This commit is contained in:
OBS User unknown
Git OBS Bridge
parent
f67a5f0669
commit
faeeb2e5c8
@ -1,53 +0,0 @@
|
||||
diff -ur /usr/src/packages/BUILD/cups-1.2.11/conf/cupsd.conf.in ./conf/cupsd.conf.in
|
||||
--- /usr/src/packages/BUILD/cups-1.2.11/conf/cupsd.conf.in 2007-07-30 13:56:58.000000000 -0400
|
||||
+++ ./conf/cupsd.conf.in 2007-07-30 13:52:20.000000000 -0400
|
||||
@@ -25,6 +25,9 @@
|
||||
# Default authentication type, when authentication is required...
|
||||
DefaultAuthType Basic
|
||||
|
||||
+# Set the default policy to relaxed...
|
||||
+DefaultPolicy relaxed
|
||||
+
|
||||
# Restrict access to the server...
|
||||
<Location />
|
||||
Order allow,deny
|
||||
@@ -47,6 +50,39 @@
|
||||
Allow localhost
|
||||
</Location>
|
||||
|
||||
+# relaxed policy
|
||||
+<Policy relaxed>
|
||||
+
|
||||
+# Let local users do reasonable things
|
||||
+<Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Deactivate-Printer Activate-Printer CUPS-Delete-Printer CUPS-Add-Printer CUPS-Set-Default>
|
||||
+Require user @users @SYSTEM
|
||||
+Order deny,allow
|
||||
+Allow From localhost
|
||||
+</Limit>
|
||||
+
|
||||
+# Job-related operations must be done by the owner or an adminstrator...
|
||||
+<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
|
||||
+Require user @OWNER @SYSTEM
|
||||
+Order deny,allow
|
||||
+</Limit>
|
||||
+<Limit All>
|
||||
+Order deny,allow
|
||||
+</Limit>
|
||||
+
|
||||
+<Limit Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
|
||||
+AuthType Basic
|
||||
+Require user @SYSTEM
|
||||
+Order deny,allow
|
||||
+</Limit>
|
||||
+
|
||||
+# Only the owner or an administrator can cancel or authenticate a job...
|
||||
+<Limit Cancel-Job CUPS-Authenticate-Job>
|
||||
+Require user @OWNER @SYSTEM
|
||||
+Order deny,allow
|
||||
+</Limit>
|
||||
+
|
||||
+</Policy>
|
||||
+
|
||||
# Set the default printer/job policies...
|
||||
<Policy default>
|
||||
# Job-related operations must be done by the owner or an adminstrator...
|
||||
@ -1,191 +0,0 @@
|
||||
--- cups-1.2.10/cups/auth.c.af_unix-auth 2007-01-10 16:48:37.000000000 +0000
|
||||
+++ cups-1.2.10/cups/auth.c 2007-03-29 16:59:51.000000000 +0100
|
||||
@@ -26,6 +26,8 @@
|
||||
* Contents:
|
||||
*
|
||||
* cupsDoAuthentication() - Authenticate a request.
|
||||
+ * cups_peercred_auth() - Find out if SO_PEERCRED authentication
|
||||
+ * is possible
|
||||
* cups_local_auth() - Get the local authorization certificate if
|
||||
* available/applicable...
|
||||
*/
|
||||
@@ -40,7 +42,9 @@
|
||||
#include <ctype.h>
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
+#include <pwd.h>
|
||||
#include <sys/stat.h>
|
||||
+#include <sys/types.h>
|
||||
#if defined(WIN32) || defined(__EMX__)
|
||||
# include <io.h>
|
||||
#else
|
||||
@@ -177,6 +181,76 @@
|
||||
return (0);
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * 'cups_peercred_auth()'
|
||||
+ * - UNIX Domain Sockets authentication
|
||||
+ */
|
||||
+
|
||||
+static int /* O - 0 if available, -1 if not */
|
||||
+cups_peercred_auth(http_t *http) /* I - HTTP connection to server */
|
||||
+{
|
||||
+#ifdef SO_PEERCRED
|
||||
+ long buflen;
|
||||
+ char *buf, *newbuf;
|
||||
+ struct passwd pwbuf, *pwbufptr;
|
||||
+ int r;
|
||||
+
|
||||
+ if (http->hostaddr->addr.sa_family != AF_LOCAL)
|
||||
+ return (-1);
|
||||
+
|
||||
+ /*
|
||||
+ * Are we trying to authenticate as ourselves? If not, SO_PEERCRED
|
||||
+ * is no use.
|
||||
+ */
|
||||
+ buflen = sysconf (_SC_GETPW_R_SIZE_MAX);
|
||||
+ buf = NULL;
|
||||
+ do
|
||||
+ {
|
||||
+ newbuf = realloc (buf, buflen);
|
||||
+ if (newbuf == NULL)
|
||||
+ {
|
||||
+ free (buf);
|
||||
+ return (-1);
|
||||
+ }
|
||||
+
|
||||
+ buf = newbuf;
|
||||
+ r = getpwnam_r (cupsUser(), &pwbuf, buf, buflen, &pwbufptr);
|
||||
+ if (r != 0)
|
||||
+ {
|
||||
+ if (r == ERANGE)
|
||||
+ {
|
||||
+ buflen *= 2;
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ free (buf);
|
||||
+ return (-1);
|
||||
+ }
|
||||
+ }
|
||||
+ while (r != 0);
|
||||
+
|
||||
+ if (pwbuf.pw_uid != getuid())
|
||||
+ {
|
||||
+ free (buf);
|
||||
+ return (-1);
|
||||
+ }
|
||||
+
|
||||
+ free (buf);
|
||||
+
|
||||
+ /*
|
||||
+ * Set the authorization string and return...
|
||||
+ */
|
||||
+
|
||||
+ snprintf(http->authstring, sizeof(http->authstring), "SO_PEERCRED");
|
||||
+
|
||||
+ DEBUG_printf(("cups_peercred_auth: Returning authstring = \"%s\"\n",
|
||||
+ http->authstring));
|
||||
+
|
||||
+ return (0);
|
||||
+#else
|
||||
+ return (-1);
|
||||
+#endif /* SO_PEERCRED */
|
||||
+}
|
||||
|
||||
/*
|
||||
* 'cups_local_auth()' - Get the local authorization certificate if
|
||||
@@ -234,7 +308,7 @@
|
||||
{
|
||||
DEBUG_printf(("cups_local_auth: Unable to open file %s: %s\n",
|
||||
filename, strerror(errno)));
|
||||
- return (-1);
|
||||
+ return cups_peercred_auth(http);
|
||||
}
|
||||
|
||||
/*
|
||||
--- cups-1.2.10/scheduler/auth.c.af_unix-auth 2006-09-12 14:58:39.000000000 +0100
|
||||
+++ cups-1.2.10/scheduler/auth.c 2007-03-29 17:03:53.000000000 +0100
|
||||
@@ -60,6 +60,9 @@
|
||||
|
||||
#include "cupsd.h"
|
||||
#include <grp.h>
|
||||
+#include <pwd.h>
|
||||
+#include <sys/socket.h>
|
||||
+#include <sys/types.h>
|
||||
#ifdef HAVE_SHADOW_H
|
||||
# include <shadow.h>
|
||||
#endif /* HAVE_SHADOW_H */
|
||||
@@ -79,6 +82,9 @@
|
||||
#ifdef HAVE_MEMBERSHIP_H
|
||||
# include <membership.h>
|
||||
#endif /* HAVE_MEMBERSHIP_H */
|
||||
+#if !defined(WIN32) && !defined(__EMX__)
|
||||
+# include <unistd.h>
|
||||
+#endif
|
||||
|
||||
|
||||
/*
|
||||
@@ -384,6 +390,61 @@
|
||||
"cupsdAuthorize: No authentication data provided.");
|
||||
return;
|
||||
}
|
||||
+#ifdef SO_PEERCRED
|
||||
+ else if (!strncmp(authorization, "SO_PEERCRED", 3) &&
|
||||
+ con->http.hostaddr->addr.sa_family == AF_LOCAL)
|
||||
+ {
|
||||
+ long buflen;
|
||||
+ char *buf, *newbuf;
|
||||
+ struct passwd pwbuf, *pwbufptr;
|
||||
+ struct ucred u;
|
||||
+ socklen_t ulen = sizeof(u);
|
||||
+ int r;
|
||||
+
|
||||
+ if (getsockopt(con->http.fd, SOL_SOCKET, SO_PEERCRED, &u, &ulen) == -1)
|
||||
+ {
|
||||
+ cupsdLogMessage(CUPSD_LOG_ERROR,
|
||||
+ "cupsdAuthorize: getsockopt failed for SO_PEERCRED");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ buflen = sysconf (_SC_GETPW_R_SIZE_MAX);
|
||||
+ buf = NULL;
|
||||
+ do
|
||||
+ {
|
||||
+ newbuf = realloc (buf, buflen);
|
||||
+ if (newbuf == NULL)
|
||||
+ {
|
||||
+ free (buf);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ buf = newbuf;
|
||||
+
|
||||
+ /* Look up which username the UID is for. */
|
||||
+ r = getpwuid_r (u.uid, &pwbuf, buf, buflen, &pwbufptr);
|
||||
+ if (r != 0)
|
||||
+ {
|
||||
+ if (r == ERANGE)
|
||||
+ {
|
||||
+ buflen *= 2;
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ cupsdLogMessage(CUPSD_LOG_ERROR,
|
||||
+ "cupsdAuthorize: getpwuid_r failed after SO_PEERCRED");
|
||||
+ free (buf);
|
||||
+ return;
|
||||
+ }
|
||||
+ }
|
||||
+ while (r != 0);
|
||||
+
|
||||
+ strlcpy(username, pwbuf.pw_name, sizeof(username));
|
||||
+ free (buf);
|
||||
+ cupsdLogMessage(CUPSD_LOG_DEBUG2,
|
||||
+ "cupsdAuthorize: using SO_PEERCRED (uid=%d)", u.uid);
|
||||
+ }
|
||||
+#endif /* SO_PEERCRED */
|
||||
else if (!strncmp(authorization, "Local", 5) &&
|
||||
!strcasecmp(con->http.hostname, "localhost"))
|
||||
{
|
||||
10
cups.changes
10
cups.changes
@ -1,13 +1,3 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Aug 3 16:20:23 CEST 2007 - crivera@suse.de
|
||||
|
||||
- Add cups-conf-relaxed-policy.patch, which defines a relaxed
|
||||
policy in cupsd.conf and makes it the default. This allows
|
||||
normal users to make changes to local printers.
|
||||
- Add cups-domain-socket-auth.patch, which has already been
|
||||
accepted upstream, to allow cups to use domain socket
|
||||
authentication for clients on the local machine.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 30 15:41:27 CEST 2007 - kssingvo@suse.de
|
||||
|
||||
|
||||
13
cups.spec
13
cups.spec
@ -17,7 +17,7 @@ License: GPL v2 or later, individual distribution permission.
|
||||
Group: Hardware/Printing
|
||||
Summary: The Common UNIX Printing System
|
||||
Version: 1.2.12
|
||||
Release: 2
|
||||
Release: 3
|
||||
Requires: cups-libs = %{version}, cups-client = %{version}
|
||||
Requires: ghostscript_any, ghostscript-fonts-std, foomatic-filters
|
||||
Requires: util-linux
|
||||
@ -52,8 +52,6 @@ Patch14: cups-1.1.21-testppd_duplex.patch
|
||||
Patch15: cups-1.2.11-testppd_filename.patch
|
||||
Patch16: cups-1.2.5-desktop_file.patch
|
||||
Patch17: cups-1.2.6-lppasswd_permission.patch
|
||||
Patch18: cups-conf-relaxed-policy.patch
|
||||
Patch19: cups-domain-socket-auth.patch
|
||||
Patch100: cups-1.1.23-testpage.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
%if %suse_version >= 801
|
||||
@ -146,8 +144,6 @@ Authors:
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
if [ -f /.buildenv ]; then
|
||||
. /.buildenv
|
||||
else
|
||||
@ -385,13 +381,6 @@ install -m 644 %{SOURCE17} $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/service
|
||||
%{_datadir}/locale/*/cups_*
|
||||
|
||||
%changelog
|
||||
* Fri Aug 03 2007 - crivera@suse.de
|
||||
- Add cups-conf-relaxed-policy.patch, which defines a relaxed
|
||||
policy in cupsd.conf and makes it the default. This allows
|
||||
normal users to make changes to local printers.
|
||||
- Add cups-domain-socket-auth.patch, which has already been
|
||||
accepted upstream, to allow cups to use domain socket
|
||||
authentication for clients on the local machine.
|
||||
* Mon Jul 30 2007 - kssingvo@suse.de
|
||||
- upgrade to cups-1.2.12:
|
||||
* The PHP cups_print_file() function crashed if the options array
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user