Bug#372727: cupsys: cups web interface for server admin corrupts cupsd.conf
Package: cupsys
Version: 1.2.1-2
Severity: important
The cups web interface (:631/admin) has a server section with the
following checkboxes:
  x Show printers shared by other systems
    Share published printers connected to this system
    Allow remote administration
    Allow users to cancel any job (not just their own)
  x Save debugging information for troubleshooting
I put an 'x' in the "Share published printers connected to this system"
and clicked on "Change Settings". It then rewrote cupsd.conf and
reloaded cupsd.
This is where the problems began:
- the interface doesn't respect the Include directives in cupsd.conf
  + when reading the config, browsing was already on
  + when writing the config, it writes bits that are included into
    cupsd.conf
- it totally screwed my network and authorisation configuration; I
  had set it up for remote admin, but it disabled it all...
I've attached the configuration before and after the change.
Regards,
Roger
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (990, 'unstable')
Architecture: powerpc (ppc)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.17
Locale: LANG=en_GB.UTF8, LC_CTYPE=en_GB.UTF8 (charmap=UTF-8)
Versions of packages cupsys depends on:
ii adduser 3.87 Add and remove users and groups
ii cdebconf [debconf-2.0] 0.102 Debian Configuration Management Sy
ii debconf [debconf-2.0] 1.5.1 Debian configuration management sy
ii gs-esp 8.15.1.dfsg.1-2 The Ghostscript PostScript interpr
ii libc6 2.3.6-15 GNU C Library: Shared libraries
ii libcupsimage2 1.2.1-2 Common UNIX Printing System(tm) -
ii libcupsys2 1.2.1-2 Common UNIX Printing System(tm) -
ii libdbus-1-2 0.61-6 simple interprocess messaging syst
ii libgnutls13 1.3.5-1.1 the GNU TLS library - runtime libr
ii libldap2 2.1.30-13 OpenLDAP libraries
ii libpam0g 0.79-3.1 Pluggable Authentication Modules l
ii libpaper1 1.1.18 Library for handling paper charact
ii libslp1 1.2.1-5 OpenSLP libraries
ii lsb-base 3.1-10 Linux Standard Base 3.1 init scrip
ii patch 2.5.9-4 Apply a diff file to an original
ii perl-modules 5.8.8-5 Core Perl modules
ii poppler-utils [xpdf-util 0.4.5-4 PDF utilitites (based on libpopple
ii procps 1:3.2.6-2.2 /proc file system utilities
ii zlib1g 1:1.2.3-11 compression library - runtime
Versions of packages cupsys recommends:
ii cupsys-client 1.2.1-2 Common UNIX Printing System(tm) -
ii foomatic-filters 3.0.2-20060530-1 linuxprinting.org printer support
pn smbclient <none> (no description available)
-- debconf information:
* cupsys/raw-print: false
* cupsys/ports: 631
* cupsys/backend: ipp, lpd, socket, usb
cupsys/portserror:
* cupsys/browse: true
Browsing on
Listen /var/run/cups/cups.sock
Listen localhost:631
Listen liet.home.whinlatter.ukfsn.org:631
#
#
# Sample configuration file for the Common UNIX Printing System (CUPS)
# scheduler. See "man cupsd.conf" for a complete description of this
# file.
#
# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
LogLevel debug
# Administrator user group...
SystemGroup lpadmin
# Only listen for connections from the local machine.
# These settings are configured in /etc/cups/cups.d/ports.conf so that
# changing them does not require to change this file.
# Listen localhost:631
# Listen /var/run/cups/cups.sock
# Show shared printers on the local network.
# The 'Browsing' setting is configured in /etc/cups/cups.d/browse.conf
# so that changing it does not require to change this file.
# Browsing Off
BrowseOrder allow,deny
BrowseAllow @LOCAL
BrowseAddress @LOCAL
# Default authentication type, when authentication is required...
DefaultAuthType Basic
# Restrict access to the server...
<Location />
Order allow,deny
Allow localhost
Allow .home.whinlatter.ukfsn.org
Allow @IF(eth0)
# AuthType None
</Location>
# Restrict access to the admin pages...
<Location /admin>
Encryption Required
Order allow,deny
Allow localhost
Allow @IF(eth0)
</Location>
# Restrict access to configuration files...
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
Order allow,deny
Allow localhost
Allow @IF(eth0)
</Location>
# Set the default printer/job policies...
<Policy default>
# Job-related operations must be done by the owner or an adminstrator...
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
# All administration operations require an adminstrator to authenticate...
<Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
AuthType Basic
Require user @SYSTEM
Order deny,allow
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
# Include files in /etc/cups/conf.d
Include /etc/cups/cups.d/ports.conf
Include /etc/cups/cups.d/browse.conf
#
#
# Show troubleshooting information in error_log.
LogLevel debug
SystemGroup lpadmin
# Enable printer sharing and shared printers.
Browsing On
BrowseOrder allow,deny
BrowseAllow @LOCAL
BrowseAddress @LOCAL
DefaultAuthType Basic
<Location />
# Allow shared printing...
Order allow,deny
Allow @LOCAL
</Location>
<Location /admin>
Encryption Required
# Restrict access to the admin pages...
Order allow,deny
Allow localhost
</Location>
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
# Restrict access to the configuration files...
Order allow,deny
Allow localhost
</Location>
<Policy default>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
AuthType Basic
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
# Only the owner or an administrator can cancel a job...
<Limit Cancel-Job>
Order deny,allow
Require user @OWNER @SYSTEM
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
Include /etc/cups/cups.d/ports.conf
Include /etc/cups/cups.d/browse.conf
# Allow remote access
Port 631
Listen /var/run/cups/cups.sock
--- /tmp/cupsd.conf.orig 2006-06-11 11:26:32.000000000 +0100
+++ /tmp/cupsd.conf.new 2006-06-11 11:26:52.000000000 +0100
@@ -1,89 +1,55 @@
-#
-#
-# Sample configuration file for the Common UNIX Printing System (CUPS)
-# scheduler. See "man cupsd.conf" for a complete description of this
-# file.
-#
-
-# Log general information in error_log - change "info" to "debug" for
-# troubleshooting...
+# Show troubleshooting information in error_log.
LogLevel debug
-
-# Administrator user group...
SystemGroup lpadmin
-
-# Only listen for connections from the local machine.
-# These settings are configured in /etc/cups/cups.d/ports.conf so that
-# changing them does not require to change this file.
-# Listen localhost:631
-# Listen /var/run/cups/cups.sock
-
-# Show shared printers on the local network.
-# The 'Browsing' setting is configured in /etc/cups/cups.d/browse.conf
-# so that changing it does not require to change this file.
-# Browsing Off
+# Enable printer sharing and shared printers.
+Browsing On
BrowseOrder allow,deny
BrowseAllow @LOCAL
BrowseAddress @LOCAL
-
-# Default authentication type, when authentication is required...
DefaultAuthType Basic
-
-# Restrict access to the server...
<Location />
+ # Allow shared printing...
Order allow,deny
- Allow localhost
- Allow .home.whinlatter.ukfsn.org
- Allow @IF(eth0)
-# AuthType None
+ Allow @LOCAL
</Location>
-
-# Restrict access to the admin pages...
<Location /admin>
Encryption Required
+ # Restrict access to the admin pages...
Order allow,deny
Allow localhost
- Allow @IF(eth0)
</Location>
-
-# Restrict access to configuration files...
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
+ # Restrict access to the configuration files...
Order allow,deny
Allow localhost
- Allow @IF(eth0)
</Location>
-
-# Set the default printer/job policies...
<Policy default>
- # Job-related operations must be done by the owner or an adminstrator...
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
-
- # All administration operations require an adminstrator to authenticate...
<Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
AuthType Basic
Require user @SYSTEM
Order deny,allow
</Limit>
-
- # Only the owner or an administrator can cancel or authenticate a job...
- <Limit Cancel-Job CUPS-Authenticate-Job>
+ <Limit CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
-
+ # Only the owner or an administrator can cancel a job...
+ <Limit Cancel-Job>
+ Order deny,allow
+ Require user @OWNER @SYSTEM
+ </Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
-
-# Include files in /etc/cups/conf.d
Include /etc/cups/cups.d/ports.conf
Include /etc/cups/cups.d/browse.conf
-
-#
-#
+# Allow remote access
+Port 631
+Listen /var/run/cups/cups.sock
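Review bot: The `+Port 631` and `+Listen /var/run/cups/cups.sock` lines appended at the end of the new file duplicate listener settings that the retained `Include /etc/cups/cups.d/ports.conf` is meant to own, and `Port 631` listens on every interface rather than on named addresses; likewise `+Browsing On` is written into the main file while `Include /etc/cups/cups.d/browse.conf` stays in place, so each setting now lives in two places. In the `<Location>` blocks, `/` loses its explicit `Allow localhost`, `Allow .home.whinlatter.ukfsn.org` and `Allow @IF(eth0)` entries in favour of `Allow @LOCAL`, while `/admin` and `/admin/conf` drop `Allow @IF(eth0)` and are left with `Allow localhost` only. A rewrite should leave directives that come from included files alone (or remove the matching Include line when it takes them over) and carry over existing `Allow` entries it was not asked to change.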
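The two effects described in this report (Allow lists changed inside `<Location>` blocks, and settings that belong to Include files written into the main file) can be checked mechanically by comparing the file before and after a rewrite. The following Python check is an added example, not part of the original report or of CUPS; the `parse` and `audit` helpers and the `managed` directive list are assumptions made for illustration.

```python
# Added example; BEFORE/AFTER are abbreviated excerpts of the report's two files.
BEFORE = """<Location />
Allow localhost
Allow @IF(eth0)
</Location>
<Location /admin>
Allow localhost
Allow @IF(eth0)
</Location>
Include /etc/cups/cups.d/ports.conf
Include /etc/cups/cups.d/browse.conf"""
AFTER = """Browsing On
<Location />
Allow @LOCAL
</Location>
<Location /admin>
Allow localhost
</Location>
Include /etc/cups/cups.d/ports.conf
Include /etc/cups/cups.d/browse.conf
Port 631"""

def parse(text):
    top, acl, stack = [], {}, []  # directives, {location: Allow set}, open sections
    lines = [ln.strip() for ln in text.splitlines()]
    for line in (ln for ln in lines if ln and not ln.startswith("#")):
        name, _, value = line.partition(" ")
        if line.startswith("</"):
            stack = stack[:-1]                      # leave the current section
        elif line.startswith("<"):
            stack.append(line.strip("<>"))          # e.g. "Location /admin"
        elif not stack:
            top.append((name, value.strip()))       # top-level directive
        elif stack[-1].startswith("Location ") and name.lower() == "allow":
            acl.setdefault(stack[-1].split()[1], set()).add(value.strip())
    return top, acl

def audit(before, after, managed=("browsing", "listen", "port")):
    """Report Allow changes per Location and managed directives newly inlined."""
    (top_b, acl_b), (top_a, acl_a) = parse(before), parse(after)
    findings = []
    for loc in sorted(acl_b.keys() | acl_a.keys()):
        old, new = acl_b.get(loc, set()), acl_a.get(loc, set())
        if old != new:
            findings.append(("acl", loc, sorted(old - new), sorted(new - old)))
    if any(n.lower() == "include" for n, _ in top_a):  # file still uses Includes
        findings += [("inlined", n, v) for n, v in top_a
                     if n.lower() in managed and (n, v) not in top_b]
    return findings
```

Each `acl` finding lists the Allow entries removed and added for one location; each `inlined` finding is a listener or browsing directive that appeared in the main file although Include lines are still present.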