Package: cupsys Version: 1.2.1-2 Severity: important The cups web interface (:631/admin), has a server section with the following checkboxes:
x Show printers shared by other systems Share published printers connected to this system Allow remote administration Allow users to cancel any job (not just their own) x Save debugging information for troubleshooting I put an 'x' in the "Share published printers connected to this system" and clicked on "Change Settings". It then rewrote cupsd.conf and reloaded cupsd. This is where the problems began: - the interface doesn't respect the Include directives in cupsd.conf + when reading the config, browsing was already on + when writing the config, it writes bits that are included into cupsd.conf - it totally screwed my network and authorisation configuration; I had set it up for remote admin, but it disabled it all... I've attached the configuration before and after the change. Regards, Roger -- System Information: Debian Release: testing/unstable APT prefers unstable APT policy: (990, 'unstable') Architecture: powerpc (ppc) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.16.17 Locale: LANG=en_GB.UTF8, LC_CTYPE=en_GB.UTF8 (charmap=UTF-8) Versions of packages cupsys depends on: ii adduser 3.87 Add and remove users and groups ii cdebconf [debconf-2.0] 0.102 Debian Configuration Management Sy ii debconf [debconf-2.0] 1.5.1 Debian configuration management sy ii gs-esp 8.15.1.dfsg.1-2 The Ghostscript PostScript interpr ii libc6 2.3.6-15 GNU C Library: Shared libraries ii libcupsimage2 1.2.1-2 Common UNIX Printing System(tm) - ii libcupsys2 1.2.1-2 Common UNIX Printing System(tm) - ii libdbus-1-2 0.61-6 simple interprocess messaging syst ii libgnutls13 1.3.5-1.1 the GNU TLS library - runtime libr ii libldap2 2.1.30-13 OpenLDAP libraries ii libpam0g 0.79-3.1 Pluggable Authentication Modules l ii libpaper1 1.1.18 Library for handling paper charact ii libslp1 1.2.1-5 OpenSLP libraries ii lsb-base 3.1-10 Linux Standard Base 3.1 init scrip ii patch 2.5.9-4 Apply a diff file to an original ii perl-modules 5.8.8-5 Core Perl modules ii poppler-utils [xpdf-util 0.4.5-4 PDF utilitites (based on libpopple ii procps 1:3.2.6-2.2 /proc file system utilities ii zlib1g 1:1.2.3-11 compression library - runtime Versions of packages cupsys recommends: ii cupsys-client 1.2.1-2 Common UNIX Printing System(tm) - ii foomatic-filters 3.0.2-20060530-1 linuxprinting.org printer support pn smbclient <none> (no description available) -- debconf information: * cupsys/raw-print: false * cupsys/ports: 631 * cupsys/backend: ipp, lpd, socket, usb cupsys/portserror: * cupsys/browse: true
Browsing on
Listen /var/run/cups/cups.sock Listen localhost:631 Listen liet.home.whinlatter.ukfsn.org:631
# # # Sample configuration file for the Common UNIX Printing System (CUPS) # scheduler. See "man cupsd.conf" for a complete description of this # file. # # Log general information in error_log - change "info" to "debug" for # troubleshooting... LogLevel debug # Administrator user group... SystemGroup lpadmin # Only listen for connections from the local machine. # These settings are configured in /etc/cups/cups.d/ports.conf so that # changing them does not require to change this file. # Listen localhost:631 # Listen /var/run/cups/cups.sock # Show shared printers on the local network. # The 'Browsing' setting is configured in /etc/cups/cups.d/browse.conf # so that changing it does not require to change this file. # Browsing Off BrowseOrder allow,deny BrowseAllow @LOCAL BrowseAddress @LOCAL # Default authentication type, when authentication is required... DefaultAuthType Basic # Restrict access to the server... <Location /> Order allow,deny Allow localhost Allow .home.whinlatter.ukfsn.org Allow @IF(eth0) # AuthType None </Location> # Restrict access to the admin pages... <Location /admin> Encryption Required Order allow,deny Allow localhost Allow @IF(eth0) </Location> # Restrict access to configuration files... <Location /admin/conf> AuthType Basic Require user @SYSTEM Order allow,deny Allow localhost Allow @IF(eth0) </Location> # Set the default printer/job policies... <Policy default> # Job-related operations must be done by the owner or an adminstrator... <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job> Require user @OWNER @SYSTEM Order deny,allow </Limit> # All administration operations require an adminstrator to authenticate... <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default> AuthType Basic Require user @SYSTEM Order deny,allow </Limit> # Only the owner or an administrator can cancel or authenticate a job... <Limit Cancel-Job CUPS-Authenticate-Job> Require user @OWNER @SYSTEM Order deny,allow </Limit> <Limit All> Order deny,allow </Limit> </Policy> # Include files in /etc/cups/conf.d Include /etc/cups/cups.d/ports.conf Include /etc/cups/cups.d/browse.conf # #
# Show troubleshooting information in error_log. LogLevel debug SystemGroup lpadmin # Enable printer sharing and shared printers. Browsing On BrowseOrder allow,deny BrowseAllow @LOCAL BrowseAddress @LOCAL DefaultAuthType Basic <Location /> # Allow shared printing... Order allow,deny Allow @LOCAL </Location> <Location /admin> Encryption Required # Restrict access to the admin pages... Order allow,deny Allow localhost </Location> <Location /admin/conf> AuthType Basic Require user @SYSTEM # Restrict access to the configuration files... Order allow,deny Allow localhost </Location> <Policy default> <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job> Require user @OWNER @SYSTEM Order deny,allow </Limit> <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default> AuthType Basic Require user @SYSTEM Order deny,allow </Limit> <Limit CUPS-Authenticate-Job> Require user @OWNER @SYSTEM Order deny,allow </Limit> # Only the owner or an administrator can cancel a job... <Limit Cancel-Job> Order deny,allow Require user @OWNER @SYSTEM </Limit> <Limit All> Order deny,allow </Limit> </Policy> Include /etc/cups/cups.d/ports.conf Include /etc/cups/cups.d/browse.conf # Allow remote access Port 631 Listen /var/run/cups/cups.sock
--- /tmp/cupsd.conf.orig 2006-06-11 11:26:32.000000000 +0100 +++ /tmp/cupsd.conf.new 2006-06-11 11:26:52.000000000 +0100 @@ -1,89 +1,55 @@ -# -# -# Sample configuration file for the Common UNIX Printing System (CUPS) -# scheduler. See "man cupsd.conf" for a complete description of this -# file. -# - -# Log general information in error_log - change "info" to "debug" for -# troubleshooting... +# Show troubleshooting information in error_log. LogLevel debug - -# Administrator user group... SystemGroup lpadmin - -# Only listen for connections from the local machine. -# These settings are configured in /etc/cups/cups.d/ports.conf so that -# changing them does not require to change this file. -# Listen localhost:631 -# Listen /var/run/cups/cups.sock - -# Show shared printers on the local network. -# The 'Browsing' setting is configured in /etc/cups/cups.d/browse.conf -# so that changing it does not require to change this file. -# Browsing Off +# Enable printer sharing and shared printers. +Browsing On BrowseOrder allow,deny BrowseAllow @LOCAL BrowseAddress @LOCAL - -# Default authentication type, when authentication is required... DefaultAuthType Basic - -# Restrict access to the server... <Location /> + # Allow shared printing... Order allow,deny - Allow localhost - Allow .home.whinlatter.ukfsn.org - Allow @IF(eth0) -# AuthType None + Allow @LOCAL </Location> - -# Restrict access to the admin pages... <Location /admin> Encryption Required + # Restrict access to the admin pages... Order allow,deny Allow localhost - Allow @IF(eth0) </Location> - -# Restrict access to configuration files... <Location /admin/conf> AuthType Basic Require user @SYSTEM + # Restrict access to the configuration files... Order allow,deny Allow localhost - Allow @IF(eth0) </Location> - -# Set the default printer/job policies... <Policy default> - # Job-related operations must be done by the owner or an adminstrator... <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job> Require user @OWNER @SYSTEM Order deny,allow </Limit> - - # All administration operations require an adminstrator to authenticate... <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default> AuthType Basic Require user @SYSTEM Order deny,allow </Limit> - - # Only the owner or an administrator can cancel or authenticate a job... - <Limit Cancel-Job CUPS-Authenticate-Job> + <Limit CUPS-Authenticate-Job> Require user @OWNER @SYSTEM Order deny,allow </Limit> - + # Only the owner or an administrator can cancel a job... + <Limit Cancel-Job> + Order deny,allow + Require user @OWNER @SYSTEM + </Limit> <Limit All> Order deny,allow </Limit> </Policy> - -# Include files in /etc/cups/conf.d Include /etc/cups/cups.d/ports.conf Include /etc/cups/cups.d/browse.conf - -# -# +# Allow remote access +Port 631 +Listen /var/run/cups/cups.sock