Source10...Source99 is for sources from SUSE which are intended for upstream:
|
||||
# Patch10...Patch99 is for patches from SUSE which are intended for upstream:
|
||||
# Patch10 cups-2.1.0-choose-uri-template.patch adds 'smb://...' URIs to templates/choose-uri.tmpl:
|
||||
Patch10: cups-2.1.0-choose-uri-template.patch
|
||||
# Patch11 cups-2.1.0-default-webcontent-path.patch changes the default path whereto the
|
||||
# web content is installed from /usr/share/doc/cups to /usr/share/cups/webcontent
|
||||
# because the files of the CUPS web content are no documentation, see CUPS STR #3578
|
||||
# and https://bugzilla.suse.com/show_bug.cgi?id=546023#c6 and subsequent comments:
|
||||
Patch11: cups-2.1.0-default-webcontent-path.patch
|
||||
# Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
|
||||
# Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
|
||||
Patch100: cups-pam.diff
|
||||
# Patch103 cups-1.4-do_not_strip_recommended_from_PPDs.patch
|
||||
# reverts the change which was added by Michael Sweet in Jan 2007
|
||||
# which strips the word "recommended" from NickName in PPDs because
|
||||
# at least yast2-printer in SUSE needs it, compare the
|
||||
# 'Why not "recommend" PPDs in the NickName?' and the subsequent
|
||||
# 'RFC: New Driver Rating/Information Attributes' mail thread on cups@easysw.com:
|
||||
Patch103: cups-1.4-do_not_strip_recommended_from_PPDs.patch
|
||||
# Patch104 cups-config-libs.patch fixes option --libs in cups-config script:
|
||||
Patch104: cups-config-libs.patch
|
||||
# Patch107 harden_cups.service.patch adds hardening to systemd service cups.service
|
||||
# see https://bugzilla.suse.com/show_bug.cgi?id=1181400
|
||||
# and https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||
# where the default hardening settings are enhanced by adding
|
||||
# ReadWritePaths=/etc/cups because cupsd needs write access in /etc/cups
|
||||
# see https://bugzilla.suse.com/show_bug.cgi?id=1195288
|
||||
Patch107: harden_cups.service.patch
|
||||
# Patch108 downgrade-autoconf-requirement.patch
|
||||
# downgrades the autoconf requirement to the autoconf available in Tumbleweed as of this writing:
|
||||
Patch108: downgrade-autoconf-requirement.patch
|
||||
# Patch109 cups-2.4.2-CVE-2023-32324.patch
|
||||
# fixes CVE-2023-32324 "Heap buffer overflow in cupsd"
|
||||
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7
|
||||
# https://bugzilla.suse.com/show_bug.cgi?id=1211643
|
||||
Patch109: cups-2.4.2-CVE-2023-32324.patch
|
||||
# Patch110 cups-2.4.2-CVE-2023-34241.patch
|
||||
# fixes CVE-2023-34241 "use-after-free in cupsdAcceptClient()"
|
||||
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
|
||||
# https://bugzilla.suse.com/show_bug.cgi?id=1212230
|
||||
Patch110: cups-2.4.2-CVE-2023-34241.patch
|
||||
# Patch111 cups-2.4.2-CVE-2023-32360.patch
|
||||
# fixes CVE-2023-32360 "Information leak through Cups-Get-Document operation"
|
||||
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
|
||||
# https://bugzilla.suse.com/show_bug.cgi?id=1214254
|
||||
Patch111: cups-2.4.2-CVE-2023-32360.patch
|
||||
# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
|
||||
# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
|
||||
Patch112: cups-2.4.2-additional_policies.patch
|
||||
# Patch113 cups-2.4.2-CVE-2023-4504.patch
|
||||
# fixes CVE-2023-4504 "CUPS PostScript Parsing Heap Overflow"
|
||||
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
|
||||
# https://bugzilla.suse.com/show_bug.cgi?id=1215204
|
||||
Patch113: cups-2.4.2-CVE-2023-4504.patch
|
||||
# Build Requirements:
|
||||
BuildRequires: dbus-1-devel
|
||||
BuildRequires: fdupes
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: gnutls-devel
|
||||
BuildRequires: libavahi-devel
|
||||
BuildRequires: libgcrypt-devel
|
||||
BuildRequires: libjpeg-devel
|
||||
BuildRequires: libpng-devel
|
||||
BuildRequires: libtiff-devel
|
||||
BuildRequires: libtool
|
||||
BuildRequires: libusb-1_0-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: zlib-devel
|
||||
%if 0%{?suse_version} >= 1315
|
||||
BuildRequires: pkgconfig(krb5)
|
||||
%else
|
||||
BuildRequires: krb5-devel
|
||||
%endif
|
||||
%if 0%{?suse_version} > 1310
|
||||
BuildRequires: pkgconfig(libsystemd)
|
||||
%else
|
||||
BuildRequires: pkgconfig(libsystemd-daemon)
|
||||
%endif
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
# Require the exact matching version-release of the cups-client sub-package
|
||||
# (that requires all native CUPS libraries i.e. the libcups* sub-packages)
|
||||
# and the cups-config sub-package.
|
||||
# The exact matching version-release of each sub-package is available
|
||||
# on the same package repository where the cups package is because
|
||||
# all are built simulaneously from the same cups source package
|
||||
# and all required packages are provided on the same repository:
|
||||
Requires: cups-client = %{version}-%{release}
|
||||
Requires: cups-config = %{version}-%{release}
|
||||
Requires(pre): %{_sbindir}/groupadd
|
||||
Requires(pre): coreutils
|
||||
# Cf. https://en.opensuse.org/openSUSE:Systemd_packaging_guidelines
|
||||
# versus https://lists.opensuse.org/opensuse-factory/2015-03/msg00218.html
|
||||
%{?systemd_requires}
|
||||
# Since CUPS 1.6 all non-Mac filters are dropped from CUPS
|
||||
# and provided in the separated cups-filters software from OpenPrinting.org:
|
||||
Recommends: cups-filters
|
||||
# Our Source105 PSLEVEL1.PPD.bz2 and Source106 PSLEVEL2.PPD.bz2 need foomatic-rip
|
||||
# but this does not justify a RPM Requires so that a weak Recommends is sufficient:
|
||||
Recommends: foomatic-filters
|
||||
# The Ghostscript device "cups" is needed by several CUPS filters
|
||||
# (in particular the "rasterto..." filters) which might justify a RPM Requires.
|
||||
# But a RPM requirement for ghostscript would cause a build dependency cycle because
|
||||
# cups Requires ghostscript which BuildRequires cups-devel which Requires libcups2
|
||||
# and libcups2 is a sub-package of cups so that there is an implicit build dependency
|
||||
# cycle between the main-packages cups and ghostscript.
|
||||
# Furthermore, Ghostscript is not needed on a system where those CUPS filters are not used
|
||||
# (e.g. on client systems in the network where the filtering hapens on a CUPS server
|
||||
# or on a CUPS server with only "raw" queues), so that a weak Recommends fits better:
|
||||
Recommends: ghostscript
|
||||
# Install into this non-root directory (required when it is built as non-root user):
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
# Conflicts with other print spoolers which provide same binaries like
|
||||
# /usr/bin/lp and so on or which may listen on the same port (e.g. cups-lpd
|
||||
# versus traditional lpd on port 515):
|
||||
Conflicts: lprng
|
||||
Conflicts: lprold
|
||||
Conflicts: plp
|
||||
|
||||
%description
|
||||
CUPS is a modular printing system which allows a computer to act as a
|
||||
print server. A computer running CUPS is a host that can accept print
|
||||
jobs from client computers, process them, and send them to the
|
||||
appropriate printer.
|
||||
|
||||
CUPS consists of a print spooler and scheduler, a filter system that
|
||||
converts the print data to a format that the printer will understand,
|
||||
and a backend system that sends this data to the print device. CUPS
|
||||
uses the Internet Printing Protocol (IPP) as the basis for managing
|
||||
print jobs and queues. It also provides the traditional command line
|
||||
interfaces for the System V and Berkeley print systems, and provides
|
||||
support for the Berkeley print system's Line Printer Daemon protocol
|
||||
and limited support for the server message block (SMB) protocol.
|
||||
|
||||
CUPS comes with a built-in web-based interface.
|
||||
|
||||
%package -n libcups2
|
||||
Summary: HTTP/IPP communication and printer queue and job library
|
||||
Group: System/Libraries
|
||||
Requires: cups-config
|
||||
Obsoletes: cups-libs < %{version}-%{release}
|
||||
Provides: cups-libs = %{version}-%{release}
|
||||
|
||||
%description -n libcups2
|
||||
The CUPS library contains all of the core HTTP and IPP communications
|
||||
code as well as convenience functions for queuing print jobs, getting
|
||||
printer information, accessing resources via HTTP and IPP, and
|
||||
manipulating PPD files. The scheduler and all commands, filters, and
|
||||
backends use this library.
|
||||
|
||||
%package -n libcupsimage2
|
||||
Summary: CUPS library for working with large images
|
||||
Group: System/Libraries
|
||||
|
||||
%description -n libcupsimage2
|
||||
The CUPS imaging library provides functions for managing large
|
||||
images, doing colorspace conversion and color management, scaling
|
||||
images for printing, and managing raster page streams. It is used by
|
||||
the CUPS image file filters, the PostScript RIP, and all raster
|
||||
printers drivers.
|
||||
|
||||
%package config
|
||||
Summary: CUPS library configuration files
|
||||
Group: Hardware/Printing
|
||||
%if 0%{?suse_version} >= 1330
|
||||
Requires(pre): user(lp)
|
||||
Requires(pre): group(lp)
|
||||
%endif
|
||||
|
||||
%description config
|
||||
CUPS is a modular printing system which allows a computer to act as a
|
||||
print server.
|
||||
|
||||
This subpackage contains some basic configuration files for its
|
||||
operation.
|
||||
|
||||
%package client
|
||||
Summary: CUPS Client Programs
|
||||
# Require the exact matching version-release of the libcups* sub-packages because
|
||||
# non-matching CUPS libraries may let CUPS software crash (e.g. segfault)
|
||||
# because all CUPS software is provided as one single CUPS source tarball
|
||||
# and there are CUPS-internal dependencies via CUPS private API calls
|
||||
# (which do not happen for third-party software which uses only the CUPS public API).
|
||||
# The exact matching version-release of each libcups* sub-package is available
|
||||
# on the same package repository where the cups package is because
|
||||
# all are built simultaneously from the same cups source package
|
||||
# and all required packages are provided on the same repository:
|
||||
Group: Hardware/Printing
|
||||
Requires: libcups2 = %{version}-%{release}
|
||||
Requires: libcupsimage2 = %{version}-%{release}
|
||||
# Conflicts with other print spoolers which provide same binaries like /usr/bin/lp and so on:
|
||||
Conflicts: lprng
|
||||
Conflicts: lprold
|
||||
Conflicts: plp
|
||||
|
||||
%description client
|
||||
CUPS is a modular printing system which allows a computer to act as a
|
||||
print server. A computer running CUPS is a host that can accept print
|
||||
jobs from client computers, process them, and send them to the
|
||||
appropriate printer.
|
||||
|
||||
This package contains the traditional command line interfaces for the
|
||||
System V and Berkeley print systems.
|
||||
|
||||
%package devel
|
||||
Summary: Development Environment for CUPS
|
||||
# Do not require the exact matching version-release
|
||||
# of the native CUPS libraries (i.e. the libcups* sub-packages)
|
||||
# but only CUPS libraries with matching version because
|
||||
# for building third-party software which uses only the CUPS public API
|
||||
# there are no CUPS-internal dependencies via CUPS private API calls
|
||||
# (the latter would require the exact matching CUPS libraries version-release):
|
||||
Group: Development/Libraries/C and C++
|
||||
Requires: glibc-devel
|
||||
Requires: libcups2 = %{version}
|
||||
Requires: libcupsimage2 = %{version}
|
||||
# make sure printer drivers benefit from automatic provides
|
||||
%if 0%{?suse_version} >= 1500
|
||||
Requires: cups-rpm-helper
|
||||
%endif
|
||||
|
||||
%description devel
|
||||
CUPS is a modular printing system which allows a computer to act as a
|
||||
print server.
|
||||
|
||||
This subpackage contains the header files for developing applications
|
||||
that want to make use of libcups for adding print support.
|
||||
|
||||
%package ddk
|
||||
Summary: CUPS Driver Development Kit
|
||||
Group: Hardware/Printing
|
||||
Requires: cups = %{version}
|
||||
Requires: cups-devel = %{version}
|
||||
# Since CUPS 1.4 the CUPS Driver Development Kit (DDK) is bundled with CUPS.
|
||||
# For CUPS 1.2.x and 1.3.x, the DDK was separated software
|
||||
# which we provided (up to openSUSE 11.1 / SLE11) in our cupsddk package:
|
||||
Provides: cupsddk = %{version}
|
||||
Obsoletes: cupsddk < %{version}
|
||||
|
||||
%description ddk
|
||||
The CUPS Driver Development Kit (DDK) provides
|
||||
a suite of standard drivers, a PPD file compiler,
|
||||
and other utilities that can be used to develop
|
||||
printer drivers for CUPS.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
# Patch0...Patch9 is for patches from upstream:
|
||||
# Patch10...Patch99 is for patches from SUSE which are intended for upstream:
|
||||
# Patch10 cups-2.1.0-choose-uri-template.patch adds 'smb://...' URIs to templates/choose-uri.tmpl:
|
||||
%patch10 -b choose-uri-template.orig
|
||||
# Patch11 cups-2.1.0-default-webcontent-path.patch changes the default path whereto the
|
||||
# web content is installed from /usr/share/doc/cups to /usr/share/cups/webcontent
|
||||
# because the files of the CUPS web content are no documentation, see CUPS STR #3578
|
||||
# and https://bugzilla.suse.com/show_bug.cgi?id=546023#c6 and subsequent comments:
|
||||
%patch11 -b default-webcontent-path.orig
|
||||
# Patch100...Patch999 is for private patches from SUSE which are not intended for upstream:
|
||||
# Patch100 cups-pam.diff adds conf/pam.suse regarding support for PAM for SUSE:
|
||||
%patch100 -b cups-pam.orig
|
||||
# Patch103 cups-1.4-do_not_strip_recommended_from_PPDs.patch
|
||||
# reverts the change which was added by Michael Sweet in Jan 2007
|
||||
# which strips the word "recommended" from NickName in PPDs because
|
||||
# at least yast2-printer in SUSE needs it, compare the
|
||||
# 'Why not "recommend" PPDs in the NickName?' and the subsequent
|
||||
# 'RFC: New Driver Rating/Information Attributes' mail thread on cups@easysw.com:
|
||||
%patch103 -b do_not_strip_recommended_from_PPDs.orig
|
||||
# Patch104 cups-config-libs.patch fixes option --libs in cups-config script:
|
||||
%patch104 -b cups-config-libs.orig
|
||||
# Patch107 harden_cups.service.patch adds hardening to systemd service cups.service
|
||||
# see https://bugzilla.suse.com/show_bug.cgi?id=1181400
|
||||
# and https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||
# where the default hardening settings are enhanced by adding
|
||||
# ReadWritePaths=/etc/cups because cupsd needs write access in /etc/cups
|
||||
# see https://bugzilla.suse.com/show_bug.cgi?id=1195288
|
||||
%patch107 -p1 -b harden_cups.service.orig
|
||||
# Patch108 downgrade-autoconf-requirement.patch
|
||||
# downgrades the autoconf requirement to the autoconf available in Tumbleweed as of this writing:
|
||||
%patch108 -b downgrade-autoconf-requirement.orig
|
||||
# Patch109 cups-2.4.2-CVE-2023-32324.patch
|
||||
# fixes CVE-2023-32324 "Heap buffer overflow in cupsd"
|
||||
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7
|
||||
# https://bugzilla.suse.com/show_bug.cgi?id=1211643
|
||||
%patch109 -b cups-2.4.2-CVE-2023-32324.orig
|
||||
# Patch110 cups-2.4.2-CVE-2023-34241.patch
|
||||
# fixes CVE-2023-34241 "use-after-free in cupsdAcceptClient()"
|
||||
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
|
||||
# https://bugzilla.suse.com/show_bug.cgi?id=1212230
|
||||
%patch110 -b cups-2.4.2-CVE-2023-34241.orig
|
||||
# Patch111 cups-2.4.2-CVE-2023-32360.patch
|
||||
# fixes CVE-2023-32360 "Information leak through Cups-Get-Document operation"
|
||||
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
|
||||
# https://bugzilla.suse.com/show_bug.cgi?id=1214254
|
||||
%patch111 -b cups-2.4.2-CVE-2023-32360.orig
|
||||
# Patch112 cups-2.4.2-additional_policies.patch adds the 'allowallforanybody' policy to cupsd.conf
|
||||
# see SUSE FATE 303515 and https://bugzilla.suse.com/show_bug.cgi?id=936309
|
||||
%patch112 -b cups-2.4.2-additional_policies.orig
|
||||
# Patch113 cups-2.4.2-CVE-2023-4504.patch
|
||||
# fixes CVE-2023-4504 "CUPS PostScript Parsing Heap Overflow"
|
||||
# https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
|
||||
# https://bugzilla.suse.com/show_bug.cgi?id=1215204
|
||||
%patch113 -b cups-2.4.2-CVE-2023-4504.orig
|
||||
|
||||
%build
|
||||
# Remove ".SILENT" rule for verbose build output
|
||||
sed 's#^.SILENT:##g' -i Makedefs.in
|
||||
aclocal -I config-scripts
|
||||
autoconf -I config-scripts
|
||||
# Export the build options we desire
|
||||
export CXXFLAGS="$CXXFLAGS %{optflags} -O2 -fstack-protector -fPIE -fPIC"
|
||||
export CFLAGS="$CFLAGS %{optflags} -fstack-protector -fPIE -fPIC"
|
||||
export LDFLAGS="-pie"
|
||||
export CXX=c++
|
||||
export CC=cc
|
||||
# As long as cups-2.1.0-default-webcontent-path.patch is applied
|
||||
# configure --with-docdir=... would be no longer needed
|
||||
# because cups-2.1.0-default-webcontent-path.patch changes the
|
||||
# default with-docdir path whereto the web content is installed
|
||||
# from /usr/share/doc/cups to /usr/share/cups/webcontent because the
|
||||
# files of the CUPS web content are no documentation, see CUPS STR #3578
|
||||
# and https://bugzilla.suse.com/show_bug.cgi?id=546023#c6 and subsequent comments
|
||||
# so that the new default could be used as is but upstream may accept
|
||||
# cups-2.1.0-default-webcontent-path.patch in general but change its default
|
||||
# so that with-docdir is explicitly set here to be future proof.
|
||||
# Regarding --with-rundir and --with-domainsocket
|
||||
# see https://www.cups.org/str.php?L4306 and
|
||||
# http://lists.opensuse.org/opensuse-factory/2013-01/msg00578.html
|
||||
# --without-perl/php - neither actually work correctly so rather disable
|
||||
# --without-xinetd - socket activation from systemd works better
|
||||
# --enable-debug - avoids stripping of binaries
|
||||
# --enable-relro - force relro sections in binaries/libs
|
||||
%configure \
|
||||
--enable-option-checking \
|
||||
--with-docdir=%{_datadir}/cups/webcontent \
|
||||
--with-cups-user=lp \
|
||||
--with-cups-group=lp \
|
||||
--with-system-groups=root \
|
||||
--enable-debug \
|
||||
--enable-debug-printfs \
|
||||
--enable-relro \
|
||||
--enable-gssapi \
|
||||
--enable-libusb \
|
||||
--disable-static \
|
||||
--without-rcdir \
|
||||
--with-cachedir=%{_localstatedir}/cache/cups \
|
||||
--with-rundir=/run/cups \
|
||||
--with-domainsocket=/run/cups/cups.sock \
|
||||
--enable-dbus \
|
||||
--enable-pam \
|
||||
--enable-threads \
|
||||
--enable-gnutls \
|
||||
--enable-systemd \
|
||||
--enable-avahi --disable-dnssd \
|
||||
--enable-libpaper \
|
||||
--without-perl \
|
||||
--without-php \
|
||||
--with-xinetd=no \
|
||||
--enable-webif \
|
||||
localedir=%{_datadir}/locale
|
||||
make %{?_smp_mflags}
|
||||
|
||||
%install
|
||||
make BUILDROOT=%{buildroot} DBUSDIR=%{dbus_dir} install
|
||||
# Make directory for ssl files:
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/cups/ssl
|
||||
# Add a client.conf as template (Source108: cups-client.conf):
|
||||
install -m644 %{SOURCE108} %{buildroot}%{_sysconfdir}/cups/client.conf
|
||||
# Make the libraries accessible also via generic named links:
|
||||
ln -sf libcupsimage.so.2 %{buildroot}%{_libdir}/libcupsimage.so
|
||||
ln -sf libcups.so.2 %{buildroot}%{_libdir}/libcups.so
|
||||
# Move /usr/lib/pkgconfig/cups.pc to _libdir if it is not there
|
||||
# to avoid a conflict that cups-devel and cups-devel-32bit
|
||||
# would both contain /usr/lib/pkgconfig/cups.pc because
|
||||
# when cups.pc is arch dependent it has to be in _libdir
|
||||
# which it is because it contains 'libdir=/usr/lib64' on x86_64
|
||||
# (if it was arch independent it would have to be in _datadir)
|
||||
# cf. https://build.opensuse.org/request/show/965680
|
||||
test -d %{buildroot}%{_libdir}/pkgconfig || mv %{buildroot}/usr/lib/pkgconfig %{buildroot}%{_libdir}/pkgconfig
|
||||
# Add missing usual directories:
|
||||
install -d -m755 %{buildroot}%{_datadir}/cups/drivers
|
||||
install -d -m755 %{buildroot}%{_localstatedir}/cache/cups
|
||||
# Add conf/pam.suse regarding support for PAM (see Patch100: cups-pam.diff):
|
||||
%if 0%{?suse_version} > 1500
|
||||
install -d -m755 %{buildroot}%{_pam_vendordir}
|
||||
install -m 644 -D conf/pam.suse %{buildroot}%{_pam_vendordir}/cups
|
||||
# remove /etc/pam.d/cups from conf/pam.std
|
||||
rm -rf %{buildroot}%{_sysconfdir}/pam.d
|
||||
%else
|
||||
install -m 644 -D conf/pam.suse %{buildroot}%{_sysconfdir}/pam.d/cups
|
||||
%endif
|
||||
# Add missing usual documentation.
|
||||
install -d -m755 %{buildroot}/%{_defaultdocdir}/cups
|
||||
for f in CHANGES.md CREDITS.md INSTALL.md LICENSE README.md
|
||||
do install -m 644 "$f" %{buildroot}%{_defaultdocdir}/cups/
|
||||
done
|
||||
# Add generic PostScript printer PPDs:
|
||||
# Source102: Postscript.ppd.gz
|
||||
install -m 644 %{SOURCE102} %{buildroot}%{_datadir}/cups/model/Postscript.ppd.gz
|
||||
# Source105: Postscript-level1.ppd,gz
|
||||
install -m 644 %{SOURCE105} %{buildroot}%{_datadir}/cups/model/Postscript-level1.ppd.gz
|
||||
# Source106: Postscript-level2.ppd.gz
|
||||
install -m 644 %{SOURCE106} %{buildroot}%{_datadir}/cups/model/Postscript-level2.ppd.gz
|
||||
# Rm files for desktop menu:
|
||||
rm -f %{buildroot}%{_datadir}/applications/cups.desktop
|
||||
rm -rf %{buildroot}%{_datadir}/icons
|
||||
# Save /etc/cups/cupsd.conf and /etc/cups/cupsd.conf.default from becoming hardlinked
|
||||
# via the fdupes run below, see https://bugzilla.suse.com/show_bug.cgi?id=773971
|
||||
# by making their content different and at the same time fix the misleading comment.
|
||||
# Intentionally let the build fail if 'grep' does not find what 'sed' should change
|
||||
# because if upstream changed it 'sed' would silently no longer change the files:
|
||||
grep -q '^# Configuration ' %{buildroot}/%{_sysconfdir}/cups/cupsd.conf.default
|
||||
sed -i -e 's/^# Configuration /# Default configuration /' %{buildroot}/%{_sysconfdir}/cups/cupsd.conf.default
|
||||
# rcbla aliases:
|
||||
ln -s service %{buildroot}%{_sbindir}/rccups
|
||||
ln -s service %{buildroot}%{_sbindir}/rccups-lpd
|
||||
# Install /usr/lib/tmpfiles.d/cups.conf
|
||||
# According to
|
||||
# https://developers.redhat.com/blog/2016/09/20/managing-temporary-files-with-systemd-tmpfiles-on-rhel7/
|
||||
# d /var/spool/cups/tmp - - - 30d
|
||||
# results that each file older than 30 days on /var/spool/cups/tmp will be deleted where a file
|
||||
# will be considered unused only if atime, mtime and ctime are all older than the specified time.
|
||||
# We use group 'root' for /run/cups/certs (instead of 'sys')
|
||||
# d /run/cups/certs 0511 lp root -
|
||||
# because of https://bugzilla.opensuse.org/show_bug.cgi?id=1042916
|
||||
mkdir -p %{buildroot}%{_tmpfilesdir}
|
||||
cat > %{buildroot}%{_tmpfilesdir}/cups.conf <<EOF
|
||||
# See tmpfiles.d(5) for details
|
||||
# Type(d=directory) Path Mode UID GID Age(until delete when cleaning)
|
||||
d /run/cups 0755 root lp -
|
||||
d /run/cups/certs 0511 lp root -
|
||||
d %{_localstatedir}/spool/cups/tmp - - - 30d
|
||||
EOF
|
||||
# Never run fdupes carelessly over the whole buildroot directory
|
||||
# because in older openSUSE and SLE11 versions fdupes
|
||||
# links files with different owner, group, or permissions
|
||||
# see https://bugzilla.suse.com/show_bug.cgi?id=784670
|
||||
# and even in current openSUSE versions fdupes links across sub-package
|
||||
# boundaries, compare https://bugzilla.suse.com/show_bug.cgi?id=784869
|
||||
%fdupes -s %{buildroot}/%{_datadir}/cups/templates
|
||||
|
||||
%check
|
||||
%if %{with testsuite}
|
||||
# There appears to be some kind of race condition when running 'make test'
|
||||
# cf. https://github.com/OpenPrinting/cups/issues/155
|
||||
# so we do not call 'make %{?_smp_mflags} test' but plain 'make test'
|
||||
# cf. https://github.com/OpenPrinting/cups/issues/155#issuecomment-802886811
|
||||
# We print the log files for debugging purposes if the testsuite fails.
|
||||
# The log files in the test directory are named like
|
||||
# access_log-2022-03-04-abuild
|
||||
# debug_log-2022-03-04-abuild
|
||||
# error_log-2022-03-04-abuild
|
||||
# page_log-2022-03-04-abuild
|
||||
# We do not error out because https://github.com/OpenPrinting/cups/issues/155
|
||||
# is not yet actually fixed so currently the testsuite still sometimes fails:
|
||||
echo "TEST: running 'make test'"
|
||||
if make test
|
||||
then echo "TEST: succeeded"
|
||||
else echo "TEST: 'make test' FAILED"
|
||||
for logfile in test/*_log-*-$(whoami)
|
||||
do echo "TEST: printing log file $logfile:"
|
||||
cat $logfile
|
||||
echo "TEST: end of log file $logfile"
|
||||
done
|
||||
echo "TEST: end of printing log files"
|
||||
fi
|
||||
%else
|
||||
echo "TEST: skipped 'make test', cf. https://github.com/OpenPrinting/cups/issues/155"
|
||||
%endif
|
||||
|
||||
%pre -p /bin/bash
|
||||
%if 0%{?suse_version} > 1500
|
||||
# Prepare for migration to /usr/etc; save any old .rpmsave
|
||||
for i in pam.d/cups ; do
|
||||
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
|
||||
done
|
||||
%endif
|
||||
getent group ntadmin >/dev/null || %{_sbindir}/groupadd -g 71 -o -r ntadmin
|
||||
%service_add_pre cups.service cups-lpd.socket cups.socket
|
||||
|
||||
%post -p /bin/bash
|
||||
%if 0
|
||||
# Use %%tmpfiles_create when 13.2 is oldest in support scope
|
||||
%endif
|
||||
/usr/bin/systemd-tmpfiles --create %{_tmpfilesdir}/cups.conf || :
|
||||
%service_add_post cups.service cups-lpd.socket cups.socket
|
||||
|
||||
%preun -p /bin/bash
|
||||
%service_del_preun cups.service cups-lpd.socket cups.socket
|
||||
|
||||
%postun -p /bin/bash
|
||||
%service_del_postun cups.service cups-lpd.socket cups.socket
|
||||
|
||||
# Removed code comments from expanded scriptlets to reduce scriptlet size in binary RPMs
|
||||
# but then users could no longer see the comments via "rpm -q --scripts cups"
|
||||
# cf. https://build.opensuse.org/request/show/879976
|
||||
%posttrans -p /bin/bash
|
||||
%if 0
|
||||
# Use a real bash script with an explicit "exit 0" at the end to be by default fail safe
|
||||
# an explicit "exit 1" must be use to enforce package install/upgrade/erase failure where needed
|
||||
# see the "Shared_libraries" section in http://en.opensuse.org/openSUSE:Packaging_scriptlet_snippets
|
||||
# Begin refresh systemd units and clean up possibly obsolete systemd units
|
||||
# The following is a generic way how to refresh and/or clean up systemd units.
|
||||
# A systemd unit may need a refresh after updating a package when the new package
|
||||
# had installed a changed systemd unit file for an enabled systemd unit.
|
||||
# A systemd unit may become obsolete by updating a package (see bnc#904215).
|
||||
# A systemd unit is considered to have become obsolete when the systemd
|
||||
# symlink /etc/systemd/system/.../unit_name -> /path/to/unit_file is broken.
|
||||
# When during package update the new package does no longer provide a unit file
|
||||
# then the systemd symlink becomes broken after the files of the old package
|
||||
# had been actually removed by RPM.
|
||||
# According to /usr/share/doc/packages/rpm/manual/triggers and according
|
||||
# to https://en.opensuse.org/openSUSE:Packaging_scriptlet_snippets#Scriptlet_Ordering
|
||||
# and http://fedoraproject.org/wiki/Packaging:ScriptletSnippets#Scriptlet_Ordering
|
||||
# from the new package only "posttrans of new package" is run after "removal of old package"
|
||||
# so that the new package must do the clean up as RPM posttrans scriptlet.
|
||||
%endif
|
||||
for u in cups.service cups.socket cups.path; do
|
||||
if systemctl --quiet is-enabled $u 2>/dev/null
|
||||
then
|
||||
%if 0
|
||||
# Refresh still valid enabled systemd units and clean up possibly obsoleted systemd units:
|
||||
# Enforce systemd to use the current unit file which is usually the unit file of the new package
|
||||
# but also in case of custom units (that use other unit files) a "reenable" won't hurt because
|
||||
# "reenable" does not implicitly stop a running service which is "the right thing" because
|
||||
# a RPM package installation must not automatically disrupt (restart) a running service.
|
||||
# Using "--force reenable" is essential to clean up possibly conflicting/broken symlinks.
|
||||
# (without "|| :" build fails with "Failed to get D-Bus connection: No connection to service manager. posttrans script ... failed"):
|
||||
%endif
|
||||
systemctl --quiet --force reenable $u 2>/dev/null || :
|
||||
else
|
||||
%if 0
|
||||
# Refresh still valid disabled systemd units and clean up possibly obsoleted systemd units:
|
||||
# First using "--force reenable" is essential to clean up possibly conflicting/broken symlinks
|
||||
# because there is no "--force disable" that would clean up possibly conflicting/broken symlinks
|
||||
# see https://bugzilla.opensuse.org/show_bug.cgi?id=904215#c34
|
||||
# so that first the unit has a clean state and then it is set back to disabled (as it was before).
|
||||
# If a disabled systemd unit has become obsoleted, "systemctl --force reenable" will clean it up
|
||||
# which means the unit gets removed and the subsequent "systemctl disable" will do nothing.
|
||||
# (without "|| :" build fails with "Failed to get D-Bus connection: No connection to service manager. posttrans script ... failed"):
|
||||
%endif
|
||||
systemctl --quiet --force reenable $u 2>/dev/null || :
|
||||
systemctl --quiet disable $u 2>/dev/null || :
|
||||
fi
|
||||
done
|
||||
%if 0%{?suse_version} > 1500
|
||||
# Migration to /usr/etc, restore just created .rpmsave
|
||||
for i in pam.d/cups ; do
|
||||
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
|
||||
done
|
||||
%endif
|
||||
exit 0
|
||||
|
||||
%post -n libcups2 -p /sbin/ldconfig
|
||||
%postun -n libcups2 -p /sbin/ldconfig
|
||||
%post -n libcupsimage2 -p /sbin/ldconfig
|
||||
%postun -n libcupsimage2 -p /sbin/ldconfig
|
||||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
# In particular all executables are listed explicitly.
|
||||
# This avoids that CUPS' configure magic might silently
|
||||
# not build and install an executable when whatever condition
|
||||
# for configure's automated tests is not fulfilled in the build system.
|
||||
# See https://bugzilla.suse.com/show_bug.cgi?id=526847#c9
|
||||
# Regarding specific owner group and permission settings for directories
|
||||
# see https://bugzilla.suse.com/show_bug.cgi?id=1184161
|
||||
# When cupsd creates directories with specific owner group and permissions
|
||||
# (usually owner is 'root' and group matches "configure --with-cups-group=lp")
|
||||
# we must specify same owner group and permission settings here
|
||||
# to ensure those directories are installed by RPM with the right settings
|
||||
# because if those directories were installed by RPM with different settings then
|
||||
# cupsd would use them as is and not adjust its specific owner group and permissions.
|
||||
# How cupsd creates those directories:
|
||||
# drwxr-xr-x ... root lp ... /etc/cups/ppd
|
||||
# see https://bugzilla.suse.com/show_bug.cgi?id=1184161#c7
|
||||
# The /etc/cups/ssl directory is not created by cupsd (but needed by it)
|
||||
# and when needed (e.g. during the first run of "# lpstat -E -p")
|
||||
# cupsd creates files in /etc/cups/ssl like localhost.crt and localhost.key
|
||||
# so we specify secure owner group and permissions for /etc/cups/ssl
|
||||
%config(noreplace) %attr(640,root,lp) %{_sysconfdir}/cups/cups-files.conf
|
||||
%config(noreplace) %attr(640,root,lp) %{_sysconfdir}/cups/cupsd.conf
|
||||
%config(noreplace) %attr(640,root,lp) %{_sysconfdir}/cups/snmp.conf
|
||||
%if 0%{?suse_version} > 1500
|
||||
%{_pam_vendordir}/cups
|
||||
%else
|
||||
%config %{_sysconfdir}/pam.d/cups
|
||||
%endif
|
||||
%dbus_config %{dbus_dir}/system.d/cups.conf
|
||||
%config %{_sysconfdir}/cups/cupsd.conf.default
|
||||
%config %{_sysconfdir}/cups/cups-files.conf.default
|
||||
%config %{_sysconfdir}/cups/snmp.conf.default
|
||||
%dir %attr(755,root,lp) %{_sysconfdir}/cups/ppd
|
||||
%dir %attr(700,root,root) %{_sysconfdir}/cups/ssl
|
||||
%{_unitdir}/cups.service
|
||||
%{_unitdir}/cups.socket
|
||||
%{_unitdir}/cups.path
|
||||
%{_unitdir}/cups-lpd.socket
|
||||
%{_unitdir}/cups-lpd@.service
|
||||
%{_tmpfilesdir}/cups.conf
|
||||
%{_bindir}/cupstestppd
|
||||
%{_sbindir}/cupsctl
|
||||
%{_sbindir}/cupsd
|
||||
%{_sbindir}/cupsfilter
|
||||
%{_sbindir}/rccups
|
||||
%{_sbindir}/rccups-lpd
|
||||
%dir /usr/lib/cups
|
||||
%dir /usr/lib/cups/backend
|
||||
/usr/lib/cups/backend/dnssd
|
||||
/usr/lib/cups/backend/http
|
||||
/usr/lib/cups/backend/https
|
||||
/usr/lib/cups/backend/ipp
|
||||
/usr/lib/cups/backend/ipps
|
||||
/usr/lib/cups/backend/lpd
|
||||
/usr/lib/cups/backend/snmp
|
||||
/usr/lib/cups/backend/socket
|
||||
/usr/lib/cups/backend/usb
|
||||
%dir /usr/lib/cups/cgi-bin
|
||||
/usr/lib/cups/cgi-bin/admin.cgi
|
||||
/usr/lib/cups/cgi-bin/classes.cgi
|
||||
/usr/lib/cups/cgi-bin/help.cgi
|
||||
/usr/lib/cups/cgi-bin/jobs.cgi
|
||||
/usr/lib/cups/cgi-bin/printers.cgi
|
||||
%dir /usr/lib/cups/command
|
||||
/usr/lib/cups/command/ippevepcl
|
||||
/usr/lib/cups/command/ippeveps
|
||||
%dir /usr/lib/cups/daemon
|
||||
/usr/lib/cups/daemon/cups-deviced
|
||||
/usr/lib/cups/daemon/cups-driverd
|
||||
/usr/lib/cups/daemon/cups-exec
|
||||
/usr/lib/cups/daemon/cups-lpd
|
||||
%dir /usr/lib/cups/driver
|
||||
%dir /usr/lib/cups/filter
|
||||
/usr/lib/cups/filter/commandtops
|
||||
/usr/lib/cups/filter/gziptoany
|
||||
/usr/lib/cups/filter/pstops
|
||||
/usr/lib/cups/filter/rastertoepson
|
||||
/usr/lib/cups/filter/rastertohp
|
||||
/usr/lib/cups/filter/rastertolabel
|
||||
/usr/lib/cups/filter/rastertopwg
|
||||
%dir /usr/lib/cups/monitor
|
||||
/usr/lib/cups/monitor/bcp
|
||||
/usr/lib/cups/monitor/tbcp
|
||||
%dir /usr/lib/cups/notifier
|
||||
/usr/lib/cups/notifier/dbus
|
||||
/usr/lib/cups/notifier/mailto
|
||||
/usr/lib/cups/notifier/rss
|
||||
%dir %attr(0775,root,ntadmin) %{_datadir}/cups/drivers
|
||||
%doc %{_defaultdocdir}/cups
|
||||
%doc %{_mandir}/man1/cups.1.gz
|
||||
%doc %{_mandir}/man1/cupstestppd.1.gz
|
||||
%doc %{_mandir}/man1/ippeveprinter.1.gz
|
||||
%doc %{_mandir}/man5/classes.conf.5.gz
|
||||
%doc %{_mandir}/man5/client.conf.5.gz
|
||||
%doc %{_mandir}/man5/cups-snmp.conf.5.gz
|
||||
%doc %{_mandir}/man5/cups-files.conf.5.gz
|
||||
%doc %{_mandir}/man5/cupsd-logs.5.gz
|
||||
%doc %{_mandir}/man5/cupsd.conf.5.gz
|
||||
%doc %{_mandir}/man5/mailto.conf.5.gz
|
||||
%doc %{_mandir}/man5/mime.convs.5.gz
|
||||
%doc %{_mandir}/man5/mime.types.5.gz
|
||||
%doc %{_mandir}/man5/printers.conf.5.gz
|
||||
%doc %{_mandir}/man5/subscriptions.conf.5.gz
|
||||
%doc %{_mandir}/man7/backend.7.gz
|
||||
%doc %{_mandir}/man7/filter.7.gz
|
||||
%doc %{_mandir}/man7/ippevepcl.7.gz
|
||||
%doc %{_mandir}/man7/ippeveps.7.gz
|
||||
%doc %{_mandir}/man7/notifier.7.gz
|
||||
%doc %{_mandir}/man8/cups-deviced.8.gz
|
||||
%doc %{_mandir}/man8/cups-driverd.8.gz
|
||||
%doc %{_mandir}/man8/cups-exec.8.gz
|
||||
%doc %{_mandir}/man8/cups-lpd.8.gz
|
||||
%doc %{_mandir}/man8/cups-snmp.8.gz
|
||||
%doc %{_mandir}/man8/cupsctl.8.gz
|
||||
%doc %{_mandir}/man8/cupsd.8.gz
|
||||
%doc %{_mandir}/man8/cupsd-helper.8.gz
|
||||
%doc %{_mandir}/man8/cupsfilter.8.gz
|
||||
%{_datadir}/cups/
|
||||
|
||||
%files client
|
||||
%defattr(-,root,root)
|
||||
%{_bindir}/cancel
|
||||
%{_bindir}/ippeveprinter
|
||||
%{_bindir}/ippfind
|
||||
%{_bindir}/ipptool
|
||||
%{_bindir}/lp
|
||||
%{_bindir}/lpoptions
|
||||
%{_bindir}/lpq
|
||||
%{_bindir}/lpr
|
||||
%{_bindir}/lprm
|
||||
%{_bindir}/lpstat
|
||||
%{_sbindir}/cupsaccept
|
||||
%{_sbindir}/cupsdisable
|
||||
%{_sbindir}/cupsenable
|
||||
%{_sbindir}/cupsreject
|
||||
%{_sbindir}/lpadmin
|
||||
%{_sbindir}/lpc
|
||||
%{_sbindir}/lpinfo
|
||||
%{_sbindir}/lpmove
|
||||
%doc %{_mandir}/man1/cancel.1.gz
|
||||
%doc %{_mandir}/man1/ippfind.1.gz
|
||||
%doc %{_mandir}/man1/ipptool.1.gz
|
||||
%doc %{_mandir}/man1/lp.1.gz
|
||||
%doc %{_mandir}/man1/lpoptions.1.gz
|
||||
%doc %{_mandir}/man1/lpq.1.gz
|
||||
%doc %{_mandir}/man1/lpr.1.gz
|
||||
%doc %{_mandir}/man1/lprm.1.gz
|
||||
%doc %{_mandir}/man1/lpstat.1.gz
|
||||
%doc %{_mandir}/man5/ipptoolfile.5.gz
|
||||
%doc %{_mandir}/man8/cupsaccept.8.gz
|
||||
%doc %{_mandir}/man8/cupsdisable.8.gz
|
||||
%doc %{_mandir}/man8/cupsenable.8.gz
|
||||
%doc %{_mandir}/man8/cupsreject.8.gz
|
||||
%doc %{_mandir}/man8/lpadmin.8.gz
|
||||
%doc %{_mandir}/man8/lpc.8.gz
|
||||
%doc %{_mandir}/man8/lpinfo.8.gz
|
||||
%doc %{_mandir}/man8/lpmove.8.gz
|
||||
|
||||
%files devel
|
||||
%defattr(-,root,root)
|
||||
%{_includedir}/cups/
|
||||
%{_libdir}/libcups.so
|
||||
%{_libdir}/libcupsimage.so
|
||||
%{_libdir}/pkgconfig/cups.pc
|
||||
|
||||
%files ddk
|
||||
%defattr(-,root,root)
|
||||
%{_bindir}/ppdc
|
||||
%{_bindir}/ppdhtml
|
||||
%{_bindir}/ppdi
|
||||
%{_bindir}/ppdmerge
|
||||
%{_bindir}/ppdpo
|
||||
%doc %{_mandir}/man1/ppdc.1.gz
|
||||
%doc %{_mandir}/man1/ppdhtml.1.gz
|
||||
%doc %{_mandir}/man1/ppdi.1.gz
|
||||
%doc %{_mandir}/man1/ppdmerge.1.gz
|
||||
%doc %{_mandir}/man1/ppdpo.1.gz
|
||||
%doc %{_mandir}/man5/ppdcfile.5.gz
|
||||
|
||||
%files -n libcups2
|
||||
%defattr(-,root,root)
|
||||
%{_libdir}/libcups.so.2
|
||||
|
||||
%files -n libcupsimage2
|
||||
%defattr(-,root,root)
|
||||
%{_libdir}/libcupsimage.so.2
|
||||
|
||||
%files config
|
||||
# Regarding specific owner group and permission settings for directories
|
||||
# see the above comment in the files section of the main package.
|
||||
# How cupsd creates those directories:
|
||||
# drwx--x--- ... root lp ... /var/spool/cups
|
||||
# drwxrwx--T ... root lp ... /var/spool/cups/tmp
|
||||
# drwxr-xr-x ... root lp ... /var/log/cups
|
||||
# drwxrwx--- ... root lp ... /var/cache/cups
|
||||
# see https://bugzilla.suse.com/show_bug.cgi?id=1184161#c7
|
||||
# The 'lp' user does not need write permissions in /var/log/cups
|
||||
# regardless that filters and backends are usually run as user 'lp' because
|
||||
# filters and backends write log messages to the inherited stderr file descriptor
|
||||
# and do not append them directly to /var/log/cups/error_log (via fopen on their own).
|
||||
# The /etc/cups directory is not created by cupsd but needed by it
|
||||
# because cupsd cannot start if there is no /etc/cups/cupsd.conf file
|
||||
# (otherwise cupsd aborts with: "Unable to open /etc/cups/cupsd.conf").
|
||||
%defattr(-,root,root)
|
||||
%if 0%{?suse_version} >= 1330
|
||||
%dir %attr(0755,root,lp) /etc/cups
|
||||
%endif
|
||||
%config(noreplace) %{_sysconfdir}/cups/client.conf
|
||||
%dir %attr(0710,root,lp) %{_var}/spool/cups
|
||||
%dir %attr(1770,root,lp) %{_var}/spool/cups/tmp
|
||||
%dir %attr(0755,root,lp) %{_var}/log/cups
|
||||
%dir %attr(0770,root,lp) %{_var}/cache/cups
|
||||
%{_bindir}/cups-config
|
||||
%{_datadir}/locale/*/cups_*
|
||||
%doc %{_mandir}/man1/cups-config.1.gz
|
||||
|
||||
%changelog
|
13
downgrade-autoconf-requirement.patch
Normal file
13
downgrade-autoconf-requirement.patch
Normal file
@ -0,0 +1,13 @@
|
||||
--- configure.ac.orig 2022-05-26 08:17:21.000000000 +0200
|
||||
+++ configure.ac 2022-05-30 10:26:29.258674533 +0200
|
||||
@@ -9,8 +9,8 @@ dnl Licensed under Apache License v2.0.
|
||||
dnl information.
|
||||
dnl
|
||||
|
||||
-dnl We need at least autoconf 2.71...
|
||||
-AC_PREREQ([2.71])
|
||||
+dnl We need at least autoconf 2.69...
|
||||
+AC_PREREQ([2.69])
|
||||
|
||||
dnl Package name and version...
|
||||
AC_INIT([CUPS],[2.4.2],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])
|
26
harden_cups.service.patch
Normal file
26
harden_cups.service.patch
Normal file
@ -0,0 +1,26 @@
|
||||
Index: cups-2.3.3op2/scheduler/cups.service.in
|
||||
===================================================================
|
||||
--- cups-2.3.3op2.orig/scheduler/cups.service.in
|
||||
+++ cups-2.3.3op2/scheduler/cups.service.in
|
||||
@@ -5,6 +5,21 @@ After=network.target sssd.service ypbind
|
||||
Requires=cups.socket
|
||||
|
||||
[Service]
|
||||
+# added automatically, for details please see
|
||||
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||
+ProtectSystem=full
|
||||
+ProtectHome=true
|
||||
+ProtectHostname=true
|
||||
+ProtectKernelTunables=true
|
||||
+ProtectKernelModules=true
|
||||
+ProtectKernelLogs=true
|
||||
+ProtectControlGroups=true
|
||||
+RestrictRealtime=true
|
||||
+# end of automatic additions
|
||||
+# cupsd needs write access in /etc/cups see
|
||||
+# https://bugzilla.opensuse.org/show_bug.cgi?id=1195288
|
||||
+ReadWritePaths=/etc/cups
|
||||
+# end of SUSE additions
|
||||
ExecStart=@sbindir@/cupsd -l
|
||||
Type=notify
|
||||
Restart=on-failure
|
Loading…
Reference in New Issue
Block a user