OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cups?expand=0&rev=13

2007-08-03 15:09:00 +00:00 · 2007-08-03 15:09:00 +00:00 · f67a5f0669
commit f67a5f0669
parent a59d90cb79
4 changed files with 266 additions and 1 deletions
--- a/cups-conf-relaxed-policy.patch
+++ b/cups-conf-relaxed-policy.patch
@ -0,0 +1,53 @@
+diff -ur /usr/src/packages/BUILD/cups-1.2.11/conf/cupsd.conf.in ./conf/cupsd.conf.in
+--- /usr/src/packages/BUILD/cups-1.2.11/conf/cupsd.conf.in	2007-07-30 13:56:58.000000000 -0400
+++ ./conf/cupsd.conf.in	2007-07-30 13:52:20.000000000 -0400
+@@ -25,6 +25,9 @@
+ # Default authentication type, when authentication is required...
+ DefaultAuthType Basic
+ 
+# Set the default policy to relaxed...
+DefaultPolicy relaxed
+
+ # Restrict access to the server...
+ <Location />
+   Order allow,deny
+@@ -47,6 +50,39 @@
+   Allow localhost
+ </Location>
+ 
+# relaxed policy
+<Policy relaxed>
+
+# Let local users do reasonable things
+<Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Deactivate-Printer Activate-Printer CUPS-Delete-Printer CUPS-Add-Printer CUPS-Set-Default>
+Require user @users @SYSTEM
+Order deny,allow
+Allow From localhost
+</Limit> 
+
+# Job-related operations must be done by the owner or an adminstrator...
+<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
+Require user @OWNER @SYSTEM
+Order deny,allow
+</Limit>
+<Limit All>
+Order deny,allow
+</Limit>
+
+<Limit Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
+AuthType Basic
+Require user @SYSTEM
+Order deny,allow
+</Limit> 
+
+# Only the owner or an administrator can cancel or authenticate a job...
+<Limit Cancel-Job CUPS-Authenticate-Job>
+Require user @OWNER @SYSTEM
+Order deny,allow
+</Limit>
+
+</Policy>
+
+ # Set the default printer/job policies...
+ <Policy default>
+   # Job-related operations must be done by the owner or an adminstrator...
--- a/cups-domain-socket-auth.patch
+++ b/cups-domain-socket-auth.patch
@ -0,0 +1,191 @@
+--- cups-1.2.10/cups/auth.c.af_unix-auth	2007-01-10 16:48:37.000000000 +0000
+++ cups-1.2.10/cups/auth.c	2007-03-29 16:59:51.000000000 +0100
+@@ -26,6 +26,8 @@
+  * Contents:
+  *
+  *   cupsDoAuthentication() - Authenticate a request.
+ *   cups_peercred_auth()   - Find out if SO_PEERCRED authentication
+ *                            is possible
+  *   cups_local_auth()      - Get the local authorization certificate if
+  *                            available/applicable...
+  */
+@@ -40,7 +42,9 @@
+ #include <ctype.h>
+ #include <errno.h>
+ #include <fcntl.h>
+#include <pwd.h>
+ #include <sys/stat.h>
+#include <sys/types.h>
+ #if defined(WIN32) || defined(__EMX__)
+ #  include <io.h>
+ #else
+@@ -177,6 +181,76 @@
+   return (0);
+ }
+ 
+/*
+ * 'cups_peercred_auth()'
+ *                     - UNIX Domain Sockets authentication
+ */
+
+static int				/* O - 0 if available, -1 if not */
+cups_peercred_auth(http_t *http)	/* I - HTTP connection to server */
+{
+#ifdef SO_PEERCRED
+  long buflen;
+  char *buf, *newbuf;
+  struct passwd pwbuf, *pwbufptr;
+  int r;
+
+  if (http->hostaddr->addr.sa_family != AF_LOCAL)
+    return (-1);
+
+ /*
+  * Are we trying to authenticate as ourselves?  If not, SO_PEERCRED
+  * is no use.
+  */
+  buflen = sysconf (_SC_GETPW_R_SIZE_MAX);
+  buf = NULL;
+  do
+  {
+    newbuf = realloc (buf, buflen);
+    if (newbuf == NULL)
+    {
+      free (buf);
+      return (-1);
+    }
+
+    buf = newbuf;
+    r = getpwnam_r (cupsUser(), &pwbuf, buf, buflen, &pwbufptr);
+    if (r != 0)
+    {
+      if (r == ERANGE)
+      {
+	buflen *= 2;
+	continue;
+      }
+
+      free (buf);
+      return (-1);
+    }
+  }
+  while (r != 0);
+
+  if (pwbuf.pw_uid != getuid())
+  {
+    free (buf);
+    return (-1);
+  }
+
+  free (buf);
+
+ /*
+  * Set the authorization string and return...
+  */
+
+  snprintf(http->authstring, sizeof(http->authstring), "SO_PEERCRED");
+
+  DEBUG_printf(("cups_peercred_auth: Returning authstring = \"%s\"\n",
+		http->authstring));
+
+  return (0);
+#else
+  return (-1);
+#endif /* SO_PEERCRED */
+}
+ 
+ /*
+  * 'cups_local_auth()' - Get the local authorization certificate if
+@@ -234,7 +308,7 @@
+   {
+     DEBUG_printf(("cups_local_auth: Unable to open file %s: %s\n",
+                   filename, strerror(errno)));
+-    return (-1);
+    return cups_peercred_auth(http);
+   }
+ 
+  /*
+--- cups-1.2.10/scheduler/auth.c.af_unix-auth	2006-09-12 14:58:39.000000000 +0100
+++ cups-1.2.10/scheduler/auth.c	2007-03-29 17:03:53.000000000 +0100
+@@ -60,6 +60,9 @@
+ 
+ #include "cupsd.h"
+ #include <grp.h>
+#include <pwd.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+ #ifdef HAVE_SHADOW_H
+ #  include <shadow.h>
+ #endif /* HAVE_SHADOW_H */
+@@ -79,6 +82,9 @@
+ #ifdef HAVE_MEMBERSHIP_H
+ #  include <membership.h>
+ #endif /* HAVE_MEMBERSHIP_H */
+#if !defined(WIN32) && !defined(__EMX__)
+#  include <unistd.h>
+#endif
+ 
+ 
+ /*
+@@ -384,6 +390,61 @@
+                     "cupsdAuthorize: No authentication data provided.");
+     return;
+   }
+#ifdef SO_PEERCRED
+  else if (!strncmp(authorization, "SO_PEERCRED", 3) &&
+	   con->http.hostaddr->addr.sa_family == AF_LOCAL)
+  {
+    long buflen;
+    char *buf, *newbuf;
+    struct passwd pwbuf, *pwbufptr;
+    struct ucred u;
+    socklen_t ulen = sizeof(u);
+    int r;
+
+    if (getsockopt(con->http.fd, SOL_SOCKET, SO_PEERCRED, &u, &ulen) == -1)
+    {
+      cupsdLogMessage(CUPSD_LOG_ERROR,
+		      "cupsdAuthorize: getsockopt failed for SO_PEERCRED");
+      return;
+    }
+
+    buflen = sysconf (_SC_GETPW_R_SIZE_MAX);
+    buf = NULL;
+    do
+    {
+      newbuf = realloc (buf, buflen);
+      if (newbuf == NULL)
+      {
+	free (buf);
+	return;
+      }
+
+      buf = newbuf;
+
+      /* Look up which username the UID is for. */
+      r = getpwuid_r (u.uid, &pwbuf, buf, buflen, &pwbufptr);
+      if (r != 0)
+      {
+	if (r == ERANGE)
+	{
+	  buflen *= 2;
+	  continue;
+	}
+
+	cupsdLogMessage(CUPSD_LOG_ERROR,
+			"cupsdAuthorize: getpwuid_r failed after SO_PEERCRED");
+	free (buf);
+	return;
+      }
+    }
+    while (r != 0);
+
+    strlcpy(username, pwbuf.pw_name, sizeof(username));
+    free (buf);
+    cupsdLogMessage(CUPSD_LOG_DEBUG2,
+		    "cupsdAuthorize: using SO_PEERCRED (uid=%d)", u.uid);
+  }
+#endif /* SO_PEERCRED */
+   else if (!strncmp(authorization, "Local", 5) &&
+            !strcasecmp(con->http.hostname, "localhost"))
+   {
--- a/cups.changes
+++ b/cups.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri Aug  3 16:20:23 CEST 2007 - crivera@suse.de
+
+- Add cups-conf-relaxed-policy.patch, which defines a relaxed 
+  policy in cupsd.conf and makes it the default.  This allows
+  normal users to make changes to local printers.
+- Add cups-domain-socket-auth.patch, which has already been 
+  accepted upstream, to allow cups to use domain socket 
+  authentication for clients on the local machine.
+
 -------------------------------------------------------------------
 Mon Jul 30 15:41:27 CEST 2007 - kssingvo@suse.de

--- a/cups.spec
+++ b/cups.spec
@ -17,7 +17,7 @@ License:        GPL v2 or later, individual distribution permission.
 Group:          Hardware/Printing
 Summary:        The Common UNIX Printing System
 Version:        1.2.12
-Release:        1
+Release:        2
 Requires:       cups-libs = %{version}, cups-client = %{version}
 Requires:       ghostscript_any, ghostscript-fonts-std, foomatic-filters
 Requires:       util-linux
@ -52,6 +52,8 @@ Patch14:        cups-1.1.21-testppd_duplex.patch
 Patch15:        cups-1.2.11-testppd_filename.patch
 Patch16:        cups-1.2.5-desktop_file.patch
 Patch17:        cups-1.2.6-lppasswd_permission.patch
+Patch18:        cups-conf-relaxed-policy.patch
+Patch19:        cups-domain-socket-auth.patch
 Patch100:       cups-1.1.23-testpage.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %if %suse_version >= 801
@ -144,6 +146,8 @@ Authors:
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
+%patch18 -p1
+%patch19 -p1
 if [ -f /.buildenv ]; then
 	. /.buildenv
 else
@ -381,6 +385,13 @@ install -m 644 %{SOURCE17} $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/service
 %{_datadir}/locale/*/cups_*

 %changelog
+* Fri Aug 03 2007 - crivera@suse.de
+- Add cups-conf-relaxed-policy.patch, which defines a relaxed
+  policy in cupsd.conf and makes it the default.  This allows
+  normal users to make changes to local printers.
+- Add cups-domain-socket-auth.patch, which has already been
+  accepted upstream, to allow cups to use domain socket
+  authentication for clients on the local machine.
 * Mon Jul 30 2007 - kssingvo@suse.de
 - upgrade to cups-1.2.12:
  * The PHP cups_print_file() function crashed if the options array