Univention Bugzilla – Bug 48437
Regression: Unknown directive Include on line 630 of /etc/cups/cupsd.conf
Last modified: 2019-04-10 14:19:05 CEST
The cupsd.conf UCR template uses an "Include" directive to include cups-access-limit.conf (and cupsd.local.conf if cups/include/local is set).
This Include directive has been removed upstream and the patch has been shipped with the following security updates:
This was the vulnerability:
This probably causes a regression for the use cases of Bug #31902 and Bug #19552
Found / reported by: Martin Castillo.
Created attachment 9792 [details]
The cups error_log shows the error message
*** Bug 48445 has been marked as a duplicate of this bug. ***
Note from bug 48445:
So changes to UCR variables
wont affect anything.
Please fix this for 4.3, we need to be able to see the owner and name ob print jobs in the CUPS web interface.
I see Comment #4 as urgend to set the respective flag.
Unfortionately the currently commited solution cannot work:
It prints the content of a UCR template into the compiled version of another template - without evaluating the content.
You could use the filtering mechanism of UCR directly:
from univention.config_registry.handler import run_filter
from univention.config_registry import ConfigRegistry
ucr = ConfigRegistry()
with open(filename) as fd:
print run_filter(fd.read(), ucr)
Still a bit hacky but probably the easiest way.
If we do this I think we should remove the template files then and move them into a general directory?!
The listener cups-printers is also affected, which contains a Include directive:
services/univention-printserver/cups-printers.py:» » » » print >>fp, 'include = %s' % os.path.join('/etc/samba/printers.conf.d', f)
Or is Include in these files still supported?
Ignore the solution suggestion in my last comment. Also the comment about the listener cups-printers.py is wrong, because it generates a samba config in that case.
I think the best way to solve the problem is to convert all UCR template files which are included there into a UCR subfile and make the cupsd.conf a UCR multifile.
Problematic is only the static file '/etc/cups/cupsd.local.conf' then.
If the file changes we would have to rebuild the cupsd.conf.
I think we can't do this, at least I don't know a way (except for "inotify", but we seriously don't want this).
So we have to document it (that changing the file requires "ucr commit /etc/cups/cupsd.conf").
997c2ea645 Bug #48437: yaml
6c94f1ad09 Bug #48437: Version bump
ee11ddf5bc Bug #48437: Fix typo
5fb8fdc6b2 Bug #48437: Make cups-access-limit a subfile of cupsd.conf to avoid removed cups Include directive.
cups-access-limit is now a subfile of cupsd.conf
The contents of cupsd.local.conf will now be appended to cupsd.conf
If changes to cupsd.local.conf are made, it is now neccessary to execute
ucr commit /etc/cups/cupsd.conf to apply those changes.
Looks very nice!
One thing I am unsure about is the current order, which changed:
Previously the content of the static file was before the cups-access-limit file.
I am not sure if the order is relevant here. If it is:
We could introduce a 03_local_include subfile.
I implemented your suggestions.
OK: code review
OK: changes work nice and as expected
OK: UCR variable description
OK: UCS manual/documentation changes
OK: YAML (adjusted the description)