Hello community, here is the log from the commit of package cups checked in at Fri Jul 11 21:07:46 CEST 2008. -------- --- cups/cups.changes 2008-07-01 16:01:27.000000000 +0200 +++ cups/cups.changes 2008-07-10 17:09:26.274409000 +0200 @@ -1,0 +2,10 @@ +Thu Jul 10 17:08:55 CEST 2008 - kssingvo@suse.de + +- added two additional policies to cupsd.conf (fate#303515) + +------------------------------------------------------------------- +Tue Jul 9 13:19:34 CEST 2008 - kssingvo@suse.de + +- fixed abuild failure: ownership of lppasswd + +------------------------------------------------------------------- New: ---- cups-1.3.7-additional_policies.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cups.spec ++++++ --- /var/tmp/diff_new_pack.c10088/_old 2008-07-11 21:06:42.000000000 +0200 +++ /var/tmp/diff_new_pack.c10088/_new 2008-07-11 21:06:42.000000000 +0200 @@ -22,7 +22,7 @@ Group: Hardware/Printing Summary: The Common UNIX Printing System Version: 1.3.7 -Release: 29 +Release: 30 Requires: cups-libs = %{version}, cups-client = %{version} Requires: ghostscript_any, ghostscript-fonts-std, foomatic-filters Requires: util-linux /usr/bin/pdftops @@ -73,6 +73,7 @@ Patch21: cups-1.3.7-keeping_recommended.patch Patch22: cups-1.3.7-configfile_NoBrowseAddress.patch Patch23: cups-1.3.7-lppasswd_fixperm.patch +Patch24: cups-1.3.7-additional_policies.patch Patch100: cups-1.1.23-testpage.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -175,6 +176,7 @@ %patch21 -p1 %patch22 -p1 %patch23 -p1 +%patch24 -p1 if [ -f /.buildenv ]; then . /.buildenv else @@ -396,7 +398,7 @@ %{_bindir}/lpc %{_bindir}/lphelp %{_bindir}/lpoptions -%attr(2755,-,lp) %{_bindir}/lppasswd +%attr(2755,lp,lp) %{_bindir}/lppasswd %{_bindir}/lpq %{_bindir}/lpr %{_bindir}/lprm @@ -419,7 +421,7 @@ %files libs %defattr(-,root,root) %{_bindir}/cups-config -%dir %attr(0775,root,lp) %{_sysconfdir}/cups/ +# %dir %attr(0775,root,lp) %{_sysconfdir}/cups/ %dir %attr(0710,root,lp) %{_var}/spool/cups %dir %attr(1770,root,lp) %{_var}/spool/cups/tmp %dir %attr(0755,lp,lp) %{_var}/log/cups/ @@ -430,6 +432,10 @@ %{_datadir}/locale/*/cups_* %changelog +* Thu Jul 10 2008 kssingvo@suse.de +- added two additional policies to cupsd.conf (fate#303515) +* Wed Jul 09 2008 kssingvo@suse.de +- fixed abuild failure: ownership of lppasswd * Tue Jul 01 2008 kssingvo@suse.de - fix directory/setgid permissions for lppasswd use (bnc#404142) * Wed Jun 04 2008 kssingvo@suse.de ++++++ cups-1.3.7-additional_policies.patch ++++++ --- cups-1.3.7/conf/cupsd.conf.in.orig 2008-07-08 12:11:01.000000000 +0200 +++ cups-1.3.7/conf/cupsd.conf.in 2008-07-08 13:11:57.000000000 +0200 @@ -78,6 +78,55 @@ </Limit> </Policy> +DefaultPolicy default + +# easy is a very relaxed policy +<Policy easy> + # Job-related operations must be done by the owner or an administrator... + <Limit All> + Satisfany any + Order allow,deny + </Limit> +</Policy> + +# paranoid is a very restricted policy +<Policy paranoid> + # Job-related operations must be done by the owner + <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job> + Require user @OWNER + Allow from 127.0.0.0/8 + Order deny,allow + </Limit> + # All administration operations require an administrator to authenticate... + <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default> + AuthType Default + Require user @SYSTEM + Allow from 127.0.0.0/8 + Order deny,allow + </Limit> + + # All printer operations require a printer operator to authenticate... + <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs> + AuthType Default + Require user @CUPS_DEFAULT_PRINTADMIN_AUTH@ + Allow from 127.0.0.0/8 + Order deny,allow + </Limit> + + # Only the owner or an administrator can cancel or authenticate a job... + <Limit Cancel-Job CUPS-Authenticate-Job> + Require user @OWNER + Allow from 127.0.0.0/8 + Order deny,allow + </Limit> + + <Limit All> + Require user @OWNER @CUPS_DEFAULT_PRINTADMIN_AUTH@ + Allow from 127.0.0.0/8 + Order deny,allow + </Limit> +</Policy> + # # End of "$Id: cupsd.conf.in 7199 2008-01-08 00:16:30Z mike $". # ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org