cups/cups-2.0.3-additional_policies.patch


--- conf/cupsd.conf.in.orig 2014-04-02 18:52:53.000000000 +0200
+++ conf/cupsd.conf.in 2015-07-01 14:39:58.000000000 +0200
@@ -127,3 +127,45 @@ WebInterface @CUPS_WEBIF@
Accepting request 286363 from home:scarabeus_iv:branches:Printing Final submission, there seems to be no activity on factory so it works or nobody cares :) - Add back the posttrans cleanup script as it is needed - Add patch cups-systemd-socket.patch to fix socket activation and to match socket approach Fedora has. - Version bump to 2.0.2: * Security: cupsRasterReadPixels buffer overflow with invalid page header and compressed raster data (STR #4551) * Mapping of PPD keywords to IPP keywords did not work if the PPD keyword was already an IPP keyword (<rdar://problem/19121005>) * cupsGetPPD* sent bad requests (STR #4567) * For detailed list see CHANGES.txt file - Enable PIE for build - Remove legacy parallel-port support as it is not really needed as most do not want it - Update descriptions to just state what changed and let user find it out. - Add back comment about %fdupes - Remove exit 0 on scriptlets as it is provided by the %service bla ones already - Fix the comment about openSUSE version on tmpfilesdir declaration - cups-2.0.1 update: * lengthy list of changes see the upstream CHANGES.txt that is distributed with the package * Disabling of sslv3 to mitigate poodle - Use gnutls to provide SSLOptions configuration directive * openssl is no longer supported upstream * Remove the with-openssl-exception from license - Remove cups.sysconfig as it is not used with systemd based distros - Purposely lose support for SLE11 as it doubles size of some of the sections and keep support for openSUSE+SLE12 * even with the conditions we would have to go unencrypted only OBS-URL: https://build.opensuse.org/request/show/286363 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=294
2015-02-16 16:27:41 +01:00
Order deny,allow
</Limit>
</Policy>
+
+# The policy below is added by SUSE during build of our cups package.
+# The policy 'allowallforanybody' is totally open and insecure and therefore
+# it can only be used within an internal network where only trused users exist
+# and where the cupsd is not accessible at all from any external host, see
+# http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
+# Have in mind that any user who is allowed to do printer admin tasks
+# can change the print queues as he likes - e.g. send copies of confidental
+# print jobs from an internal network to any external destination, see
+# http://en.opensuse.org/SDB:CUPS_in_a_Nutshell
+# For documentation regarding 'Managing Operation Policies' see
+# http://www.cups.org/documentation.php/doc-1.7/policies.html
+<Policy allowallforanybody>
+ # Allow anybody to access job's private values:
+ JobPrivateAccess all
+ # Make none of the job values to be private:
+ JobPrivateValues none
+ # Allow anybody to access subscription's private values:
+ SubscriptionPrivateAccess all
+ # Make none of the subscription values to be private:
+ SubscriptionPrivateValues none
+ # Allow anybody to do all IPP operations:
+ # Currently the IPP operations Validate-Job Cancel-Jobs Cancel-My-Jobs Close-Job CUPS-Get-Document
+ # must be additionally exlicitly specified because those IPP operations are not included
+ # in the "All" wildcard value - otherwise cupsd prints error messages of the form
+ # "No limit for Validate-Job defined in policy allowallforanybody and no suitable template found."
+ <Limit Validate-Job Cancel-Jobs Cancel-My-Jobs Close-Job CUPS-Get-Document>
+ Order deny,allow
+ Allow from all
+ </Limit>
+ # Since CUPS > 1.5.4 the "All" wildcard value must be specified separately,
+ # otherwise clients like "lpstat -p" just hang up,
+ # see https://bugzilla.opensuse.org/show_bug.cgi?id=936309
+ # and https://www.cups.org/str.php?L4659
+ <Limit All>
+ Order deny,allow
+ Allow from all
+ </Limit>
+</Policy>
+# Explicitly set the CUPS 'default' policy to be used by default:
+DefaultPolicy default
+
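Review bot: The `<Limit All>` block at the end of `allowallforanybody` (and the explicit `<Limit Validate-Job ...>` block above it) has `Order deny,allow` plus `Allow from all` with no `AuthType` or `Require` line, so every IPP operation, including the printer admin tasks the header comment warns about, is open to any host that can reach cupsd once a queue or `DefaultPolicy` selects this policy. Because the block ships in every installed cupsd.conf, the header comment should say outright that the policy is inert until it is selected, and that the trailing `DefaultPolicy default` line is what keeps it unselected by default; as written, a reader has to infer that from the last two lines. Smaller points in the same hunk: the comments contain the typos "trused", "confidental" and "exlicitly"; the documentation link points at `doc-1.7/policies.html` although the patch is named for cups 2.0.3; and "Since CUPS > 1.5.4" would read more clearly as the first version where the behaviour was observed.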