Univention Bugzilla – Full Text Bug Listing |
Summary: | Policy default JobPrivate* not configurable in cupsd.conf template | ||
---|---|---|---|
Product: | UCS | Reporter: | Janis Meybohm <meybohm> |
Component: | Printserver | Assignee: | Felix Botner <botner> |
Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate> |
Severity: | normal | ||
Priority: | P5 | CC: | best, birkefeld, botner, gohmann, markus.daehlmann, requate, walkenhorst |
Version: | UCS 4.0 | ||
Target Milestone: | UCS 4.1-0-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
What kind of report is it?: | --- | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | ||
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | ||
Max CVSS v3 score: | |||
Bug Depends on: | |||
Bug Blocks: | 40574, 40257 |
Description
Janis Meybohm
2015-03-12 11:30:30 CET
again, Ticket #2015092921000274 We need to add "JobPrivateValues none" to make to owner visible the cups webinterface. Unfortunately, we can not set this without a complete default policy (if i understand cupsd.conf correctly). The debian default policy looks like this # Set the default printer/job policies... <Policy default> # Job/subscription privacy... JobPrivateAccess default JobPrivateValues default SubscriptionPrivateAccess default SubscriptionPrivateValues default # Job-related operations must be done by the owner or an administrator... <Limit Create-Job Print-Job Print-URI Validate-Job> Order deny,allow </Limit> <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document> Require user @OWNER @SYSTEM Order deny,allow </Limit> # All administration operations require an administrator to authenticate... <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices> AuthType Default Require user @SYSTEM Order deny,allow </Limit> # All printer operations require a printer operator to authenticate... <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Ac tivate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs> AuthType Default Require user @SYSTEM Order deny,allow </Limit> # Only the owner or an administrator can cancel or authenticate a job... <Limit Cancel-Job CUPS-Authenticate-Job> Require user @OWNER @SYSTEM Order deny,allow </Limit> <Limit All> Order deny,allow </Limit> </Policy> and is a good starting point for a default policy. We need to: * change "JobPrivateValues default" to "JobPrivateValues default" * the policy should be configurable via UCR (as generic as possible) cups/policy/default/JobPrivateAccess=default cups/policy/default/JobPrivateValues=none ... # mandatory -> <Limit Cancel-Job CUPS-Authenticate-Job> cups/policy/default/Limit/1/Operation="Pause-Printer Cancel-Job" # optional -> AuthType Default cups/policy/default/Limit/1/AuthType= # mandatory -> Require user @OWNER @SYSTEM (not sure if multiple # Require statements are allowed or necessary cups/policy/default/Limit/1/Require="user @OWNER @SYSTEM" # mandatory -> Order deny,allow cups/policy/default/Limit/1/Order="deny,allow" * <Limit All>Order deny,allow</Limit> is the default for all other operations and should be at the end of the policy * save the policy in /etc/cups/cupsd-policy.conf * include /etc/cups/cupsd-policy.conf in /etc/cups/cupsd.conf if cups/include/policy is true I am not sure if we should activate cups/include/policy during the update or only for new installations. It should be fixed for 4.1 first. Please check afterwards a backport to UCS 4.0. again, Ticket#2015121021000552 univention-printserver * added cups/policy variables to configure cups policies in /etc/cups/cups-access-limit.conf * added cups default policy (cups/policy/default/...) * added cups/access/limit to completely disable cups/policy settings in /etc/cups/cups-access-limit.conf (to go with the cups default) QA: * create/modify/delete printer * check printing, check UMC Print jobs (deactivate, activate printer) * check owner in UMC Print jobs * update/installation * check if UCS default policy and cups default policy are equal ** to get the cups default policy set ucr set cups/debug/level='debug2' ** deactivate cups-access-limit.conf with cups/access/limit=no ** restart cups and look for "Creating CUPS default administrative policy:" in /var/log/cups/error_log ** this policy and the default policy in /etc/cups/cups-access-limit.conf should be equal * check if cups/printmode/hosts/none still works ** this is used in ucs@school to disbale printing operations for ip's ** added another UCS system to the domain and install univention-printclient ** check if printing is allowed/forbidden for client YAML: univention-printserver.yaml > * check if UCS default policy and cups default policy are equal
What is desired: cups or debian default?
* In cupsd.conf.debian (1.5.3-5.99.201510221331) bug missing in new template:
CUPS-Add-Modify-Printer CUPS-Add-Modify-Class CUPS-Get-Devices
* In new template but not in cupsd.conf.debian:
Set-Printer-Attributes CUPS-Add-Printer CUPS-Add-Class
(In reply to Arvid Requate from comment #5) > > * check if UCS default policy and cups default policy are equal > > What is desired: cups or debian default? I would say cups, because this is what is used at the moment (as we don't have a default policy in out templates). > > > > * In cupsd.conf.debian (1.5.3-5.99.201510221331) bug missing in new template: > > CUPS-Add-Modify-Printer CUPS-Add-Modify-Class CUPS-Get-Devices > > * In new template but not in cupsd.conf.debian: > > Set-Printer-Attributes CUPS-Add-Printer CUPS-Add-Class Ignore cupsd.conf.debian, just check the cups default policy and what we configure as default in cups-access-limit.conf Fixed a typo in the YAML: r66743 | YAML Bug #38023 Verified: * create/modify/delete printer: Ok * check printing, check UMC Print jobs (deactivate, activate printer): Ok * check owner in UMC Print jobs: Ok * update/installation: Ok * check if UCS default policy and cups default policy are equal: Ok * check if cups/printmode/hosts/none still works: Ok * Advisory: Ok Created ucs-test Bugs: * Bug 40573 for cups/printmode/hosts/none * Bug 40574 for cups/policy/default/JobPrivateAccess |