Bug 38023 - Policy default JobPrivate* not configurable in cupsd.conf template
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Printserver
Version: UCS 4.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-0-errata
Assigned To: Felix Botner
QA Contact: Arvid Requate
Blocks: 40574 40257
Reported: 2015-03-12 11:30 CET by Janis Meybohm
Modified: 2016-02-04 13:51 CET

Description Janis Meybohm univentionstaff 2015-03-12 11:30:30 CET
2015031121000077 


The shipped cupsd.conf (-Template) is very old (e.g. does not contain the default policy blocks shipped with upstream cups).

Users can't change the policies (JobPrivate* settings for example) without adding the complete policy blocks. In addition, "/etc/univention/templates/files/etc/cups/cups-access-limit.conf" adds a more or less empty default policy if UCR "cups/printmode/hosts/none" is set.

The cups templates should be updated to reflect the defaults of the upstream package.
Comment 1 Felix Botner univentionstaff 2015-10-01 10:53:57 CEST
again, Ticket #2015092921000274

We need to add "JobPrivateValues none" to make the owner visible in the cups web interface.

Unfortunately, we cannot set this without a complete default policy (if I understand cupsd.conf correctly). The Debian default policy looks like this:


# Set the default printer/job policies...
<Policy default>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default

  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    Order deny,allow
  </Limit>

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

and is a good starting point for a default policy.

We need to:

* change "JobPrivateValues default" to "JobPrivateValues default"
* the policy should be configurable via UCR (as generic as possible)
  cups/policy/default/JobPrivateAccess=default
  cups/policy/default/JobPrivateValues=none
  ...
  # mandatory -> <Limit Cancel-Job CUPS-Authenticate-Job>
  cups/policy/default/Limit/1/Operation="Pause-Printer Cancel-Job"
  # optional -> AuthType Default
  cups/policy/default/Limit/1/AuthType=
  # mandatory -> Require user @OWNER @SYSTEM (not sure if multiple
  #              Require statements are allowed or necessary)
  cups/policy/default/Limit/1/Require="user @OWNER @SYSTEM"
  # mandatory -> Order deny,allow
  cups/policy/default/Limit/1/Order="deny,allow"
  
* <Limit All>Order deny,allow</Limit> is the default for all other operations
  and should be at the end of the policy
* save the policy in /etc/cups/cupsd-policy.conf
* include /etc/cups/cupsd-policy.conf in /etc/cups/cupsd.conf if 
  cups/include/policy is true

I am not sure if we should activate cups/include/policy during the update or only for new installations.
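
A sketch of the UCR-to-policy mapping proposed in the comment above, as an added example (not code from univention-printserver or from the commenter). The helper name render_policy, the value whitelist and the sample values are assumptions; the variable names and the mandatory/optional split follow the proposal.

```python
import re

# Constructed sample using the variable names proposed in the comment above.
SAMPLE_UCR = {
    "cups/policy/default/JobPrivateAccess": "default",
    "cups/policy/default/JobPrivateValues": "none",
    "cups/policy/default/Limit/1/Operation": "Cancel-Job CUPS-Authenticate-Job",
    "cups/policy/default/Limit/1/AuthType": "",
    "cups/policy/default/Limit/1/Require": "user @OWNER @SYSTEM",
    "cups/policy/default/Limit/1/Order": "deny,allow",
}
LIMIT_KEY = re.compile(r"Limit/(\d+)/(Operation|AuthType|Require|Order)")
SAFE_VALUE = re.compile(r"[A-Za-z0-9@,_ -]*")  # no newlines, '<', '>' or '#'

def render_policy(ucr, name="default"):
    """Render a <Policy> block from UCR-style variables (hypothetical helper)."""
    prefix = "cups/policy/%s/" % name
    top, limits = {}, {}
    for key, value in sorted(ucr.items()):
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        # A value containing a newline or '>' could close the block and add directives.
        if not SAFE_VALUE.fullmatch(value):
            raise ValueError("unsafe characters in %s" % key)
        limit = LIMIT_KEY.fullmatch(rest)
        if limit:
            limits.setdefault(int(limit.group(1)), {})[limit.group(2)] = value
        elif rest.isalpha() and value:
            top[rest] = value
    out = ["<Policy %s>" % name]
    out += ["  %s %s" % item for item in sorted(top.items())]
    for index in sorted(limits):
        block = limits[index]
        missing = [f for f in ("Operation", "Require", "Order") if not block.get(f)]
        if missing or "All" in block["Operation"].split():
            raise ValueError("Limit/%d: missing %s or reserved 'All'" % (index, missing))
        out.append("  <Limit %s>" % block["Operation"])
        if block.get("AuthType"):  # optional, as in the proposal
            out.append("    AuthType %s" % block["AuthType"])
        out += ["    Require %s" % block["Require"],
                "    Order %s" % block["Order"], "  </Limit>"]
    # The catch-all block always goes last, as the comment asks.
    out += ["  <Limit All>", "    Order deny,allow", "  </Limit>", "</Policy>"]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_policy(SAMPLE_UCR))
```
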
Comment 2 Stefan Gohmann univentionstaff 2015-11-17 15:07:41 CET
It should be fixed for 4.1 first. Please check afterwards a backport to UCS 4.0.
Comment 3 Tobias Birkefeld univentionstaff 2015-12-11 10:07:42 CET
again, Ticket#2015121021000552
Comment 4 Felix Botner univentionstaff 2015-12-15 14:23:22 CET
univention-printserver
* added cups/policy variables to configure cups policies in 
  /etc/cups/cups-access-limit.conf
* added cups default policy (cups/policy/default/...)
* added cups/access/limit to completely disable cups/policy settings
  in /etc/cups/cups-access-limit.conf (to go with the cups default)

QA:
* create/modify/delete printer
* check printing, check UMC Print jobs (deactivate, activate printer)
* check owner in UMC Print jobs
* update/installation
* check if UCS default policy and cups default policy are equal
** to get the cups default policy set ucr set cups/debug/level='debug2' 
** deactivate cups-access-limit.conf with cups/access/limit=no
** restart cups and look for "Creating CUPS default administrative policy:"
   in /var/log/cups/error_log
** this policy and the default policy in /etc/cups/cups-access-limit.conf
   should be equal
* check if cups/printmode/hosts/none still works
** this is used in ucs@school to disable printing operations for IPs
** add another UCS system to the domain and install univention-printclient
** check if printing is allowed/forbidden for client

YAML: univention-printserver.yaml
Comment 5 Arvid Requate univentionstaff 2015-12-21 20:47:12 CET
> * check if UCS default policy and cups default policy are equal

What is desired: cups or debian default?



* In cupsd.conf.debian (1.5.3-5.99.201510221331) but missing in new template:

CUPS-Add-Modify-Printer CUPS-Add-Modify-Class CUPS-Get-Devices

* In new template but not in cupsd.conf.debian:

Set-Printer-Attributes CUPS-Add-Printer CUPS-Add-Class
Comment 6 Felix Botner univentionstaff 2015-12-22 11:11:24 CET
(In reply to Arvid Requate from comment #5)
> > * check if UCS default policy and cups default policy are equal
> 
> What is desired: cups or debian default?

I would say cups, because this is what is used at the moment (as we don't have a default policy in our templates).

> 
> 
> 
> * In cupsd.conf.debian (1.5.3-5.99.201510221331) but missing in new template:
> 
> CUPS-Add-Modify-Printer CUPS-Add-Modify-Class CUPS-Get-Devices
> 
> * In new template but not in cupsd.conf.debian:
> 
> Set-Printer-Attributes CUPS-Add-Printer CUPS-Add-Class

Ignore cupsd.conf.debian, just check the cups default policy and what we configure as default in cups-access-limit.conf
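
The policy comparison discussed in comments 5 and 6, as an added example (not part of any comment or of univention-printserver): it parses two policy texts, lists the operations named in only one of them, and reports operations that lose their Require line because they fall through to <Limit All>. Both fragments are constructed and only reuse the operation names from comment 5; the function names are assumptions.

```python
# Constructed fragment (not either real file); only the operation list differs.
FRAGMENT = """<Policy default>
  <Limit {ops}>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""
REFERENCE = FRAGMENT.format(ops="CUPS-Add-Modify-Printer CUPS-Delete-Printer "
                                "CUPS-Add-Modify-Class CUPS-Get-Devices")
CANDIDATE = FRAGMENT.format(ops="Set-Printer-Attributes CUPS-Add-Printer "
                                "CUPS-Delete-Printer CUPS-Add-Class")

def parse_limits(text):
    """Map every operation named in a <Limit ...> block to that block's directives."""
    ops, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("<Limit ") and line.endswith(">"):
            current = {}
            for op in line[len("<Limit "):-1].split():
                ops[op] = current  # operations in one block share its directives
        elif line == "</Limit>":
            current = None
        elif line and current is not None:
            key, _, value = line.partition(" ")
            current[key] = value.strip()
    return ops

def effective(ops, operation):
    """Operations not listed in any block fall under <Limit All>."""
    return ops.get(operation, ops.get("All", {}))

def compare(reference, candidate):
    ref, cand = parse_limits(reference), parse_limits(candidate)
    only_ref = sorted(set(ref) - set(cand))
    only_cand = sorted(set(cand) - set(ref))
    # Operations that carry a Require line in the reference but none in the candidate.
    lost = [op for op in sorted((set(ref) | set(cand)) - {"All"})
            if effective(ref, op).get("Require") and not effective(cand, op).get("Require")]
    return only_ref, only_cand, lost

if __name__ == "__main__":
    print(compare(REFERENCE, CANDIDATE))
```
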
Comment 7 Florian Best univentionstaff 2016-01-12 16:01:03 CET
Fixed a typo in the YAML:
r66743 | YAML Bug #38023
Comment 8 Arvid Requate univentionstaff 2016-02-03 19:42:00 CET
Verified:

* create/modify/delete printer: Ok
* check printing, check UMC Print jobs (deactivate, activate printer): Ok
* check owner in UMC Print jobs: Ok
* update/installation: Ok
* check if UCS default policy and cups default policy are equal: Ok
* check if cups/printmode/hosts/none still works: Ok
* Advisory: Ok

Created ucs-test Bugs:
* Bug 40573 for cups/printmode/hosts/none
* Bug 40574 for cups/policy/default/JobPrivateAccess
Comment 9 Janek Walkenhorst univentionstaff 2016-02-04 13:51:44 CET
<http://errata.software-univention.de/ucs/4.1/93.html>