Bug 48437 - Regression: Unknown directive Include on line 630 of /etc/cups/cupsd.conf
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Printserver
UCS 4.4
Other Linux
P5 normal with 2 votes
UCS 4.4-0-errata
Assigned To: Julia Bremer
Florian Best
https://github.com/apple/cups/commit/...
Duplicates: 48445
Depends on: 19552 31902 47354 47570
Blocks: 49197
Reported: 2019-01-08 12:07 CET by Arvid Requate
Modified: 2019-04-10 14:19 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.103
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Ticket number: 2019032821000485
Bug group (optional): API change, Security
Max CVSS v3 score:


Attachments
/var/log/cups/error_log (916 bytes, text/plain)
2019-01-08 12:08 CET, Arvid Requate
Description Arvid Requate univentionstaff 2019-01-08 12:07:36 CET
The cupsd.conf UCR template uses an "Include" directive to include cups-access-limit.conf (and cupsd.local.conf if cups/include/local is set).

This Include directive has been removed upstream and the patch has been shipped with the following security updates: 

http://errata.software-univention.de/ucs/4.3/149.html
http://errata.software-univention.de/ucs/4.2/443.html

This was the vulnerability:
 https://security-tracker.debian.org/tracker/CVE-2018-4181

This probably causes a regression for the use cases of Bug #31902 and Bug #19552

Found / reported by: Martin Castillo.
Comment 1 Arvid Requate univentionstaff 2019-01-08 12:08:16 CET
Created attachment 9792
/var/log/cups/error_log

The cups error_log shows the error message
Comment 2 Erik Damrose univentionstaff 2019-01-11 09:52:02 CET
*** Bug 48445 has been marked as a duplicate of this bug. ***
Comment 3 Erik Damrose univentionstaff 2019-01-11 09:53:08 CET
Note from bug 48445:
------8<--------
So changes to UCR variables 
cups/policy/default/JobPrivateAccess  
cups/policy/default/JobPrivateValues 
won't affect anything.
------>8--------
Comment 4 Markus Dählmann 2019-03-29 11:38:16 CET
Please fix this for 4.3, we need to be able to see the owner and name of print jobs in the CUPS web interface.
Comment 5 Nico Stöckigt univentionstaff 2019-04-01 15:21:05 CEST
I see Comment #4 as urgent to set the respective flag.
Comment 6 Florian Best univentionstaff 2019-04-02 13:51:53 CEST
Unfortunately the currently committed solution cannot work:
It prints the content of a UCR template into the compiled version of another template - without evaluating the content.

You could use the filtering mechanism of UCR directly:
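from univention.config_registry import ConfigRegistry
from univention.config_registry.handler import run_filter

# Load the current UCR values, then evaluate the included template's
# content with UCR's own filter instead of printing it unevaluated.
ucr = ConfigRegistry()
ucr.load()
with open(filename) as fd:  # filename: path of the template to include
    print(run_filter(fd.read(), ucr))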

Still a bit hacky but probably the easiest way.

If we do this I think we should remove the template files then and move them into a general directory?!

The listener cups-printers is also affected, which contains an Include directive:
services/univention-printserver/cups-printers.py:    print >>fp, 'include = %s' % os.path.join('/etc/samba/printers.conf.d', f)
Or is Include in these files still supported?
Comment 7 Florian Best univentionstaff 2019-04-02 20:31:56 CEST
Ignore the solution suggestion in my last comment. Also the comment about the listener cups-printers.py is wrong, because it generates a samba config in that case.

I think the best way to solve the problem is to convert all UCR template files which are included there into a UCR subfile and make the cupsd.conf a UCR multifile.

Problematic is only the static file '/etc/cups/cupsd.local.conf' then.
If the file changes we would have to rebuild the cupsd.conf.
I think we can't do this, at least I don't know a way (except for "inotify", but we seriously don't want this). 
So we have to document it (that changing the file requires "ucr commit /etc/cups/cupsd.conf").
Comment 8 Julia Bremer univentionstaff 2019-04-04 10:48:30 CEST
Successful build
Package: univention-printserver
Version: 12.0.1-7A~4.4.0.201904041026
Branch: ucs_4.4-0
Scope: errata4.4-0
User: jbremer

997c2ea645 Bug #48437: yaml
6c94f1ad09 Bug #48437: Version bump
ee11ddf5bc Bug #48437: Fix typo
5fb8fdc6b2 Bug #48437: Make cups-access-limit a subfile of cupsd.conf to avoid removed cups Include directive.


cups-access-limit is now a subfile of cupsd.conf
The contents of cupsd.local.conf will now be appended to cupsd.conf
If changes to cupsd.local.conf are made, it is now necessary to execute
ucr commit /etc/cups/cupsd.conf to apply those changes.
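
Added example, not part of the bug thread or of univention-printserver: a Python check for the two conditions this fix leaves to the administrator, a leftover Include directive in the generated cupsd.conf and a cupsd.local.conf edited after the last "ucr commit /etc/cups/cupsd.conf". The function names, the sample text and the case-insensitive directive match are assumptions of this example; staleness is judged by file modification time.

```python
import os
import re

# Assumption: directive names are matched case-insensitively and a leading
# '#' marks a comment, so commented-out Include lines are not reported.
INCLUDE_RE = re.compile(r"^\s*include\s+(\S.*)$", re.IGNORECASE)

# Constructed sample, not the content of the attached error_log or of a
# real UCS cupsd.conf.
SAMPLE = """\
# generated file
LogLevel warn
<Location />
  Order allow,deny
</Location>
# Include /etc/cups/commented-out.conf
Include /etc/cups/cups-access-limit.conf
include /etc/cups/cupsd.local.conf
"""


def find_include_directives(conf_text):
    """Return (line_number, argument) for every active Include directive."""
    hits = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        match = INCLUDE_RE.match(line)
        if match:
            hits.append((number, match.group(1).strip()))
    return hits


def local_conf_is_stale(generated_path, local_path):
    """True if local_path was modified after generated_path was written."""
    if not os.path.exists(local_path):
        return False  # nothing to append, nothing to be stale
    return os.path.getmtime(local_path) > os.path.getmtime(generated_path)


def audit(generated_path="/etc/cups/cupsd.conf",
          local_path="/etc/cups/cupsd.local.conf"):
    """Report leftover Include lines and whether a ucr commit is pending."""
    with open(generated_path) as fd:
        includes = find_include_directives(fd.read())
    return {"includes": includes,
            "needs_commit": local_conf_is_stale(generated_path, local_path)}


if __name__ == "__main__":
    print(find_include_directives(SAMPLE))
```
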
Comment 9 Florian Best univentionstaff 2019-04-04 16:20:01 CEST
Looks very nice!

One thing I am unsure about is the current order, which changed:
Previously the content of the static file was before the cups-access-limit file.

I am not sure if the order is relevant here. If it is:
We could introduce a 03_local_include subfile.
Comment 10 Julia Bremer univentionstaff 2019-04-04 17:26:54 CEST
Successful build
Package: univention-printserver
Version: 12.0.1-8A~4.4.0.201904041647
Branch: ucs_4.4-0
Scope: errata4.4-0
User: jbremer

I implemented your suggestions.
Comment 11 Florian Best univentionstaff 2019-04-05 13:29:52 CEST
OK: code review
OK: changes work nice and as expected
OK: UCR variable description
OK: UCS manual/documentation changes
OK: YAML (adjusted the description)
Comment 12 Erik Damrose univentionstaff 2019-04-10 14:19:05 CEST
<http://errata.software-univention.de/ucs/4.4/46.html>