29e44712ee
Solve bnc#857372 (and its various duplicates) by a major clean up and fix of the systemd unit files for CUPS that makes it again simple and secure to get cupsd working again as it did all the time in the past by a single simple and secure cups.service unit file. For experienced users cups.socket and cups.path are still provided as templates in /usr/share/doc/packages/cups/systemd/ so that experienced users can derive their own cups.socket and cups.path files according to their particular needs. When cupsd again "just works" as it did all the time in the past, then the next step is an optional systemd generator to create cups.socket that matches cupsd.conf see bnc#861084. OBS-URL: https://build.opensuse.org/request/show/215537 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=274
43 lines
2.0 KiB
Diff
43 lines
2.0 KiB
Diff
--- conf/cupsd.conf.in.orig 2014-01-29 14:31:32.000000000 +0100
|
|
+++ conf/cupsd.conf.in 2014-01-29 15:20:30.000000000 +0100
|
|
@@ -136,6 +136,39 @@ WebInterface @CUPS_WEBIF@
|
|
</Limit>
|
|
</Policy>
|
|
|
|
+# The policy below is added by SUSE during build of our cups package.
|
|
+# The policy 'allowallforanybody' is totally open and insecure and therefore
|
|
+# it can only be used within an internal network where only trused users exist
|
|
+# and where the cupsd is not accessible at all from any external host, see
|
|
+# http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
|
|
+# Have in mind that any user who is allowed to do printer admin tasks
|
|
+# can change the print queues as he likes - e.g. send copies of confidental
|
|
+# print jobs from an internal network to any external destination, see
|
|
+# http://en.opensuse.org/SDB:CUPS_in_a_Nutshell
|
|
+# For documentation regarding 'Managing Operation Policies' see
|
|
+# http://www.cups.org/documentation.php/doc-1.5/policies.html
|
|
+<Policy allowallforanybody>
|
|
+ # Allow anybody to access job's private values:
|
|
+ JobPrivateAccess all
|
|
+ # Make none of the job values to be private:
|
|
+ JobPrivateValues none
|
|
+ # Allow anybody to access subscription's private values:
|
|
+ SubscriptionPrivateAccess all
|
|
+ # Make none of the subscription values to be private:
|
|
+ SubscriptionPrivateValues none
|
|
+ # Allow anybody to do all IPP operations:
|
|
+ # Currently the IPP operations Validate-Job Cancel-Jobs Cancel-My-Jobs Close-Job CUPS-Get-Document
|
|
+ # must be additionally exlicitly specified because those IPP operations are not included
|
|
+ # in the "All" wildcard value - otherwise cupsd prints error messages of the form
|
|
+ # "No limit for Validate-Job defined in policy allowallforanybody and no suitable template found."
|
|
+ <Limit All Validate-Job Cancel-Jobs Cancel-My-Jobs Close-Job CUPS-Get-Document>
|
|
+ Order deny,allow
|
|
+ Allow from all
|
|
+ </Limit>
|
|
+</Policy>
|
|
+# Explicitly set the CUPS 'default' policy to be used by default:
|
|
+DefaultPolicy default
|
|
+
|
|
#
|
|
# End of "$Id: cupsd.conf.in 9407 2010-12-09 21:24:51Z mike $".
|
|
#
|