Christoph - thank you for your report.
On Fri 14 Jul 2017 at 08:54:29 +0200, Christoph Pleger wrote: > Package: cups-browsed > Version: 1.11.6-3 > Severity: critical > > Dear maintainers, > > cups-browsed from Debian stretch ignores the "DefaultPolicy authenticated" > entry in my cupsd.conf, so that all browsed-imported printers in > /etc/cups/printers.conf are listed with "OpPolicy default". That differs > from how it was in older Debian versions and their cups-browseds, and it > allows users to print with another user id than their own without > authentication, critical in an environment like ours where users have to pay > for their print quota. An account of my testing procedure. cups and cups-browsed were restarted after a change to cupsd.conf.. 1. No DefaultPolicy directive in cupsd.conf. All five of my remote printers show as "OpPolicy default". 2. Put "DefaultPolicy authenticated" in cupsd.conf. The printers show as in 1. 3. Install cups-browsed 1.10.0-1 (no change in cupsd.conf). The printers show "OpPolicy authenticated". At this point it appears the data support your contention. I was going to suggest a look at /usr/share/doc/cups-filters/changelog.gz (CHANGES IN V1.11.3) and think on whether the implicitclass backend was involved. But I dug a hole for myself. 4. Reinstall stretch's cups-browsed (no change in cupsd.conf) to go back to 2. "OpPolicy authenticated" is what I get! 5. Remove "DefaultPolicy authenticated" from cupsd.conf. Back to 1. Not at all! It's still "DefaultPolicy authenticated". Colour me perplexed (or inept). -- Brian.