Univention Bugzilla – Bug 48437
Regression: Unknown directive Include on line 630 of /etc/cups/cupsd.conf
Last modified: 2019-04-10 14:19:05 CEST
The cupsd.conf UCR template uses an "Include" directive to include cups-access-limit.conf (and cupsd.local.conf if cups/include/local is set). This Include directive has been removed upstream and the patch has been shipped with the following security updates: http://errata.software-univention.de/ucs/4.3/149.html http://errata.software-univention.de/ucs/4.2/443.html This was the vulnerability: https://security-tracker.debian.org/tracker/CVE-2018-4181 This probably causes a regression for the use cases of Bug #31902 and Bug #19552 Found / reported by: Martin Castillo.
Created attachment 9792 [details] /var/log/cups/error_log The cups error_log shows the error message
*** Bug 48445 has been marked as a duplicate of this bug. ***
Note from bug 48445: ------8<-------- So changes to UCR variables cups/policy/default/JobPrivateAccess cups/policy/default/JobPrivateValues wont affect anything. ------>8--------
Please fix this for 4.3, we need to be able to see the owner and name ob print jobs in the CUPS web interface.
I see Comment #4 as urgend to set the respective flag.
Unfortionately the currently commited solution cannot work: It prints the content of a UCR template into the compiled version of another template - without evaluating the content. You could use the filtering mechanism of UCR directly: from univention.config_registry.handler import run_filter from univention.config_registry import ConfigRegistry ucr = ConfigRegistry() ucr.load() with open(filename) as fd: print run_filter(fd.read(), ucr) Still a bit hacky but probably the easiest way. If we do this I think we should remove the template files then and move them into a general directory?! The listener cups-printers is also affected, which contains a Include directive: services/univention-printserver/cups-printers.py:» » » » print >>fp, 'include = %s' % os.path.join('/etc/samba/printers.conf.d', f) Or is Include in these files still supported?
Ignore the solution suggestion in my last comment. Also the comment about the listener cups-printers.py is wrong, because it generates a samba config in that case. I think the best way to solve the problem is to convert all UCR template files which are included there into a UCR subfile and make the cupsd.conf a UCR multifile. Problematic is only the static file '/etc/cups/cupsd.local.conf' then. If the file changes we would have to rebuild the cupsd.conf. I think we can't do this, at least I don't know a way (except for "inotify", but we seriously don't want this). So we have to document it (that changing the file requires "ucr commit /etc/cups/cupsd.conf").
Successful build Package: univention-printserver Version: 12.0.1-7A~4.4.0.201904041026 Branch: ucs_4.4-0 Scope: errata4.4-0 User: jbremer 997c2ea645 Bug #48437: yaml 6c94f1ad09 Bug #48437: Version bump ee11ddf5bc Bug #48437: Fix typo 5fb8fdc6b2 Bug #48437: Make cups-access-limit a subfile of cupsd.conf to avoid removed cups Include directive. cups-access-limit is now a subfile of cupsd.conf The contents of cupsd.local.conf will now be appended to cupsd.conf If changes to cupsd.local.conf are made, it is now neccessary to execute ucr commit /etc/cups/cupsd.conf to apply those changes.
Looks very nice! One thing I am unsure about is the current order, which changed: Previously the content of the static file was before the cups-access-limit file. I am not sure if the order is relevant here. If it is: We could introduce a 03_local_include subfile.
Successful build Package: univention-printserver Version: 12.0.1-8A~4.4.0.201904041647 Branch: ucs_4.4-0 Scope: errata4.4-0 User: jbremer I implemented your suggestions.
OK: code review OK: changes work nice and as expected OK: UCR variable description OK: UCS manual/documentation changes OK: YAML (adjusted the description)
<http://errata.software-univention.de/ucs/4.4/46.html>