"Limit All" must be on its own otherwise clients like "lpstat -p" hang up #4659
Comments
CUPS.org User: jsmeix.suse
Attaching plain text /var/log/cups/error_log was rejected

CUPS.org User: mike
Johannes, The reason "Limit All" does not include Cancel-All-Jobs, etc. is that they typically require authentication or at least a matching requesting user - as those operations were added newly in 1.7 we didn't want people migrating from a prior release to suddenly end up with an insecure policy. I will see about making this check smarter so that a policy with just a "Limit All" section will not require the extra Limit section for the other operations.

CUPS.org User: mike
Fixed in Subversion repository. This fix is only going into 2.1; because we do not want to have an upgrade cause a change in security behavior, I am not comfortable making the change for 2.0.x.
"str4659.patch": Index: scheduler/conf.c--- scheduler/conf.c (revision 12817)
if (!pol->job_attrs)
if (!pol->sub_access)
if (!pol->sub_attrs)
Version: 2.1-current
CUPS.org User: jsmeix.suse
I use CUPS 2.0.3 (without any patches)
and the following in cupsd.conf
(the "Limit" line is shown wrapped here):
JobPrivateAccess all
JobPrivateValues none
SubscriptionPrivateAccess all
SubscriptionPrivateValues none
Order deny,allow
Allow from all
## DefaultPolicy allowallforanybody
In this case clients like "lpstat -p" hang up
and need to be aborted by [Ctrl]+[C]:
echo 'begin test lpstat' >>/var/log/cups/error_log
lpstat -p
^C
echo 'end test lpstat' >>/var/log/cups/error_log
Attached /var/log/cups/error_log with LogLevel debug2.
When I use a separated "Limit All" it works:
JobPrivateAccess all
JobPrivateValues none
SubscriptionPrivateAccess all
SubscriptionPrivateValues none
Order deny,allow
Allow from all
Order deny,allow
Allow from all
## DefaultPolicy allowallforanybody
I think it is a bug when because of an incorrectly
specified policy cupsd clients like "lpstat -p" hang up.
A side note (minor issue):
I need the
because without it cupsd shows these warnings in error_log
(long lines shown wrapped here):
W ... No limit for Validate-Job defined in policy
allowallforanybody and no suitable template found.
W ... No limit for Cancel-Jobs defined in policy
allowallforanybody and no suitable template found.
W ... No limit for Cancel-My-Jobs defined in policy
allowallforanybody and no suitable template found.
W ... No limit for Close-Job defined in policy
allowallforanybody and no suitable template found.
W ... No limit for CUPS-Get-Document defined in policy
allowallforanybody and no suitable template found.
I think "Limit All" should include Validate-Job Cancel-Jobs
Cancel-My-Jobs Close-Job CUPS-Get-Document so that those
do not need a separated Limit section.
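
A configuration check for the two conditions reported in this issue, as an added example that is not part of the original thread or of the CUPS sources: it flags a policy whose Limit line lists "All" together with other operations, and a policy with no limit for the five operations named in the quoted warnings (the behaviour described here for 2.0.x). The Limit lines in the sample input are constructed, because the reporter's own Limit lines did not survive on this page; lint_policies and sample are hypothetical names.

```python
import re

# Operations named in the error_log warnings quoted in the issue.
EXTRA_OPS = ["Validate-Job", "Cancel-Jobs", "Cancel-My-Jobs",
             "Close-Job", "CUPS-Get-Document"]

def lint_policies(conf_text):
    """Return (policy, message) findings for the <Policy> sections of cupsd.conf text."""
    findings, policy, limited = [], None, set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = re.match(r"<Policy\s+([^>\s]+)\s*>$", line, re.I)
        limit = re.match(r"<Limit\s+([^>]+)>$", line, re.I)
        if start:
            policy, limited = start.group(1), set()
        elif limit and policy:          # <Limit> inside <Location> is ignored
            ops = limit.group(1).split()
            others = [op for op in ops if op.lower() != "all"]
            if others and len(others) < len(ops):
                findings.append((policy, '"All" shares a <Limit> line with '
                                 + ", ".join(others)))
            limited.update(op.lower() for op in ops)
        elif policy and re.match(r"</Policy\s*>$", line, re.I):
            missing = [op for op in EXTRA_OPS if op.lower() not in limited]
            if missing:
                findings.append((policy, "no <Limit> for " + ", ".join(missing)))
            policy = None
    return findings

# Constructed sample input: the policy name and access rules come from the
# issue, the <Limit> lines are assumptions made for this example.
def sample(limit_lines):
    body = "".join(f"{ln}\nOrder deny,allow\nAllow from all\n</Limit>\n"
                   for ln in limit_lines)
    return "<Policy allowallforanybody>\nJobPrivateAccess all\n" + body + "</Policy>\n"

EXTRA = " ".join(EXTRA_OPS)
COMBINED = sample([f"<Limit All {EXTRA}>"])            # the layout reported to hang
SEPARATED = sample([f"<Limit {EXTRA}>", "<Limit All>"])  # the layout reported to work
ALL_ONLY = sample(["<Limit All>"])                     # triggers the quoted warnings

if __name__ == "__main__":
    for name, conf in [("combined", COMBINED), ("separated", SEPARATED),
                       ("all only", ALL_ONLY)]:
        print(name, lint_policies(conf))
```
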