lpadmin to (limited) root privilege escalation

[michaelrsweet]

Version: 1.5.3
CUPS.org User: odyx

Hi,

as was reported to http://bugs.debian.org/692791 , any user belonging to the "lpadmin" group (as defined by the --with-system-groups configure stanza), can get access to any file on the host.

This happens through the following steps:
a) the configuration file is modified through the webinterface with PageLog /etc/shadow (e.g.)
b) the webinterface triggers a server restart
c) as cupsd runs as root, it then grants access to lpadmin users access to /etc/shadow trough the PageLog.

This is clearly a privilege escalation for users in the lpadmin group to access root-owned files.

Cheers,

OdyX

[michaelrsweet]

CUPS.org User: mike

Sigh... I guess we should just blacklist /etc and /usr/local/etc, etc. for the log files. The default LogFilePerm can be changed as well to prevent the log files from having read permissions...

[michaelrsweet]

CUPS.org User: odyx

Hi Michael,

you might want to read the conversations at [0] and [1]. In particular, Jeff Licquia proposed a temporary fix [2] on which it would be good to have your input.

Cheers, OdyX

[0] http://bugs.debian.org/692791
[1] http://thread.gmane.org/gmane.comp.security.oss.general/8773
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=46;filename=bug-692791.dpatch;att=1;bug=692791

[michaelrsweet]

CUPS.org User: mike

Temporary fix 2 is no fix, since it doesn't address the core issue - PUT support for config files and allowing arbitrary values for log files, ServerRoot, and DocumentRoot.

I'm now thinking that the easiest fix is to drop support for those directives and provide command-line options instead. That would allow site configuration by root but not configuration by non-root, and avoids us doing blacklists or whitelists for acceptable locations in cupsd.conf.

I will be investigating this issue more deeply in the coming days and will have a proposed patch at that time.

BTW, the correct vendor contact is security@cups.org and/or security@apple.com, but filing a security bug automatically forwards the report to those addresses.

[michaelrsweet]

CUPS.org User: odyx

Hi Michael,

what is the status of this issue? What could I do to help gettings this solved?

Cheers, Didier

[michaelrsweet]

CUPS.org User: mike

Still working on a patch.

[michaelrsweet]

CUPS.org User: twaugh.redhat

Anything I can do to help out?

By the way, this bug is marked private even though the security issue it talks about is public (since November 8th). Should we open it up?

[michaelrsweet]

CUPS.org User: mike

Tim,

Since this issue is public, I'll open up our bug as well. I got some internal feedback this morning on my proposed fix, will be posting a preliminary patch in another hour or so with some more changes incorporated...

[michaelrsweet]

CUPS.org User: mike

And just so you all know, the changes are somewhat extensive because I opted to move all of the file, directory, user, and group settings out into a separate configuration file that can't be written/read remotely.

[michaelrsweet]

CUPS.org User: mike

Proposed patches attached for 1.6 and 1.7.

Please review...

[michaelrsweet]

CUPS.org User: mike

Here is what is changed:

1. All file, directory, user, and group configuration are now done through the cups-files.conf configuration file.
2. Only cupsd.conf can be read/written remotely now.
3. New sample cups-files.conf, man page, and online help files.

[michaelrsweet]

CUPS.org User: mike

Additional patch to fix default cups-files.conf pathname and to just warn about directives in cupsd.conf that have moved to cups-files.conf (otherwise that would prevent cupsd from starting...)

[michaelrsweet]

CUPS.org User: twaugh.redhat

Thanks, this looks great.

I think something was missing was str4223p2.patch? I've attached cups-str4223-set-default.patch which I think adds in the missing part.

[michaelrsweet]

CUPS.org User: mdeslaur

Here are a couple of small fixes for things I've noticed so far in the 1.6.x branch. (small-fixes.patch)

[michaelrsweet]

CUPS.org User: mdeslaur

Also, DefaultAuthType is now mentioned in the cups-files.conf manpage and help, but it is still being parsed by read_cupsd_conf().

[michaelrsweet]

CUPS.org User: mdeslaur

The attached defaultauthtype.patch patch moves DefaultAuthType to read_cups_files_conf().

[michaelrsweet]

CUPS.org User: mike

Marc, the "small-fixes" patch looks good, will apply and make a new version of the complete patch file. DefaultAuthType shouldn't, IMHO, be in cups-files.conf because the policy and location directives can override it. It was in cupsd.conf, although it looks like a prior find/replace error changed it to "default_auth_type". That was previously fixed in TOT...

Tim, not sure why the p2 patch was missing this bit, but I already have something similar in trunk's main.c...

Will provide a new patch for all of this later today. Thanks, all!

[michaelrsweet]

CUPS.org User: mike

Based on discussions for the Debian bug, I'll also be masking out all but the read/write bits for ConfigFilePerm and LogFilePerm.

[michaelrsweet]

CUPS.org User: odyx

Attached the backport of this issue against 1.5.3. Please review.

Cheers, OdyX

[michaelrsweet]

CUPS.org User: mike

Didier,

Your 1.5.3 patch is just missing Tim's main.c patch for making sure that cups-files.conf is initialized, and I have another change (sorry, got pulled away yesterday) to make sure that ConfigFilePerm and LogFilePerm do not have execute or set-id bits set...

[michaelrsweet]

CUPS.org User: mike

OK, here are the updated patches.

[michaelrsweet]

CUPS.org User: odyx

Here's the patch against 1.5.3, updated. It had a wrong split of configuration stanzas in scheduler/conf.c. Please comment.

I started to work on the patch against 1.4.4 as that's the version we have in our stable release, more news soon.

[michaelrsweet]

CUPS.org User: twaugh.redhat

The FileDevice warning in ipp.c:add_printer() needs to be changed too. Currently it reads:

    send_ipp_status(con, IPP_NOT_POSSIBLE,
                    _("File device URIs have been disabled. "
                      "To enable, see the FileDevice directive in "
                      "\"%s/cupsd.conf\"."),
                    ServerRoot);

[michaelrsweet]

CUPS.org User: mike

Tim, thanks for catching that; changes now in TOT...

[michaelrsweet]

CUPS.org User: twaugh.redhat

I've posted cups-logfile-warning.patch for comment too. It changes the misleading syslog error message when cups-files.conf contains bad content.

Unable to read configuration file '/etc/cups/cupsd.conf' - exiting!

[michaelrsweet]

CUPS.org User: odyx

There, the patch for 1.4.4; please review.

[michaelrsweet]

CUPS.org User: twaugh.redhat

I've just attached another patch fixing a documentation issue (0001-Another-documentation-fix-related-to-CVE-2012-5519.patch).

The cupsctl man page gives "cupsctl FileDevice=Yes" as an example use, but of course this option can no longer be changed that way.

[michaelrsweet]

CUPS.org User: twaugh.redhat

And another documentation patch, cups-str4223-ref-cups-files-conf.patch.

This makes sure the new ref-cups-files-conf.html file is actually installed.

[michaelrsweet]

CUPS.org User: twaugh.redhat

Another patch needed: 0001-Check-permissions-on-cups-files.conf.patch

This time it's to check the permissions on the new cups-files.conf file.

Not sure whether it should use ConfigFilePerm or 0600 for that?

[michaelrsweet]

CUPS.org User: mike

I think ConfigFilePerm, just like cupsd.conf.

Also, I have some changes to cups-logfile-warning.patch and am reviewing the others. Will post a combined patch in a little bit.

[michaelrsweet]

CUPS.org User: mike

Here is a roll-up patch for the v2 patch series:

Fix cupsctl man page

• Generate and install cups-files.conf online help.
• Fix "-t" operation that shows correct filename.
• Use syslog for startup errors.
• Fix installation of cupsd.conf - need to use ConfigurationFile and not ServerRoot/cupsd.conf.
• Check permissions of ConfigurationFile and CupsFilesFile - should be ConfigFilePerm.

[michaelrsweet]

CUPS.org User: mike

OK, think I have all of the documentation changes straightened out now...

[michaelrsweet]

"str4223.patch":

Index: packaging/cups.spec.in

--- packaging/cups.spec.in (revision 10708)
+++ packaging/cups.spec.in (working copy)
@@ -135,6 +135,7 @@
%defattr(-,root,root)
%dir /etc/cups
%config(noreplace) /etc/cups/*.conf
+/etc/cups/cups-files.conf.default
/etc/cups/cupsd.conf.default
%dir /etc/cups/interfaces
%dir /etc/cups/ppd

Index: packaging/cups.list.in

--- packaging/cups.list.in (revision 10708)
+++ packaging/cups.list.in (working copy)
@@ -528,6 +528,8 @@
d 0755 root $CUPS_GROUP $SERVERROOT/interfaces -
d 0755 root $CUPS_GROUP $SERVERROOT/ppd -
d 0700 root $CUPS_GROUP $SERVERROOT/ssl -
+c $CUPS_PERM root $CUPS_GROUP $SERVERROOT/cups-files.conf conf/cups-files.conf
+f $CUPS_PERM root $CUPS_GROUP $SERVERROOT/cups-files.conf.default conf/cups-files.conf
c $CUPS_PERM root $CUPS_GROUP $SERVERROOT/cupsd.conf conf/cupsd.conf
f $CUPS_PERM root $CUPS_GROUP $SERVERROOT/cupsd.conf.default conf/cupsd.conf
c $CUPS_PERM root $CUPS_GROUP $SERVERROOT/snmp.conf conf/snmp.conf

Property changes on: conf

---

Modified: svn:ignore

• cupsd.conf
  mime.convs
  pam.std
  snmp.conf
• cupsd.conf
  cups-files.conf
  mime.convs
  pam.std
  snmp.conf

Index: conf/cups-files.conf.in

--- conf/cups-files.conf.in (revision 10708)
+++ conf/cups-files.conf.in (working copy)
@@ -1,137 +1,97 @@

"$Id$"

-# Sample configuration file for the CUPS scheduler. See "man cupsd.conf" for a
-# complete description of this file.
+# Sample file/directory/user/group configuration file for the CUPS scheduler.
+# See "man cups-files.conf" for a complete description of this file.

-# Log general information in error_log - change "@CUPS_LOG_LEVEL@" to "debug"
-# for troubleshooting...
-LogLevel @CUPS_LOG_LEVEL@
+# List of events that are considered fatal errors for the scheduler...
+#FatalErrors @CUPS_FATAL_ERRORS@

-# Administrator user group...
+# Default user and group for filters/backends/helper programs; this cannot be
+# any user or group that resolves to ID 0 for security reasons...
+#User @CUPS_USER@
+#Group @CUPS_GROUP@
+
+# Administrator user group, used to match @System in cupsd.conf policy rules...
SystemGroup @CUPS_SYSTEM_GROUPS@
@CUPS_SYSTEM_AUTHKEY@

-# Only listen for connections from the local machine.
-Listen localhost:@DEFAULT_IPP_PORT@
-@CUPS_LISTEN_DOMAINSOCKET@
+# User that is substituted for unauthenticated (remote) root accesses...
+#RemoteRoot remroot

-# Show shared printers on the local network.
-Browsing On
-BrowseLocalProtocols @CUPS_BROWSE_LOCAL_PROTOCOLS@
+# Do we allow file: device URIs other than to /dev/null?
+#FileDevice No

-# Default authentication type, when authentication is required...
-DefaultAuthType Basic
+# Permissions for configuration and log files...
+#ConfigFilePerm @CUPS_CONFIG_FILE_PERM@
+#LogFilePerm @CUPS_LOG_FILE_PERM@

-# Web interface setting...
-WebInterface @CUPS_WEBIF@
+# Location of the file logging all access to the scheduler; may be the name
+# "syslog". If not an absolute path, the value of ServerRoot is used as the
+# root directory. Also see the "AccessLogLevel" directive in cupsd.conf.
+AccessLog @CUPS_LOGDIR@/access_log

-# Restrict access to the server...
-

• Order allow,deny
  -
  +# Location of cache files used by the scheduler...
  +#CacheDir @CUPS_CACHEDIR@

-# Restrict access to the admin pages...
-<Location /admin>

• Order allow,deny
  -
  +# Location of data files used by the scheduler...
  +#DataDir @CUPS_DATADIR@

-# Restrict access to configuration files...
-<Location /admin/conf>

• AuthType Default
• Require user @System
• Order allow,deny
  -
  +# Location of the static web content served by the scheduler...
  +#DocRoot @CUPS_DOCROOT@

-# Set the default printer/job policies...
-

• Job/subscription privacy...

• JobPrivateAccess default
• JobPrivateValues default
• SubscriptionPrivateAccess default
• SubscriptionPrivateValues default
  +# Location of the file logging all messages produced by the scheduler and any
  +# helper programs; may be the name "syslog". If not an absolute path, the value
  +# of ServerRoot is used as the root directory. Also see the "LogLevel"
  +# directive in cupsd.conf.
  +ErrorLog @CUPS_LOGDIR@/error_log

• Job-related operations must be done by the owner or an administrator...

• Order deny,allow

+# Location of fonts used by older print filters...
+#FontPath @CUPS_FONTPATH@

• Require user @owner @System
• Order deny,allow

+# Location of LPD configuration
+#LPDConfigFile @CUPS_DEFAULT_LPD_CONFIG_FILE@

• All administration operations require an administrator to authenticate...

• AuthType Default
• Require user @System
• Order deny,allow

+# Location of the file logging all pages printed by the scheduler and any
+# helper programs; may be the name "syslog". If not an absolute path, the value
+# of ServerRoot is used as the root directory. Also see the "PageLogFormat"
+# directive in cupsd.conf.
+PageLog @CUPS_LOGDIR@/page_log

• All printer operations require a printer operator to authenticate...

• AuthType Default
• Require user @CUPS_DEFAULT_PRINTOPERATOR_AUTH@
• Order deny,allow

+# Location of the file listing all of the local printers...
+#Printcap @CUPS_DEFAULT_PRINTCAP@

• Only the owner or an administrator can cancel or authenticate a job...

• Require user @owner @CUPS_DEFAULT_PRINTOPERATOR_AUTH@
• Order deny,allow

+# Format of the Printcap file...
+#PrintcapFormat bsd
+#PrintcapFormat plist
+#PrintcapFormat solaris

• Order deny,allow

-
+# Location of all spool files...
+#RequestRoot @CUPS_REQUESTS@

-# Set the authenticated printer/job policies...
-

• Job/subscription privacy...

• JobPrivateAccess default
• JobPrivateValues default
• SubscriptionPrivateAccess default
• SubscriptionPrivateValues default
  +# Location of helper programs...
  +#ServerBin @CUPS_SERVERBIN@

• Job-related operations must be done by the owner or an administrator...

• AuthType Default
• Order deny,allow

+# SSL/TLS certificate for the scheduler...
+#ServerCertificate @CUPS_SERVERCERT@

• AuthType Default
• Require user @owner @System
• Order deny,allow

+# SSL/TLS private key for the scheduler...
+#ServerKey @CUPS_SERVERKEY@

• All administration operations require an administrator to authenticate...

• AuthType Default
• Require user @System
• Order deny,allow

+# Location of other configuration files...
+#ServerRoot @CUPS_SERVERROOT@

• All printer operations require a printer operator to authenticate...

• AuthType Default
• Require user @CUPS_DEFAULT_PRINTOPERATOR_AUTH@
• Order deny,allow

+# Location of Samba configuration file...
+#SMBConfigFile @CUPS_DEFAULT_SMB_CONFIG_FILE@

• Only the owner or an administrator can cancel or authenticate a job...

• AuthType Default
• Require user @owner @CUPS_DEFAULT_PRINTOPERATOR_AUTH@
• Order deny,allow

+# Location of scheduler state files...
+#StateDir @CUPS_STATEDIR@

• Order deny,allow

-
+# Location of scheduler/helper temporary files. This directory is emptied on
+# scheduler startup and cannot be one of the standard (public) temporary
+# directory locations for security reasons...
+#TempDir @CUPS_REQUESTS@/tmp

End of "$Id$".

Index: conf/cupsd.conf.in

--- conf/cupsd.conf.in (revision 10708)
+++ conf/cupsd.conf.in (working copy)
@@ -9,10 +9,6 @@

for troubleshooting...

LogLevel @CUPS_LOG_LEVEL@

-# Administrator user group...
-SystemGroup @CUPS_SYSTEM_GROUPS@

-@CUPS_SYSTEM_AUTHKEY@

Only listen for connections from the local machine.

Listen localhost:@DEFAULT_IPP_PORT@
@CUPS_LISTEN_DOMAINSOCKET@

Index: conf/Makefile

--- conf/Makefile (revision 10708)
+++ conf/Makefile (working copy)
@@ -19,7 +19,7 @@

Config files...

-KEEP = cupsd.conf snmp.conf
+KEEP = cups-files.conf cupsd.conf snmp.conf
REPLACE = mime.convs mime.types

Index: CHANGES-1.6.txt

--- CHANGES-1.6.txt (revision 10708)
+++ CHANGES-1.6.txt (working copy)
@@ -4,6 +4,9 @@
CHANGES IN CUPS V1.6.2

- Documentation fixes

• • Security: All file, directory, user, and group settings are now stored

• in a separate cups-files.conf configuration file that cannot be set
  

• through the CUPS web interface or APIs (STR #4223)
  

  • The SNMP backend now tries to work around broken printers that use a
    newline to separate key/value pairs.

  • The IPP backend did not send a cancel request to printers when a job
    Index: config-scripts/cups-ssl.m4

    --- config-scripts/cups-ssl.m4 (revision 10708)
    +++ config-scripts/cups-ssl.m4 (working copy)
    @@ -27,6 +27,8 @@
    SSLFLAGS=""
    SSLLIBS=""
    have_ssl=0
    +CUPS_SERVERCERT=""
    +CUPS_SERVERKEY=""

  if test x$enable_ssl != xno; then
  dnl Look for CDSA...
  @@ -36,6 +38,7 @@
  have_ssl=1
  AC_DEFINE(HAVE_SSL)
  AC_DEFINE(HAVE_CDSASSL)

•   CUPS_SERVERCERT="/Library/Keychains/System.keychain"
  
  dnl Check for the various security headers...
  AC_CHECK_HEADER(Security/SecureTransportPriv.h,
  

  @@ -106,6 +109,9 @@
  fi

  if test $have_ssl = 1; then

•   CUPS_SERVERCERT="ssl/server.crt"
  

•   CUPS_SERVERKEY="ssl/server.key"
  

  •    if $PKGCONFIG --exists gcrypt; then
      SSLLIBS="$SSLLIBS `$PKGCONFIG --libs gcrypt`"
      SSLFLAGS="$SSLFLAGS `$PKGCONFIG --cflags gcrypt`"
    

  @@ -148,6 +154,9 @@
  done

  if test "x${SSLLIBS}" != "x"; then
  

•   CUPS_SERVERCERT="ssl/server.crt"
  

•   CUPS_SERVERKEY="ssl/server.key"
  

  • LIBS="$SAVELIBS $SSLLIBS"
    AC_CHECK_FUNCS(SSL_set_tlsext_host_name)
    fi
    @@ -165,6 +174,8 @@
    AC_MSG_ERROR([Unable to enable SSL support.])
    fi

+AC_SUBST(CUPS_SERVERCERT)
+AC_SUBST(CUPS_SERVERKEY)
AC_SUBST(IPPALIASES)
AC_SUBST(SSLFLAGS)
AC_SUBST(SSLLIBS)

Index: config-scripts/cups-defaults.m4

--- config-scripts/cups-defaults.m4 (revision 10708)
+++ config-scripts/cups-defaults.m4 (working copy)
@@ -305,6 +305,7 @@
fi

AC_DEFINE_UNQUOTED(CUPS_DEFAULT_LPD_CONFIG_FILE, "$CUPS_DEFAULT_LPD_CONFIG_FILE")
+AC_SUBST(CUPS_DEFAULT_LPD_CONFIG_FILE)

dnl Default SMB config file...
AC_ARG_WITH(smbconfigfile, [ --with-smbconfigfile set default SMBConfigFile URI],
@@ -326,6 +327,7 @@
fi

AC_DEFINE_UNQUOTED(CUPS_DEFAULT_SMB_CONFIG_FILE, "$CUPS_DEFAULT_SMB_CONFIG_FILE")
+AC_SUBST(CUPS_DEFAULT_SMB_CONFIG_FILE)

dnl Default MaxCopies value...
AC_ARG_WITH(max-copies, [ --with-max-copies set default max copies value, default=9999 ],

Index: doc/help/ref-cups-files-conf.html.in

--- doc/help/ref-cups-files-conf.html.in (revision 10708)
+++ doc/help/ref-cups-files-conf.html.in (working copy)
@@ -1,54 +1,15 @@

- <TITLE>cupsd.conf</TITLE> - <TITLE>cups-files.conf</TITLE>

-

cupsd.conf

+

cups-files.conf

-

The /etc/cups/cupsd.conf file contains
-configuration directives that control how the server
-functions. Each directive is listed on a line by itself followed
-by its value. Comments are introduced using the number sign ("#")
-character at the beginning of a line.

+

The /etc/cups/cups-files.conf file contains configuration directives that control the files, directories. users. and groups that are used by the CUPS scheduler, cupsd(8). Each directive is listed on a line by itself followed by its value. Comments are introduced using the number sign ("#") character at the beginning of a line.

-

Since the server configuration file consists of plain text,
-you can use your favorite text editor to make changes to it.
-After making any changes, restart the cupsd(8)

-process using the startup script for your operating system:

-

• AIX, Linux, Solaris:

-/etc/init.d/cups restart

-

• HP-UX:

-/sbin/init.d/cups restart

-

• MacOS X:

-sudo launchctl unload /System/Library/LaunchDaemons/org.cups.cupsd.plist
-sudo launchctl load /System/Library/LaunchDaemons/org.cups.cupsd.plist

-

-

-

You can also edit this file from the CUPS web interface, which

-automatically handles restarting the scheduler.

-

Note:

-

The specification of time units ("w" for weeks, "h" for hours, etc.) in the various time interval directives is new in CUPS 1.6/OS X 10.8. Prior releases of CUPS only supported time intervals in seconds.

-

AccessLog

Examples

@@ -79,363 +40,6 @@ @CUPS_LOGDIR@/access_log.

-

AccessLogLevel

-

Examples

-

-AccessLogLevel config

-AccessLogLevel actions

-AccessLogLevel all

-

-

Description

-

The AccessLogLevel directive controls which requests are logged

-to the access log file. The following levels are defined:

-

• config; Log when printers and classes are added,
• deleted, or modified and when configuration files are accessed or

- updated.

• actions; Log when print jobs are submitted,
• held, released, modified, or canceled, and any of the conditions

- for config.

-

all; Log all requests.

-

-

The default access log level is @CUPS_ACCESS_LOG_LEVEL@.

-

Allow

-

Examples

-

-<Location /path>


...
Allow from All
Allow from None
Allow from *.example.com
Allow from .example.com
Allow from host.example.com
Allow from nnn.*
Allow from nnn.nnn.*
Allow from nnn.nnn.nnn.*
Allow from nnn.nnn.nnn.nnn
Allow from nnn.nnn.nnn.nnn/mm
Allow from nnn.nnn.nnn.nnn/mmm.mmm.mmm.mmm
Allow from [xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]
Allow from [xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]/mmm
Allow from @LOCAL
Allow from @IF(name)

-</Location>

-

-

Description

-

The Allow directive specifies a hostname, IP
-address, or network that is allowed access to the server.
-Allow directives are cumulative, so multiple
-Allow directives can be used to allow access for
-multiple hosts or networks.

-

Host and domain name matching require that you enable the <A
-HREF="#HostNameLookups">HostNameLookups
-directive.

-

The /mm notation specifies a CIDR netmask, as shown in
-Table 1.

-

-
-

-

-

-

-

-

-

-

-

-

-Table 1: CIDR Netmasks

mm	netmask	mm	netmask
0	0.0.0.0	8	255.0.0.0
1	128.0.0.0	16	255.255.0.0
2	192.0.0.0	24	255.255.255.0
...	...	32	255.255.255.255

-

The @LOCAL name will allow access from all local
-interfaces. The @IF(name) name will allow access
-from the named interface. In both cases, CUPS only allows access
-from the network that the interface(s) are configured for -
-requests arriving on the interface from a foreign network will
-not be accepted.

-

The Allow directive must appear inside a <A
-HREF="#Location">Location or <A
-HREF="#Limit">Limit section.

-

DeprecatedAuthClass

-

Examples

-

-<Location /path>


...
AuthClass Anonymous
AuthClass User
AuthClass System
AuthClass Group

-</Location>

-

-

Description

-

The AuthClass directive defines what level of
-authentication is required:

-

• Anonymous - No authentication should be

- performed (default)

• User - A valid username and password is

- required

• System - A valid username and password
• is required, and the username must belong to the "sys"
• group; this can be changed using the <A
• HREF="#SystemGroup">SystemGroup

- directive

• Group - A valid username and password is
• required, and the username must belong to the group named
• by the <A
• HREF="#AuthGroupName">AuthGroupName

- directive

-

-

The AuthClass directive must appear inside a <A
-HREF="#Location">Location or <A

-HREF="#Limit">Limit section.

-

This directive is deprecated and will be removed from a
-future release of CUPS. Consider using the more flexible <A

-HREF="#Require">Require directive instead.

-

DeprecatedAuthGroupName

-

Examples

-

-<Location /path>


...
AuthGroupName mygroup
AuthGroupName lp

-</Location>

-

-

Description

-

The AuthGroupName directive sets the group to use
-for Group authentication.

-

The AuthGroupName directive must appear inside a
-Location or <A
-HREF="#Limit">Limit section.

-

This directive is deprecated and will be removed from a
-future release of CUPS. Consider using the more flexible <A
-HREF="#Require">Require directive instead.

-

AuthType

-

Examples

-

-<Location /path>


...
AuthType None
AuthType Basic
AuthType Digest
AuthType BasicDigest
AuthType Negotiate

-</Location>

-

-

Description

-

The AuthType directive defines the type of
-authentication to perform:

-

• None - No authentication should be

- performed (default)

• Basic - Basic authentication should be

- performed using the UNIX password and group files

• Digest - Digest authentication should be
• performed using the /etc/cups/passwd.md5

- file

• BasicDigest - Basic authentication
• should be performed using the

- /etc/cups/passwd.md5 file

• Negotiate - Kerberos authentication

- should be performed

-

-

When using Basic, Digest,
-BasicDigest, or Negotiate authentication,
-clients connecting through the localhost interface can

-also authenticate using certificates.

-

The AuthType directive must appear inside a <A
-HREF="#Location">Location or <A

-HREF="#Limit">Limit section.

-

AutoPurgeJobs

-

Examples

-

-AutoPurgeJobs Yes

-AutoPurgeJobs No

-

-

Description

-

The AutoPurgeJobs directive specifies whether or
-not to purge completed jobs once they are no longer required for
-quotas. This option has no effect if quotas are not enabled. The

-default setting is No.

-

CUPS 1.2/OS X 10.5BrowseLocalProtocols

-

Examples

-

-BrowseLocalProtocols all

-BrowseLocalProtocols none

-BrowseLocalProtocols dnssd

-

-

Description

-

The BrowseLocalProtocols directive specifies the
-protocols to use when advertising local shared printers on the
-network. Multiple protocols can be specified by separating them

-with spaces. The default is "@CUPS_BROWSE_LOCAL_PROTOCOLS@".

-

BrowseWebIF

-

Examples

-

-BrowseWebIF On

-BrowseWebIF Off

-

-

Description

-

The BrowseWebIF directive controls whether the CUPS web
-interface is advertised via DNS-SD. The default setting is

-Off.

-

Browsing

-

Examples

-

-Browsing On

-Browsing Off

-

-

Description

-

The Browsing directive controls whether or not
-printer sharing is enabled. The default setting is

-@CUPS_BROWSING@.

-

CUPS 1.1.7Classification

-

Examples

-

-Classification

-Classification classified

-Classification confidential

-Classification secret

-Classification topsecret

-Classification unclassified

-

-

Description

-

The Classification directive sets the
-classification level on the server. When this option is set, at
-least one of the banner pages is forced to the classification
-level, and the classification is placed on each page of output.

-The default is no classification level.

-

CUPS 1.1.10ClassifyOverride

-

Examples

-

-ClassifyOverride Yes

-ClassifyOverride No

-

-

Description

-

The ClassifyOverride directive specifies whether
-users can override the default classification level on the
-server. When the server classification is set, users can change
-the classification using the job-sheets option and
-can choose to only print one security banner before or after the
-job. If the job-sheets option is set to
-none then the server default classification is

-used.

-

The default is to not allow classification overrides.

CUPS 1.1.15ConfigFilePerm

Examples

@@ -488,171 +92,6 @@ username. The default is Basic.

-

CUPS 1.2/OS X 10.5DefaultEncryption

-

Examples

-

-DefaultEncryption Never

-DefaultEncryption IfRequested

-DefaultEncryption Required

-

-

Description

-

The DefaultEncryption directive specifies the
-type of encryption to use when performing authentication. The

-default is Required.

-

DefaultLanguage

-

Examples

-

-DefaultLanguage de

-DefaultLanguage en

-DefaultLanguage es

-DefaultLanguage fr

-DefaultLanguage it

-

-

Description

-

The DefaultLanguage directive specifies the
-default language to use for client connections. Setting the
-default language also sets the default character set if a
-language localization file exists for it. The default language

-is "en" for English.

-

CUPS 1.4/OS X 10.6DefaultPaperSize

-

Examples

-

-DefaultPaperSize Letter

-DefaultPaperSize A4

-DefaultPaperSize Auto

-DefaultPaperSize None

-

-

Description

-

The DefaultPaperSize directive specifies the default paper
-size to use when creating new printers. The default is Auto
-which uses a paper size appropriate for the system default locale. A value
-of None tells the scheduler to not set the default paper

-size.

-

CUPS 1.2/OS X 10.5DefaultPolicy

-

Examples

-

-DefaultPolicy default

-DefaultPolicy authenticated

-DefaultPolicy foo

-

-

Description

-

The DefaultPolicy directive specifies the default
-policy to use for IPP operation. The default is
-default. CUPS also includes a policy called
-authenticated that requires a username and password for printing

-and other job operations.

-

CUPS 1.2/OS X 10.5DefaultShared

-

Examples

-

-DefaultShared yes

-DefaultShared no

-

-

Description

-

The DefaultShared directive specifies whether
-printers are shared (published) by default. The default is

-@CUPS_DEFAULT_SHARED@.

-

Deny

-

Examples

-

-<Location /path>


..
Deny from All
Deny from None
Deny from *.example.com
Deny from .example.com
Deny from host.example.com
Deny from nnn.*
Deny from nnn.nnn.*
Deny from nnn.nnn.nnn.*
Deny from nnn.nnn.nnn.nnn
Deny from nnn.nnn.nnn.nnn/mm
Deny from nnn.nnn.nnn.nnn/mmm.mmm.mmm.mmm
Deny from [xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]
Deny from [xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]/mmm
Deny from @LOCAL
Deny from @IF(name)

-</Location>

-

-

Description

-

The Deny directive specifies a hostname, IP
-address, or network that is denied access to the server.
-Deny directives are cumulative, so multiple
-Deny directives can be used to deny access for

-multiple hosts or networks.

-

Host and domain name matching require that you enable the <A
-HREF="#HostNameLookups">HostNameLookups

-directive.

-

The /mm notation specifies a CIDR netmask, a shown in

-Table 1.

-

The @LOCAL name will deny access from all local
-interfaces. The @IF(name) name will deny access from
-the named interface. In both cases, CUPS only denies access from
-the network that the interface(s) are configured for - requests
-arriving on the interface from a foreign network will

-not be denied.

-

The Deny directive must appear inside a <A
-HREF="#Location">Location or <A

-HREF="#Limit">Limit section.

-

CUPS 1.4/OS X 10.6DirtyCleanInterval

-

Examples

-

-DirtyCleanInterval 1w

-DirtyCleanInterval 1d

-DirtyCleanInterval 1h

-DirtyCleanInterval 1m

-DirtyCleanInterval 30

-DirtyCleanInterval 0

-

-

Description

-

The DirtyCleanInterval directive specifies the amount of time to wait before updating configuration and state files for printers, classes, subscriptions, and jobs in seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix). A value of 0 causes the update to occur as soon as possible, typically within a few milliseconds.

-

The default value is 30 (30 seconds).

DocumentRoot

Examples

@@ -679,28 +118,6 @@
language needed.

-

Encryption

-

Examples

-

-<Location /path>


...
Encryption Never
Encryption IfRequested
Encryption Required

-</Location>

-

-

Description

-

The Encryption directive must appear instead a <A
-HREF="#Location">Location or <A
-HREF="#Limit">Limit section and specifies the
-encryption settings for that location. The default setting is

-IfRequested for all locations.

ErrorLog

Examples

@@ -726,45 +143,6 @@
information to the system log instead of a plain file.

-

CUPS 1.3/OS X 10.5ErrorPolicy

-

Examples

-

-ErrorPolicy abort-job

-ErrorPolicy retry-job

-ErrorPolicy stop-printer

-

-

Description

-

The ErrorPolicy directive defines the default policy that
-is used when a backend is unable to send a print job to the

-printer.

-

The following values are supported:

-

• abort-job - Abort the job and proceed

- with the next job in the queue

• retry-job - Retry the job after waiting
• for N seconds; the cupsd.conf <A
• HREF="#JobRetryInterval">JobRetryInterval

- directive controls the value of N

• retry-this-job - Retry the current job immediately

- and indefinitely.

• stop-printer - Stop the printer and keep
• the job for future printing; this is the default

- value

-

CUPS 1.4/OS X 10.6FatalErrors

Examples

@@ -849,50 +227,6 @@

-

CUPS 1.1.3FilterLimit

-

Examples

-

-FilterLimit 0

-FilterLimit 200

-FilterLimit 1000

-

-

Description

-

The FilterLimit directive sets the maximum cost
-of all running job filters. It can be used to limit the number of
-filter programs that are run on a server to minimize disk,
-memory, and CPU resource problems. A limit of 0 disables filter

-limiting.

-

An average print to a non-PostScript printer needs a filter
-limit of about 200. A PostScript printer needs about half that
-(100). Setting the limit below these thresholds will effectively

-limit the scheduler to printing a single job at any time.

-

The default limit is 0.

-

CUPS 1.1.16FilterNice

-

Examples

-

-FilterNice 0

-FilterNice 10

-FilterNice 19

-

-

Description

-

The FilterNice directive sets the nice(1)
-value to assign to filter processes. The nice value ranges from
-0, the highest priority, to 19, the lowest priority. The default

-is 0.

CUPS 1.1.3FontPath

Examples

@@ -926,613 +260,6 @@ nobody.

-

CUPS 1.6/OS X 10.8GSSServiceName

-

Examples

-

-GSSServiceName http

-GSSServiceName ipp

-

-

Description

-

The GSSServiceName directive sets the Kerberos service name to use. The default is @CUPS_DEFAULT_GSSSERVICE_NAME@ for compatibility with Microsoft Windows.

-

HostNameLookups

-

Examples

-

-HostNameLookups On

-HostNameLookups Off

-HostNameLookups Double

-

-

Description

-

The HostNameLookups directive controls whether or
-not CUPS looks up the hostname for connecting clients. The
-Double setting causes CUPS to verify that the
-hostname resolved from the address matches one of the addresses
-returned for that hostname. Double lookups also
-prevent clients with unregistered addresses from connecting to

-your server.

-

The default is Off to avoid the potential server
-performance problems with hostname lookups. Set this option to
-On or Double only if absolutely

-required.

-

CUPS 1.1.9Include

-

Examples

-

-Include filename

-Include /foo/bar/filename

-

-

Description

-

The Include directive includes the named file in
-the cupsd.conf file. If no leading path is provided,
-the file is assumed to be relative to the <A

-HREF="#ServerRoot">ServerRoot directory.

-

CUPS 1.5JobPrivateAccess

-

Examples

-

-JobPrivateAccess all

-JobPrivateAccess default

-JobPrivateAccess {user|@group|@ACL|@OWNER|@SYSTEM}+

-

-

Description

-

The JobPrivateAccess directive specifies the access list for a
-job's private values. The "default" access list is "@owner @System". "@acl" maps
-to the printer's requesting-user-name-allowed or requesting-user-name-denied

-values.

-

The JobPrivateAccess directive must appear inside a <A

-HREF="#Policy">Policy section.

-

CUPS 1.5JobPrivateValues

-

Examples

-

-JobPrivateValues all

-JobPrivateValues default

-JobPrivateValues none

-JobPrivateValues attribute-name-1 [ ... attribute-name-N ]

-

-

Description

-

The JobPrivateValues directive specifies the list of job values
-to make private. The "default" values are "job-name",

-"job-originating-host-name", "job-originating-user-name", and "phone".

-

The JobPrivateValues directive must appear inside a <A

-HREF="#Policy">Policy section.

-

CUPS 1.2/OS X 10.5JobRetryInterval

-

Examples

-

-JobRetryInterval 1w

-JobRetryInterval 1d

-JobRetryInterval 1h

-JobRetryInterval 1m

-JobRetryInterval 30

-

-

Description

-

The JobRetryInterval directive specifies the amount of time to wait before retrying a job in seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix). This is typically used for fax queues but can also be used with normal print queues whose error policy is retry-job or retry-current-job.

-

The default is 30 (30 seconds).

-

CUPS 1.4/OS X 10.6JobKillDelay

-

Examples

-

-JobKillDelay 1w

-JobKillDelay 1d

-JobKillDelay 1h

-JobKillDelay 1m

-JobKillDelay 30

-

-

Description

-

The JobKillDelay directive specifies the amount of time to wait before killing the filters and backend associated with a canceled or held job in seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix).

-

The default is 30 (30 seconds).

-

CUPS 1.2/OS X 10.5JobRetryLimit

-

Examples

-

-JobRetryLimit 5

-JobRetryLimit 50

-

-

Description

-

The JobRetryLimit directive specifies the maximum
-number of times the scheduler will try to print a job. This is
-typically used for fax queues but can also be used with normal
-print queues whose error policy is retry-job. The

-default is 5 times.

-

KeepAlive

-

Examples

-

-KeepAlive On

-KeepAlive Off

-

-

Description

-

The KeepAlive directive controls whether or not
-to support persistent HTTP connections. The default is

-On.

-

HTTP/1.1 clients automatically support persistent connections,
-while HTTP/1.0 clients must specifically request them using the
-Keep-Alive attribute in the Connection:

-field of each request.

-

KeepAliveTimeout

-

Examples

-

-KeepAliveTimeout 1w

-KeepAliveTimeout 1d

-KeepAliveTimeout 1h

-KeepAliveTimeout 1m

-KeepAliveTimeout 30

-

-

Description

-

The KeepAliveTimeout directive controls how long a persistent HTTP connection will remain open after the last request in seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix).

-

The default is 30 (30 seconds).

-

CUPS 1.1.7Limit (Location)

-

Examples

-

-<Location /path>


<Limit GET POST>
...

-  </Limit>

<Limit ALL>
...
</Limit>

-</Location>

-

-

Description

-

The Limit directive groups access control
-directives for specific types of HTTP requests and must appear
-inside a Location section.
-Access can be limited for individual request types
-(DELETE, GET, HEAD,
-OPTIONS, POST, PUT, and
-TRACE) or for all request types (ALL).
-The request type names are case-sensitive for compatibility with
-Apache.

-

CUPS 1.2/OS X 10.5Limit (Policy)

-

Examples

-

-<Policy name>


<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer>
...

-  </Limit>

<Limit All>
...
</Limit>

-</Policy>

-

-

Description

-

When included in Policy
-sections, the Limit directive groups access control
-directives for specific IPP operations. Multiple operations can
-be listed, separated by spaces. Table 2 lists the supported
-operations.

-

-
-
-

-

-
-
-

-
-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-
-Table 2: Supported IPP Operations

Operation Name	Description
All	All operations - used as the default limit for operations that are not listed
Cancel-Job	Cancel a job
Cancel-Subscription	Cancel a subscription
Create-Job	Create a new, empty job
Create-Job-Subscription	Creates a notification subscription on a job
Create-Printer-Subscription	Creates a notification subscription on a printer
CUPS-Accept-Jobs	Sets the printer-is-accepting-jobs value for a printer to true
CUPS-Add-Modify-Class	Adds or modifies a class
CUPS-Add-Modify-Printer	Adds or modifies a printer
CUPS-Authenticate-Job	Authenticates a job for printing
CUPS-Delete-Class	Deletes a class
CUPS-Delete-Printer	Deletes a printer
CUPS-Get-Classes	Gets a list of classes
CUPS-Get-Default	Gets the (network/server) default printer or class
CUPS-Get-Devices	Gets a list of available devices
CUPS-Get-PPDs	Gets a list of available manufacturers or drivers
CUPS-Get-Printers	Gets a list of printers and/or classes
CUPS-Move-Job	Moves a job to a new destination
CUPS-Reject-Jobs	Sets the printer-is-accepting-jobs value for a printer to false
CUPS-Set-Default	Sets the network/server default printer or class
Disable-Printer	Sets the printer-state value for a printer to stopped
Enable-Printer	Sets the printer-state value for a printer to idle/processing
Get-Job-Attributes	Gets information about a job
Get-Jobs	Gets a list of jobs
Get-Notifications	Gets a list of events
Get-Printer-Attributes	Gets information about a printer or class
Get-Subscription-Attributes	Gets information about a notification subscription
Get-Subscriptions	Gets a list of notification subscriptions
Hold-Job	Holds a job for printing
Pause-Printer	Sets the printer-state value for a printer to stopped
Print-Job	Creates a job with a single file for printing
Purge-Jobs	Removes all jobs from a printer
Release-Job	Releases a previously held job for printing
Renew-Subscription	Renews a notification subscription
Restart-Job	Reprints a job
Resume-Printer	Sets the printer-state value for a printer to idle/processing
Send-Document	Adds a file to an job created with Create-Job
Set-Job-Attributes	Changes job options
Validate-Job	Validates job options prior to printing

-

CUPS 1.1.7LimitExcept

-

Examples

-

-<Location /path>


<LimitExcept GET POST>
...
</LimitExcept>

-</Location>

-

-

Description

-

The LimitExcept directive groups access control
-directives for specific types of HTTP requests and must appear
-inside a Location section.
-Unlike the Limit directive,
-LimitExcept restricts access for all requests
-except those listed on the LimitExcept

-line.

-

LimitRequestBody

-

Examples

-

-LimitRequestBody 10485760

-LimitRequestBody 10m

-LimitRequestBody 0

-

-

Description

-

The LimitRequestBody directive controls the
-maximum size of print files, IPP requests, and HTML form data in
-HTTP POST requests. The default limit is 0 which disables the

-limit check.

-

Listen

-

Examples

-

-Listen 127.0.0.1:631

-Listen 192.0.2.1:631

-Listen [::1]:631

-Listen *:631

-

-

Description

-

The Listen directive specifies a network address
-and port to listen for connections. Multiple Listen

-directives can be provided to listen on multiple addresses.

-

The Listen directive is similar to the <A
-HREF="#Port">Port directive but allows you to

-restrict access to specific interfaces or networks.

-

CUPS 1.1.7ListenBackLog

-

Examples

-

-ListenBackLog 5

-ListenBackLog 10

-

-

Description

-

The ListenBackLog directive sets the maximum
-number of pending connections the scheduler will allow. This
-normally only affects very busy servers that have reached the <A
-HREF="#MaxClients">MaxClients limit, but can
-also be triggered by large numbers of simultaneous connections.
-When the limit is reached, the operating system will refuse
-additional connections until the scheduler can accept the pending
-ones. The default is the OS-defined default limit, typically
-either 5 for older operating systems or 128 for newer operating

-systems.

-

Location

-

Examples

-

-<Location />

-...

-</Location>
-<Location /admin>

-...
-</Location>
-<Location /admin/conf>

-...
-</Location>
-<Location /admin/log>

-...
-</Location>
-<Location /classes>

-...
-</Location>
-<Location /classes/name>

-...
-</Location>
-<Location /jobs>

-...
-</Location>
-<Location /printers>

-...
-</Location>
-<Location /printers/name>

-...
-</Location>
-

-

Description

-

The Location directive specifies access control
-and authentication options for the specified HTTP resource or
-path. The Allow, <A
-HREF="#AuthType">AuthType, <A
-HREF="#Deny">Deny, <A
-HREF="#Encryption">Encryption, <A
-HREF="#Limit">Limit, <A
-HREF="#LimitExcept">LimitExcept, <A
-HREF="#Order">Order, <A
-HREF="#Require">Require, and <A
-HREF="#Satisfy">Satisfy directives may all

-appear inside a location.

-

Note that more specific resources override the less specific
-ones. So the directives inside the /printers/name
-location will override ones from /printers.
-Directives inside /printers will override ones from

-/. None of the directives are inherited.

-

-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-

-

Table 3: Common Locations on the Server

Location	Description
/	The path for all get operations (get-printers, get-jobs, etc.)
/admin	The path for all administration operations (add-printer, delete-printer, start-printer, etc.)
/admin/conf	The path for access to the CUPS configuration files (cupsd.conf, client.conf, etc.)
/admin/log	The path for access to the CUPS log files (access_log, error_log, page_log)
/classes	The path for all classes
/classes/name	The resource for class name
/jobs	The path for all jobs (hold-job, release-job, etc.)
/jobs/id	The resource for job id
/printers	The path for all printers
/printers/name	The path for printer name
/printers/name.ppd	The PPD file path for printer name

-

LogDebugHistory

-

Examples

-

-LogDebugHistory 0

-LogDebugHistory 200

-

-

Description

-

When LogLevel is not set to
-debug or debug2, the LogDebugHistory
-directive specifies the number of debugging messages that are logged when an
-error occurs during printing. The default is 200 messages. A value of 0

-disables debugging history entirely and is not recommended.

CUPS 1.1.15LogFilePerm

Examples

@@ -1549,350 +276,6 @@
is @CUPS_LOG_FILE_PERM@.

-

LogLevel

-

Examples

-

-LogLevel none

-LogLevel emerg

-LogLevel alert

-LogLevel crit

-LogLevel error

-LogLevel warn

-LogLevel notice

-LogLevel info

-LogLevel debug

-LogLevel debug2

-

-

Description

-

The LogLevel directive specifies the level of
-logging for the ErrorLog
-file. The following values are recognized (each level logs

-everything under the preceding levels):

-

-

none - Log nothing

• emerg - Log emergency conditions that

- prevent the server from running

• alert - Log alerts that must be handled

- immediately

• crit - Log critical errors that don't

- prevent the server from running

-

error - Log general errors

-

warn - Log errors and warnings

-

notice - Log temporary error conditions

• info - Log all requests and state

- changes

• debug - Log basic debugging

- information

• debug2 - Log all debugging

- information

-

-

The default LogLevel is @CUPS_LOG_LEVEL@.

-

LogTimeFormat

-

Examples

-

-LogTimeFormat standard

-LogTimeFormat usecs

-

-

Description

-

The LogTimeFormat directive specifies the format used for the
-date and time in the log files. Standard uses the standard Apache
-Common Log Format date and time while usecs adds microseconds.

-The default is standard.

-

MaxClients

-

Examples

-

-MaxClients 100

-MaxClients 1024

-

-

Description

-

The MaxClients directive controls the maximum
-number of simultaneous clients that will be allowed by the

-server. The default is 100 clients.

-

Note:

-

Since each print job requires a file descriptor for the status
-pipe, the scheduler internally limits the MaxClients
-value to 1/3 of the available file descriptors to avoid possible

-problems when printing large numbers of jobs.

-

-

CUPS 1.1.18MaxClientsPerHost

-

Examples

-

-MaxClientsPerHost 10

-

-

Description

-

The MaxClientsPerHost directive controls the
-maximum number of simultaneous clients that will be allowed from
-a single host by the server. The default is the

-MaxClients value.

-

This directive provides a small measure of protection against

-Denial of Service attacks from a single host.

-

CUPS 1.1.16MaxCopies

-

Examples

-

-MaxCopies 100

-MaxCopies 65535

-

-

Description

-

The MaxCopies directive controls the maximum
-number of copies that a user can print of a job. The default is

-@CUPS_MAX_COPIES@ copies.

-

Note:

-

Most HP PCL laser printers internally limit the number of

-copies to 100.

-

-

CUPS 1.6/OS X 10.8MaxHoldTime

-

Examples

-

-MaxHoldTime 10800

-MaxHoldTime 3h

-MaxHoldTime 180m

-MaxHoldTime 0

-

-

Description

-

The MaxHoldTime directive controls the maximum number of seconds allowed for a job to remain in the "indefinite" hold state. The job is canceled automatically if it remains held indefinitely longer than the specified time interval in seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix).

-

The default setting is 0 which disables this functionality.

-

MaxJobs

-

Examples

-

-MaxJobs 100

-MaxJobs 9999

-MaxJobs 0

-

-

Description

-

The MaxJobs directive controls the maximum number
-of jobs that are kept in memory. Once the number of jobs reaches
-the limit, the oldest completed job is automatically purged from
-the system to make room for the new one. If all of the known jobs
-are still pending or active then the new job will be

-rejected.

-

Setting the maximum size to 0 disables this functionality. The

-default setting is 500.

-

CUPS 1.1.7MaxJobsPerPrinter

-

Examples

-

-MaxJobsPerPrinter 100

-MaxJobsPerPrinter 9999

-MaxJobsPerPrinter 0

-

-

Description

-

The MaxJobsPerPrinter directive controls the
-maximum number of active jobs that are allowed for each printer
-or class. Once a printer or class reaches the limit, new jobs
-will be rejected until one of the active jobs is completed,

-stopped, aborted, or canceled.

-

Setting the maximum to 0 disables this functionality. The

-default setting is 0.

-

CUPS 1.1.7MaxJobsPerUser

-

Examples

-

-MaxJobsPerUser 100

-MaxJobsPerUser 9999

-MaxJobsPerUser 0

-

-

Description

-

The MaxJobsPerUser directive controls the maximum
-number of active jobs that are allowed for each user. Once a user
-reaches the limit, new jobs will be rejected until one of the

-active jobs is completed, stopped, aborted, or canceled.

-

Setting the maximum to 0 disables this functionality. The

-default setting is 0.

-

CUPS 1.6/OS X 10.8MaxJobTime

-

Examples

-

-MaxJobTime 10800

-MaxJobTime 3h

-MaxJobTime 180m

-MaxJobTime 0

-

-

Description

-

The MaxJobTime directive controls the maximum number of
-seconds allowed for a job to complete printing before it is considered "stuck".

-The job is canceled automatically if it takes longer than the specified time to complete in seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix).

-

Setting the maximum time to 0 disables this functionality. The default setting is 3h (3 hours).

-

MaxLogSize

-

Examples

-

-MaxLogSize 1048576

-MaxLogSize 1m

-MaxLogSize 0

-

-

Description

-

The MaxLogSize directive controls the maximum
-size of each log file. Once a log file reaches or exceeds the
-maximum size it is closed and renamed to filename.O.
-This allows you to rotate the logs automatically. The default

-size is 1048576 bytes (1MB).

-

Setting the maximum size to 0 disables log rotation.

-

DeprecatedMaxRequestSize

-

Examples

-

-MaxRequestSize 10485760

-MaxRequestSize 10m

-MaxRequestSize 0

-

-

Description

-

The MaxRequestSize directive controls the maximum
-size of print files, IPP requests, and HTML form data in HTTP
-POST requests. The default limit is 0 which disables the limit

-check.

-

This directive is deprecated and will be removed in a
-future CUPS release. Use the <A
-HREF="#LimitRequestBody">LimitRequestBody

-directive instead.

-

CUPS 1.4/OS X 10.6MultipleOperationTimeout

-

Examples

-

-MultipleOperationTimeout 1w

-MultipleOperationTimeout 1d

-MultipleOperationTimeout 1h

-MultipleOperationTimeout 5m

-MultipleOperationTimeout 300

-

-

Description

-

The MultipleOperationTimeout directive sets the maximum amount of time between files in a multi-file print job in seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix).

-

The default is 5m (five minutes).

-

Order

-

Examples

-

-<Location /path>


...
Order Allow,Deny
Order Deny,Allow

-</Location>

-

-

Description

-

The Order directive defines the default access
-control. The following values are supported:

-

• allow,deny - Deny requests by default,
• then check the Allow
• lines followed by the <A

- HREF="#Deny">Deny lines

• deny,allow - Allow requests by default,
• then check the Deny
• lines followed by the <A

- HREF="#Allow">Allow lines

-

-

The Order directive must appear inside a <A
-HREF="#Location">Location or <A

-HREF="#Limit">Limit section.

PageLog

Examples

@@ -1918,184 +301,6 @@ information to the system log instead of a plain file.

-

PageLogFormat

-

Examples

-

-PageLogFormat %p %u %j %T %P %C %{job-billing} %{job-originating-host-name} %{job-name} %{media} %{sides}

-PageLogFormat PAGE %p %u %j %P %C %{job-billing} %{job-originating-host-name}

-

-

Description

-

The PageLogFormat directive sets the format of lines
-that are logged to the page log file. Sequences beginning with percent (%)
-characters are replaced with the corresponding information, while all other
-characters are copied literally. The following percent sequences are

-recognized:

-

-

%%: Inserts a single percent character.

• %{name}: Inserts the value of the specified IPP

- attribute.

-

%C: Inserts the number of copies for the current page.

-

%P: Inserts the current page number.

• %T: Inserts the current date and time in common log

- format.

-

%j: Inserts the job ID.

-

%p: Inserts the printer name.

-

%u: Inserts the username.

-

-

The default is "%p %u %j %T %P %C %{job-billing} %{job-originating-host-name} %{job-name} %{media} %{sides}".

-

CUPS 1.2/OS X 10.5PassEnv

-

Examples

-

-PassEnv MY_ENV_VARIABLE

-

-

Description

-

The PassEnv directive specifies an environment
-variable that should be passed to child processes. Normally, the
-scheduler only passes the DYLD_LIBRARY_PATH,
-LD_ASSUME_KERNEL, LD_LIBRARY_PATH,
-LD_PRELOAD, NLSPATH,
-SHLIB_PATH, TZ, and VGARGS

-environment variables to child processes.

-

CUPS 1.2/OS X 10.5Policy

-

Examples

-

-<Policy name>


<Limit operation ... operation>
...
</Limit>
<Limit operation ... operation>
...
</Limit>
<Limit All>
...
</Limit>

-</Policy>

-

-

Description

-

The Policy directive specifies IPP operation
-access control limits. Each policy contains 1 or more <A
-HREF="#LimitIPP">Limit sections to set the
-access control limits for specific operations - user limits,
-authentication, encryption, and allowed/denied addresses,
-domains, or hosts. The <Limit All> section
-specifies the default access control limits for operations that
-are not listed.

-

Policies are named and associated with printers via the
-printer's operation policy setting
-(printer-op-policy). The default policy for the
-scheduler is specified using the <A
-HREF="#DefaultPolicy">DefaultPolicy
-directive.

-

Port

-

Examples

-

-Port 631

-Port 80

-

-

Description

-

The Port directive specifies a port to listen on.

[michaelrsweet]

-Multiple Port lines can be specified to listen on
-multiple ports. The Port directive is equivalent to

-"Listen *:nnn". The default port is 631.

-

Note:

-

On systems that support IPv6, this directive will bind to both

-the IPv4 and IPv6 wildcard address.

-

-

PreserveJobHistory

-

Examples

-

-PreserveJobHistory On

-PreserveJobHistory Off

-PreserveJobHistory 1w

-PreserveJobHistory 7d

-PreserveJobHistory 168h

-PreserveJobHistory 10080m

-PreserveJobHistory 604800

-

-

Description

-

The PreserveJobHistory directive controls whether the history of completed, canceled, or aborted print jobs is retained by the scheduler. A value of On preserves job information until the administrator purges it with the cancel command. A value of Off removes the job information as soon as each job is completed, canceled, or aborted. Numeric values preserve job information for the specified number of seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix).

-

The default value is On.

-

Note:

-

The MaxJobs, MaxJobsPerPrinter, and MaxJobsPerUser directives can cause job history to be discarded to make room for new jobs.

-

-

PreserveJobFiles

-

Examples

-

-PreserveJobFiles On

-PreserveJobFiles Off

-PreserveJobFiles 1w

-PreserveJobFiles 7d

-PreserveJobFiles 168h

-PreserveJobFiles 10080m

-PreserveJobFiles 604800

-

-

Description

-

The PreserveJobFiles directive controls whether the document files of completed, canceled, or aborted print jobs are retained. Jobs can be restarted (and reprinted) as desired until they are purged.

-

A value of On preserves job files until the administrator purges them with the cancel command. A value of Off removes the job files as soon as each job is completed, canceled, or aborted. Numeric values preserve job files for the specified number of seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix).

-

The default value is 1d (one day).

-

Note:

-

The MaxJobs, MaxJobsPerPrinter, MaxJobsPerUser, and PreserveJobHistory directives can cause job files to be discarded sooner than specified.

-

Printcap

Examples

@@ -2113,7 +318,7 @@ printcap file is automatically generated and updated with a list of available printers. If specified with no value, then no printcap file will be generated. The default is to generate a -file named @CUPS_DEFAUL_PRINTCAP@.

+file named @CUPS_DEFAULT_PRINTCAP@.

When a filename is specified (e.g. @CUPS_DEFAULT_PRINTCAP@), the printcap file is written whenever a printer is added or @@ -2139,22 +344,6 @@ Solaris format on Solaris, and the BSD format on other operating systems.

-

CUPS 1.1.21ReloadTimeout

-

Examples

-

-ReloadTimeout 0

-ReloadTimeout 30

-

-

Description

-

The ReloadTimeout directive specifies the number
-of seconds the scheduler will wait for active jobs to complete

-before doing a restart. The default is 30 seconds.

CUPS 1.1.3RemoteRoot

Examples

@@ -2191,158 +380,6 @@ default request directory is @CUPS_REQUESTS@.

-

CUPS 1.1.7Require

-

Examples

-

-<Location /path>


...
Require group foo bar
Require user john mary
Require valid-user
Require user @groupname
Require user @SYSTEM
Require user @OWNER

-</Location>

-

-

Description

-

The Require directive specifies that
-authentication is required for the resource. The
-group keyword specifies that the authenticated user
-must be a member of one or more of the named groups that
-follow.

-

The user keyword specifies that the
-authenticated user must be one of the named users or groups that
-follow. Group names are specified using the "@" prefix.

-

The valid-user keyword specifies that any
-authenticated user may access the resource.

-

The default is to do no authentication. This directive must
-appear inside a Location or
-Limit section.

-

RIPCache

-

Examples

-

-RIPCache 128m

-RIPCache 1g

-RIPCache 2048k

-

-

Description

-

The RIPCache directive sets the size of the
-memory cache used by Raster Image Processor ("RIP") filters such
-as imagetoraster and pstoraster. The
-size can be suffixed with a "k" for kilobytes, "m" for megabytes,
-or "g" for gigabytes. The default cache size is "128m", or 128
-megabytes.

-

CUPS 1.1.16RootCertDuration

-

Examples

-

-RootCertDuration 0

-RootCertDuration 1w

-RootCertDuration 1d

-RootCertDuration 1h

-RootCertDuration 5m

-RootCertDuration 300

-

-

Description

-

The RootCertDuration directive specifies the amount of time the root certificate remains valid in seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix). The scheduler will generate a new certificate as needed when the given time interval has expired. If set to 0, the root certificate is generated only once on startup or on a restart.

-

The default is 5m (five minutes).

-

CUPS 1.1.7Satisfy

-

Examples

-

-<Location /path>


...
Satisfy all
Satisfy any

-</Location>

-

-

Description

-

The Satisfy directive specifies whether all
-conditions must be satisfied to allow access to the resource. If
-set to all, then all authentication and access

-control conditions must be satisfied to allow access.

-

Setting Satisfy to any allows a user
-to gain access if the authentication or access control
-requirements are satisfied. For example, you might require
-authentication for remote access, but allow local access without

-authentication.

-

The default is all. This directive must appear
-inside a Location or <A

-HREF="#Limit">Limit section.

-

ServerAdmin

-

Examples

-

-ServerAdmin user@host

-ServerAdmin root@foo.bar.com

-

-

Description

-

The ServerAdmin directive identifies the email
-address for the administrator on the system. By default the
-administrator email address is root@server, where
-server is the <A

-HREF="#ServerName">ServerName.

-

CUPS 1.3.10ServerAlias

-

Examples

-

-ServerAlias althost

-ServerAlias foo.example.com

-ServerAlias bar.example.com

-ServerAlias one.example.com two.example.com

-ServerAlias *

-

-

Description

-

The ServerAlias directive specifies alternate names that the server is known by. By default it contains a list of all aliases associated with the ServerName. The special name "*" can be used to allow any hostname when accessing CUPS via an external network interfaces.

-

Note

-

The ServerAlias directive is used for HTTP Host header
-validation when clients connect to the scheduler from external interfaces.
-Using the special name "*" can expose your system to known browser-based
-DNS rebinding attacks, even when accessing sites through a firewall. If the
-auto-discovery of alternate names does not work, we recommend listing each

-alternate name with a ServerAlias directive instead of using "*".

-

ServerBin

Examples

@@ -2401,22 +438,6 @@
/etc/cups/ssl/server.crt.

-

ServerName

-

Examples

-

-ServerName foo.example.com

-ServerName myserver.example.com

-

-

Description

-

The ServerName directive specifies the hostname
-that is reported to clients. By default the server name is the

-hostname.

ServerRoot

Examples

@@ -2434,201 +455,6 @@ default server directory is /etc/cups.

-

CUPS 1.1.21ServerTokens

-

Examples

-

-ServerTokens None

-ServerTokens ProductOnly

-ServerTokens Major

-ServerTokens Minor

-ServerTokens Minimal

-ServerTokens OS

-ServerTokens Full

-

-

Description

-

The ServerTokens directive specifies the
-information that is included in the Server: header
-of all HTTP responses. Table 4 lists the token name along with
-the text that is returned. The default is

-Minimal.

-

-
-
-

-

-
-
-

-

-

-

-

-

-

-

-

-

-

-
-

-
-

-

Table 4: ServerToken Names and Values

Name	Value
None	No Server: header is returned
ProductOnly	"CUPS"
Major	"CUPS 1"
Minor	"CUPS 1.2"
Minimal	"CUPS 1.2.N" where N is the patch release
OS	"CUPS 1.2.N (UNAME)" where N is the patch release and UNAME is the output of the uname(1) command
Full	"CUPS 1.2.N (UNAME) IPP/1.1" where N is the patch release and UNAME is the output of the uname(1) command

-

CUPS 1.2/OS X 10.5SetEnv

-

Examples

-

-SetEnv PATH /usr/lib/cups/filter:/bin:/usr/bin:/usr/local/bin

-SetEnv MY_ENV_VAR foo

-

-

Description

-

The SetEnv directive specifies an environment

-variable that should be passed to child processes.

-

SSLListen

-

Examples

-

-SSLListen 127.0.0.1:443

-SSLListen 192.0.2.1:443

-

-

Description

-

The SSLListen directive specifies a network
-address and port to listen for secure connections. Multiple
-SSLListen directives can be provided to listen on

-multiple addresses.

-

The SSLListen directive is similar to the <A
-HREF="#SSLPort">SSLPort directive but allows you

-to restrict access to specific interfaces or networks.

-

SSLOptions

-

Examples

-

-SSLOptions None

-SSLOptions NoEmptyFragments

-

-

Description

-

The SSLOptions directive specifies additional SSL/TLS
-protocol options to use for encrypted connected. Currently only two
-options are supported - None (the default) for the most
-secure mode and NoEmptyFragments to allow CUPS to work with

-Microsoft Windows with the FIPS conformance mode enabled.

-

SSLPort

-

Examples

-

-SSLPort 443

-

-

Description

-

The SSLPort directive specifies a port to listen
-on for secure connections. Multiple SSLPort lines

-can be specified to listen on multiple ports.

-

CUPS 1.6StrictConformance

-

Examples

-

-StrictConformance No

-StrictConformance Yes

-

-

Description

-

The StrictConformance directive specifies whether the scheduler
-requires strict IPP conformance for client requests, for example to not allow
-document attributes in a Create-Job request. The default is

-No.

-

CUPS 1.5SubscriptionPrivateAccess

-

Examples

-

-SubscriptionPrivateAccess all

-SubscriptionPrivateAccess default

-SubscriptionPrivateAccess {user|@group|@ACL|@OWNER|@SYSTEM}+

-

-

Description

-

The SubscriptionPrivateAccess directive specifies the access list for a
-subscription's private values. The "default" access list is "@owner @System".
-"@acl" maps to the printer's requesting-user-name-allowed or

-requesting-user-name-denied values.

-

The SubscriptionPrivateAccess directive must appear inside a <A

-HREF="#Policy">Policy section.

-

CUPS 1.5SubscriptionPrivateValues

-

Examples

-

-SubscriptionPrivateValues all

-SubscriptionPrivateValues default

-SubscriptionPrivateValues none

-SubscriptionPrivateValues attribute-name-1 [ ... attribute-name-N ]

-

-

Description

-

The SubscriptionPrivateValues directive specifies the list of
-subscription values to make private. The "default" values are "notify-events",
-"notify-pull-method", "notify-recipient-uri", "notify-subscriber-user-name", and

-"notify-user-data".

-

The SubscriptionPrivateValues directive must appear inside a <A

-HREF="#Policy">Policy section.

SystemGroup

Examples

@@ -2676,48 +502,6 @@

-

Timeout

-

Examples

-

-Timeout 1w

-Timeout 1d

-Timeout 1h

-Timeout 5m

-Timeout 300

-

-

Description

-

The Timeout directive controls the amount of time

-to wait before an active HTTP or IPP request times out in seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix).

-

The default timeout is 5m (five minutes).

-

CUPS 1.2/OS X 10.5UseNetworkDefault

-

Examples

-

-UseNetworkDefault yes

-UseNetworkDefault no

-

-

Description

-

The UseNetworkDefault directive controls whether
-the client will use a network/remote printer as a default
-printer. If enabled, the default printer of a server is used as
-the default printer on a client. When multiple servers are
-advertising a default printer, the client's default printer is
-set to the first discovered printer, or to the implicit class for

-the same printer available from multiple servers.

-

The default is @CUPS_USE_NETWORK_DEFAULT@.

User

Examples

@@ -2743,18 +527,5 @@

-

CUPS 1.5WebInterface

-

Examples

-

-WebInterface yes

-WebInterface no

-

-

Description

-

The WebInterface directive specifies whether the web interface is enabled. The default value is @CUPS_WEBIF@.

Index: doc/help/ref-cupsd-conf.html.in

--- doc/help/ref-cupsd-conf.html.in (revision 10708)
+++ doc/help/ref-cupsd-conf.html.in (working copy)
@@ -197,82 +197,6 @@
HREF="#Limit">Limit section.

-

DeprecatedAuthClass

-

Examples

-

-<Location /path>


...
AuthClass Anonymous
AuthClass User
AuthClass System
AuthClass Group

-</Location>

-

-

Description

-

The AuthClass directive defines what level of
-authentication is required:

-

• Anonymous - No authentication should be

- performed (default)

• User - A valid username and password is

- required

• System - A valid username and password
• is required, and the username must belong to the "sys"
• group; this can be changed using the <A
• HREF="#SystemGroup">SystemGroup

- directive

• Group - A valid username and password is
• required, and the username must belong to the group named
• by the <A
• HREF="#AuthGroupName">AuthGroupName

- directive

-

-

The AuthClass directive must appear inside a <A
-HREF="#Location">Location or <A

-HREF="#Limit">Limit section.

-

This directive is deprecated and will be removed from a
-future release of CUPS. Consider using the more flexible <A

-HREF="#Require">Require directive instead.

-

DeprecatedAuthGroupName

-

Examples

-

-<Location /path>


...
AuthGroupName mygroup
AuthGroupName lp

-</Location>

-

-

Description

-

The AuthGroupName directive sets the group to use

-for Group authentication.

-

The AuthGroupName directive must appear inside a
-Location or <A

-HREF="#Limit">Limit section.

-

This directive is deprecated and will be removed from a
-future release of CUPS. Consider using the more flexible <A

-HREF="#Require">Require directive instead.

AuthType

Examples

@@ -2096,49 +2020,6 @@

-

Printcap

-

Examples

-

-Printcap

-Printcap /etc/printcap

-Printcap /etc/printers.conf

-Printcap /Library/Preferences/org.cups.printers.plist

-

-

Description

-

The Printcap directive controls whether or not a
-printcap file is automatically generated and updated with a list
-of available printers. If specified with no value, then no
-printcap file will be generated. The default is to generate a

-file named @CUPS_DEFAUL_PRINTCAP@.

-

When a filename is specified (e.g. @CUPS_DEFAULT_PRINTCAP@),
-the printcap file is written whenever a printer is added or
-removed. The printcap file can then be used by applications that
-are hardcoded to look at the printcap file for the available

-printers.

-

PrintcapFormat

-

Examples

-

-PrintcapFormat BSD

-PrintcapFormat Solaris

-PrintcapFormat plist

-

-

Description

-

The PrintcapFormat directive controls the output format of the
-printcap file. The default is to generate the plist format on OS X, the

-Solaris format on Solaris, and the BSD format on other operating systems.

CUPS 1.1.21ReloadTimeout

Examples

@@ -2155,42 +2036,6 @@ before doing a restart. The default is 30 seconds.

-

CUPS 1.1.3RemoteRoot

-

Examples

-

-RemoteRoot remroot

-RemoteRoot root

-

-

Description

-

The RemoteRoot directive sets the username for
-unauthenticated root requests from remote hosts. The default
-username is remroot. Setting RemoteRoot
-to root effectively disables this security

-mechanism.

-

RequestRoot

-

Examples

-

-RequestRoot /var/spool/cups

-RequestRoot /foo/bar/spool/cups

-

-

Description

-

The RequestRoot directive sets the directory for
-incoming IPP requests and HTML forms. If an absolute path is not
-provided then it is assumed to be relative to the <A
-HREF="#ServerRoot">ServerRoot directory. The

-default request directory is @CUPS_REQUESTS@.

CUPS 1.1.7Require

Examples

@@ -2343,64 +2188,6 @@

-

ServerBin

-

Examples

-

-ServerBin /usr/lib/cups

-ServerBin /foo/bar/lib/cups

-

-

Description

-

The ServerBin directive sets the directory for
-server-run executables. If an absolute path is not provided then
-it is assumed to be relative to the <A
-HREF="#ServerRoot">ServerRoot directory. The
-default executable directory is /usr/lib/cups,
-/usr/lib32/cups, or /usr/libexec/cups

-depending on the operating system.

-

ServerCertificate

-

Examples

-

-ServerCertificate /etc/cups/ssl/server.crt

-

-

Description

-

The ServerCertificate directive specifies the
-location of the SSL certificate file used by the server when
-negotiating encrypted connections. The certificate must not be
-encrypted (password protected) since the scheduler normally runs

-in the background and will be unable to ask for a password.

-

The default certificate file is

-/etc/cups/ssl/server.crt.

-

ServerKey

-

Examples

-

-ServerKey /etc/cups/ssl/server.key

-

-

Description

-

The ServerKey directive specifies the location of
-the SSL private key file used by the server when negotiating

-encrypted connections.

-

The default key file is

-/etc/cups/ssl/server.crt.

ServerName

Examples

@@ -2417,23 +2204,6 @@ hostname.

-

ServerRoot

-

Examples

-

-ServerRoot /etc/cups

-ServerRoot /foo/bar/cups

-

-

Description

-

The ServerRoot directive specifies the absolute
-path to the server configuration and state files. It is also used
-to resolve relative paths in the cupsd.conf file. The

-default server directory is /etc/cups.

CUPS 1.1.21ServerTokens

Examples

@@ -2629,53 +2399,6 @@ HREF="#Policy">Policy section.

-

SystemGroup

-

Examples

-

-SystemGroup lpadmin

-SystemGroup sys

-SystemGroup system

-SystemGroup root

-SystemGroup root lpadmin

-

-

Description

-

The SystemGroup directive specifies the system
-administration group for System authentication.
-Multiple groups can be listed, separated with spaces. The default

-group list is @CUPS_SYSTEM_GROUPS@.

-

TempDir

-

Examples

-

-TempDir /var/tmp

-TempDir /foo/bar/tmp

-

-

Description

-

The TempDir directive specifies an absolute path
-for the directory to use for temporary files. The default

-directory is @CUPS_REQUESTS@/tmp.

-

Temporary directories must be world-writable and should have
-the "sticky" permission bit enabled so that other users cannot
-delete filter temporary files. The following commands will create
-an appropriate temporary directory called

-/foo/bar/tmp:

-

-mkdir /foo/bar/tmp

-chmod a+rwxt /foo/bar/tmp

-

Timeout

Examples

@@ -2696,53 +2419,6 @@

The default timeout is 5m (five minutes).

-

CUPS 1.2/OS X 10.5UseNetworkDefault

-

Examples

-

-UseNetworkDefault yes

-UseNetworkDefault no

-

-

Description

-

The UseNetworkDefault directive controls whether
-the client will use a network/remote printer as a default
-printer. If enabled, the default printer of a server is used as
-the default printer on a client. When multiple servers are
-advertising a default printer, the client's default printer is
-set to the first discovered printer, or to the implicit class for

-the same printer available from multiple servers.

-

The default is @CUPS_USE_NETWORK_DEFAULT@.

-

User

-

Examples

-

-User lp

-User guest

-

-

Description

-

The User directive specifies the UNIX user that
-filter and CGI programs run as. The default user is

-@CUPS_USER@.

-

Note:

-

You may not use user root, as that would expose
-the system to unacceptable security risks. The scheduler will
-automatically choose user nobody if you specify a

-user whose ID is 0.

-

CUPS 1.5WebInterface

Examples

Index: doc/Makefile

--- doc/Makefile (revision 10708)
+++ doc/Makefile (working copy)
@@ -3,7 +3,7 @@

Documentation makefile for CUPS.

-# Copyright 2007-2011 by Apple Inc.
+# Copyright 2007-2012 by Apple Inc.

Copyright 1997-2007 by Easy Software Products.

These coded instructions, statements, and computer programs are the

Property changes on: man

---

Modified: svn:ignore

• *.0
  *.1
  *.1m
  *.3
  *.5
  *.7
  *.8
  *.gz
  *.z
  client.conf.man
  cups-deviced.man
  cups-driverd.man
  cups-lpd.man
  cups-snmp.man
  cupsaddsmb.man
  cupsd.conf.man
  cupsd.man
  lpoptions.man
  mantohtml
• *.0
  *.1
  *.1m
  *.3
  *.5
  *.7
  *.8
  *.gz
  *.z
  client.conf.man
  cups-deviced.man
  cups-driverd.man
  cups-files.conf.man
  cups-lpd.man
  cups-snmp.man
  cupsaddsmb.man
  cupsd.conf.man
  cupsd.man
  lpoptions.man
  mantohtml

Index: man/cupsd.conf.man.in

--- man/cupsd.conf.man.in (revision 10708)
+++ man/cupsd.conf.man.in (working copy)
@@ -12,12 +12,15 @@
." which should have been included with this file. If this file is
." file is missing or damaged, see the license at "http://www.cups.org/".
."
-.TH cupsd.conf 5 "CUPS" "18 May 2012" "Apple Inc."
+.TH cupsd.conf 5 "CUPS" "19 November 2012" "Apple Inc."
.SH NAME
cupsd.conf - server configuration file for cups
.SH DESCRIPTION
The \fIcupsd.conf\fR file configures the CUPS scheduler, \fIcupsd(8)\fR. It
-is normally located in the \fI@CUPS_SERVERROOT@\fR directory.
+is normally located in the \fI@CUPS_SERVERROOT@\fR directory. \fBNote:\fR
+File, directory, and user configuration directives that used to be allowed in
+the \fIcupsd.conf\fR file are now stored in the \fIcups-files.conf(5)\fR instead
+in order to prevent certain types of privilege escalation attacks.
.LP
Each line in the file can be a configuration directive, a blank line,
or a comment. Comment lines start with the # character. The
@@ -27,12 +30,6 @@
The following directives are understood by \fIcupsd(8)\fR. Consult the
on-line help for detailed descriptions:
.TP 5
-AccessLog filename
-.TP 5
-AccessLog syslog
-.br
-Defines the access log filename.
-.TP 5
AccessLogLevel config
.TP 5
AccessLogLevel actions
@@ -61,20 +58,6 @@
.br
Allows access from the named hosts or addresses.
.TP 5
-AuthClass User
-.TP 5
-AuthClass Group
-.TP 5
-AuthClass System
-.br
-Specifies the authentication class (User, Group, System) -
-\fBthis directive is deprecated\fR.
-.TP 5
-AuthGroupName group-name
-.br
-Specifies the authentication group - \fBthis directive is
-deprecated\fR.
-.TP 5
AuthType None
.TP 5
AuthType Basic
@@ -108,7 +91,7 @@
.TP 5
Browsing No
.br
-Specifies whether or not remote printer browsing should be enabled.
+Specifies whether or not shared printers should be advertised.
.TP 5
Classification banner
.br
@@ -121,15 +104,6 @@
Specifies whether to allow users to override the classification
of individual print jobs.
.TP 5
-ConfigFilePerm mode
-.br
-Specifies the permissions for all configuration files that the scheduler
-writes.
-.TP 5
-DataDir path
-.br
-Specified the directory where data files can be found.
-.TP 5
DefaultAuthType Basic
.TP 5
DefaultAuthType BasicDigest
@@ -197,10 +171,6 @@
causes the update to happen as soon as possible, typically within a few
milliseconds.
.TP 5
-DocumentRoot directory
-.br
-Specifies the root directory for the internal web server documents.
-.TP 5
Encryption IfRequested
.TP 5
Encryption Never
@@ -210,28 +180,6 @@
Specifies the level of encryption that is required for a particular
location.
.TP 5
-ErrorLog filename
-.TP 5
-ErrorLog syslog
-.br
-Specifies the error log filename.
-.TP 5
-FatalErrors none
-.TP 5
-FatalErrors all -kind [... -kind]
-.TP 5
-FatalErrors kind [... kind]
-.br
-Specifies which errors are fatal, causing the scheduler to exit. "Kind" is
-"browse", "config", "listen", "log", or "permissions".
-.TP 5
-FileDevice Yes
-.TP 5
-FileDevice No
-.br
-Specifies whether the file pseudo-device can be used for new
-printer queues.
-.TP 5
FilterLimit limit
.br
Specifies the maximum cost of filters that are run concurrently.
@@ -241,15 +189,6 @@
Specifies the scheduling priority ("nice" value) of filters that
are run to print a job.
.TP 5
-FontPath directory[:directory:...]
-.br
-Specifies the search path for fonts.
-.TP 5
-Group group-name-or-number
-.br
-Specifies the group name or ID that will be used when executing
-external programs.
-.TP 5
GSSServiceName name
.br
Specifies the service name when using Kerberos authentication. The default
@@ -341,10 +280,6 @@
Specifies the number of debugging messages that are logged when an error
occurs in a print job.
.TP 5
-LogFilePerm mode
-.br
-Specifies the permissions for all log files that the scheduler writes.
-.TP 5
LogLevel alert
.TP 5
LogLevel crit
@@ -429,12 +364,6 @@
.br
Specifies the order of HTTP access control (allow,deny or deny,allow)
.TP 5
-PageLog filename
-.TP 5
-PageLog syslog
-.br
-Specifies the page log filename.
-.TP 5
PageLogFormat format string
.br
Specifies the format of page log lines.
@@ -464,15 +393,6 @@
Specifies whether or not to preserve the job history after they are
printed.
.TP 5
-Printcap
-.TP 5
-Printcap filename
-.br
-Specifies the filename for a printcap file that is updated
-automatically with a list of available printers (needed for
-legacy applications); specifying Printcap with no filename
-disables printcap generation.
-.TP 5
PrintcapFormat bsd
.TP 5
PrintcapFormat plist
@@ -481,29 +401,11 @@
.br
Specifies the format of the printcap file.
.TP 5
-PrintcapGUI
-.TP 5
-PrintcapGUI gui-program-filename
-.br
-Specifies whether to generate option panel definition files on
-some operating systems. When provided with no program filename,
-disables option panel definition files.
-.TP 5
ReloadTimeout seconds
.br
Specifies the amount of time to wait for job completion before
restarting the scheduler.
.TP 5
-RemoteRoot user-name
-.br
-Specifies the username that is associated with unauthenticated root
-accesses.
-.TP 5
-RequestRoot directory
-.br
-Specifies the directory to store print jobs and other HTTP request
-data.
-.TP 5
Require group group-name-list
.TP 5
Require user user-name-list
@@ -535,27 +437,10 @@
Specifies an alternate name that the server is known by. The special name "*"
allows any name to be used.
.TP 5
-ServerBin directory
-.br
-Specifies the directory where backends, CGIs, daemons, and filters may
-be found.
-.TP 5
-ServerCertificate filename
-.br
-Specifies the encryption certificate to use.
-.TP 5
-ServerKey filename
-.br
-Specifies the encryption key to use.
-.TP 5
ServerName hostname-or-ip-address
.br
Specifies the fully-qualified hostname of the server.
.TP 5
-ServerRoot directory
-.br
-Specifies the directory where the server configuration files can be found.
-.TP 5
ServerTokens Full
.TP 5
ServerTokens Major
@@ -619,29 +504,17 @@
"notify-events", "notify-pull-method", "notify-recipient-uri",
"notify-subscriber-user-name", and "notify-user-data".
.TP 5
-SystemGroup group-name [group-name ...]
-.br
-Specifies the group(s) to use for System class authentication.
-.TP 5
-TempDir directory
-.br
-Specifies the directory where temporary files are stored.
-.TP 5
Timeout seconds
.br
Specifies the HTTP request timeout in seconds.
.TP 5
-User user-name
-.br
-Specifies the user name or ID that is used when running external programs.
-.TP 5
WebInterface yes
.TP 5
WebInterface no
Specifies whether the web interface is enabled.
.SH SEE ALSO
-\fIclasses.conf(5)\fR, \fIcupsd(8)\fR, \fImime.convs(5)\fR,
-\fImime.types(5)\fR, \fIprinters.conf(5)\fR,
+\fIclasses.conf(5)\fR, \fIcups-files.conf(5)\fR, \fIcupsd(8)\fR,
+\fImime.convs(5)\fR, \fImime.types(5)\fR, \fIprinters.conf(5)\fR,
\fIsubscriptions.conf(5)\fR,
.br
http://localhost:631/help

Index: man/cups-files.conf.man.in

--- man/cups-files.conf.man.in (revision 10708)
+++ man/cups-files.conf.man.in (working copy)
@@ -12,17 +12,16 @@
." which should have been included with this file. If this file is
." file is missing or damaged, see the license at "http://www.cups.org/".
."
-.TH cupsd.conf 5 "CUPS" "18 May 2012" "Apple Inc."
+.TH cups-files.conf 5 "CUPS" "19 November 2012" "Apple Inc."
.SH NAME
-cupsd.conf - server configuration file for cups
+cups-files.conf - file and directory configuration file for cups
.SH DESCRIPTION
-The \fIcupsd.conf\fR file configures the CUPS scheduler, \fIcupsd(8)\fR. It
-is normally located in the \fI@CUPS_SERVERROOT@\fR directory.
+The \fIcups-file.conf\fR file configures the files and directories used by the
+CUPS scheduler, \fIcupsd(8)\fR. It is normally located in the
+\fI@CUPS_SERVERROOT@\fR directory.
.LP
Each line in the file can be a configuration directive, a blank line,
-or a comment. Comment lines start with the # character. The
-configuration directives are intentionally similar to those used by the
-popular Apache web server software and are described below.
+or a comment. Comment lines start with the # character.
.SH DIRECTIVES
The following directives are understood by \fIcupsd(8)\fR. Consult the
on-line help for detailed descriptions:
@@ -33,94 +32,6 @@
.br
Defines the access log filename.
.TP 5
-AccessLogLevel config
-.TP 5
-AccessLogLevel actions
-.TP 5
-AccessLogLevel all
-.br
-Specifies the logging level for the AccessLog file.
-.TP 5
-Allow all
-.TP 5
-Allow none
-.TP 5
-Allow host.domain.com
-.TP 5
-Allow .domain.com
-.TP 5
-Allow ip-address
-.TP 5
-Allow ip-address/netmask
-.TP 5
-Allow ip-address/mm
-.TP 5
-Allow @if(name)
-.TP 5
-Allow @Local
-.br
-Allows access from the named hosts or addresses.
-.TP 5
-AuthClass User
-.TP 5
-AuthClass Group
-.TP 5
-AuthClass System
-.br
-Specifies the authentication class (User, Group, System) -
-\fBthis directive is deprecated\fR.
-.TP 5
-AuthGroupName group-name
-.br
-Specifies the authentication group - \fBthis directive is
-deprecated\fR.
-.TP 5
-AuthType None
-.TP 5
-AuthType Basic
-.TP 5
-AuthType BasicDigest
-.TP 5
-AuthType Digest
-.TP 5
-AuthType Negotiate
-.br
-Specifies the authentication type (None, Basic, BasicDigest, Digest, Negotiate)
-.TP 5
-AutoPurgeJobs Yes
-.TP 5
-AutoPurgeJobs No
-.br
-Specifies whether to purge job history data automatically when
-it is no longer required for quotas.
-.TP 5
-BrowseLocalProtocols [All] [DNSSD]
-.br
-Specifies the protocols to use for local printer sharing.
-.TP 5
-BrowseWebIF Yes
-.TP 5
-BrowseWebIF No
-.br
-Specifies whether the CUPS web interface is advertised via DNS-SD.
-.TP 5
-Browsing Yes
-.TP 5
-Browsing No
-.br
-Specifies whether or not remote printer browsing should be enabled.
-.TP 5
-Classification banner
-.br
-Specifies the security classification of the server.
-.TP 5
-ClassifyOverride Yes
-.TP 5
-ClassifyOverride No
-.br
-Specifies whether to allow users to override the classification
-of individual print jobs.
-.TP 5
ConfigFilePerm mode
.br
Specifies the permissions for all configuration files that the scheduler
@@ -130,86 +41,10 @@
.br
Specified the directory where data files can be found.
.TP 5
-DefaultAuthType Basic
-.TP 5
-DefaultAuthType BasicDigest
-.TP 5
-DefaultAuthType Digest
-.TP 5
-DefaultAuthType Negotiate
-.br
-Specifies the default type of authentication to use.
-.TP 5
-DefaultEncryption Never
-.TP 5
-DefaultEncryption IfRequested
-.TP 5
-DefaultEncryption Required
-.br
-Specifies the type of encryption to use for authenticated requests.
-.TP 5
-DefaultLanguage locale
-.br
-Specifies the default language to use for text and web content.
-.TP 5
-DefaultPaperSize Auto
-.TP 5
-DefaultPaperSize None
-.TP 5
-DefaultPaperSize sizename
-.br
-Specifies the default paper size for new print queues. "Auto" uses a locale-
-specific default, while "None" specifies there is no default paper size.
-.TP 5
-DefaultPolicy policy-name
-.br
-Specifies the default access policy to use.
-.TP 5
-DefaultShared Yes
-.TP 5
-DefaultShared No
-.br
-Specifies whether local printers are shared by default.
-.TP 5
-Deny all
-.TP 5
-Deny none
-.TP 5
-Deny host.domain.com
-.TP 5
-Deny *.domain.com
-.TP 5
-Deny ip-address
-.TP 5
-Deny ip-address/netmask
-.TP 5
-Deny ip-address/mm
-.TP 5
-Deny @if(name)
-.TP 5
-Deny @Local
-.br
-Denies access to the named host or address.
-.TP 5
-DirtyCleanInterval seconds
-.br
-Specifies the delay for updating of configuration and state files. A value of 0
-causes the update to happen as soon as possible, typically within a few
-milliseconds.
-.TP 5
DocumentRoot directory
.br
Specifies the root directory for the internal web server documents.
.TP 5
-Encryption IfRequested
-.TP 5
-Encryption Never
-.TP 5
-Encryption Required
-.br
-Specifies the level of encryption that is required for a particular
-location.
-.TP 5
ErrorLog filename
.TP 5
ErrorLog syslog
@@ -232,15 +67,6 @@
Specifies whether the file pseudo-device can be used for new
printer queues.
.TP 5
-FilterLimit limit
-.br
-Specifies the maximum cost of filters that are run concurrently.
-.TP 5
-FilterNice nice-value
-.br
-Specifies the scheduling priority ("nice" value) of filters that
-are run to print a job.
-.TP 5
FontPath directory[:directory:...]
.br
Specifies the search path for fonts.
@@ -250,220 +76,16 @@
Specifies the group name or ID that will be used when executing
external programs.
.TP 5
-GSSServiceName name
-.br
-Specifies the service name when using Kerberos authentication. The default
-service name is "@CUPS_DEFAULT_GSSSERVICENAME@".
-.TP 5
-HostNameLookups On
-.TP 5
-HostNameLookups Off
-.TP 5
-HostNameLookups Double
-.br
-Specifies whether or not to do reverse lookups on client addresses.
-.TP 5
-Include filename
-.br
-Includes the named file.
-.TP 5
-JobKillDelay seconds
-.br
-Specifies the number of seconds to wait before killing the filters and backend
-associated with a canceled or held job.
-.TP 5
-JobPrivateAccess all
-.TP 5
-JobPrivateAccess default
-.TP 5
-JobPrivateAccess {user|@group|@acl|@owner|@System}+
-.br
-Specifies an access list for a job's private values. The "default" access list
-is "@owner @System". "@acl" maps to the printer's requesting-user-name-allowed
-or requesting-user-name-denied values.
-.TP 5
-JobPrivateValues all
-.TP 5
-JobPrivateValues default
-.TP 5
-JobPrivateValues none
-.TP 5
-JobPrivateValues attribute-name-1 [ ... attribute-name-N ]
-Specifies the list of job values to make private. The "default" values are
-"job-name", "job-originating-host-name", and "job-originating-user-name".
-.TP 5
-JobRetryInterval seconds
-.br
-Specifies the interval between retries of jobs in seconds.
-.TP 5
-JobRetryLimit count
-.br
-Specifies the number of retries that are done for jobs.
-.TP 5
-KeepAlive Yes
-.TP 5
-KeepAlive No
-.br
-Specifies whether to support HTTP keep-alive connections.
-.TP 5
-KeepAliveTimeout seconds
-.br
-Specifies the amount of time that connections are kept alive.
-.TP 5
- ...
-.br
-Specifies the IPP operations that are being limited inside a policy.
-.TP 5
- ...
-.TP 5
- ...
-.br
-Specifies the HTTP methods that are being limited inside a location.
-.TP 5
-LimitRequestBody
-.br
-Specifies the maximum size of any print job request.
-.TP 5
-Listen ip-address:port
-.TP 5
-Listen *:port
-.TP 5
-Listen /path/to/domain/socket
-.br
-Listens to the specified address and port or domain socket path.
-.TP 5
-<Location /path> ...
-.br
-Specifies access control for the named location.
-.TP 5
-LogDebugHistory #-messages
-.br
-Specifies the number of debugging messages that are logged when an error
-occurs in a print job.
-.TP 5
LogFilePerm mode
.br
Specifies the permissions for all log files that the scheduler writes.
.TP 5
-LogLevel alert
-.TP 5
-LogLevel crit
-.TP 5
-LogLevel debug2
-.TP 5
-LogLevel debug
-.TP 5
-LogLevel emerg
-.TP 5
-LogLevel error
-.TP 5
-LogLevel info
-.TP 5
-LogLevel none
-.TP 5
-LogLevel notice
-.TP 5
-LogLevel warn
-.br
-Specifies the logging level for the ErrorLog file.
-.TP 5
-LogTimeFormat standard
-.TP 5
-LogTimeFormat usecs
-.br
-Specifies the format of the date and time in the log files.
-.TP 5
-MaxClients number
-.br
-Specifies the maximum number of simultaneous clients to support.
-.TP 5
-MaxClientsPerHost number
-.br
-Specifies the maximum number of simultaneous clients to support from a
-single address.
-.TP 5
-MaxCopies number
-.br
-Specifies the maximum number of copies that a user can print of each job.
-.TP 5
-MaxHoldTime seconds
-.br
-Specifies the maximum time a job may remain in the "indefinite" hold state
-before it is canceled. Set to 0 to disable cancellation of held jobs.
-.TP 5
-MaxJobs number
-.br
-Specifies the maximum number of simultaneous jobs to support.
-.TP 5
-MaxJobsPerPrinter number
-.br
-Specifies the maximum number of simultaneous jobs per printer to support.
-.TP 5
-MaxJobsPerUser number
-.br
-Specifies the maximum number of simultaneous jobs per user to support.
-.TP 5
-MaxJobTime seconds
-.br
-Specifies the maximum time a job may take to print before it is canceled. The
-default is 10800 seconds (3 hours). Set to 0 to disable cancellation of "stuck"
-jobs.
-.TP 5
-MaxLogSize number-bytes
-.br
-Specifies the maximum size of the log files before they are
-rotated (0 to disable rotation)
-.TP 5
-MaxRequestSize number-bytes
-.br
-Specifies the maximum request/file size in bytes (0 for no limit)
-.TP 5
-MultipleOperationTimeout seconds
-.br
-Specifies the maximum amount of time to allow between files in a multiple file
-print job.
-.TP 5
-Order allow,deny
-.TP 5
-Order deny,allow
-.br
-Specifies the order of HTTP access control (allow,deny or deny,allow)
-.TP 5
PageLog filename
.TP 5
PageLog syslog
.br
Specifies the page log filename.
.TP 5
-PageLogFormat format string
-.br
-Specifies the format of page log lines.
-.TP 5
-PassEnv variable [... variable]
-.br
-Passes the specified environment variable(s) to child processes.
-.TP 5
- ...
-.br
-Specifies access control for the named policy.
-.TP 5
-Port number
-.br
-Specifies a port number to listen to for HTTP requests.
-.TP 5
-PreserveJobFiles Yes
-.TP 5
-PreserveJobFiles No
-.br
-Specifies whether or not to preserve job files after they are printed.
-.TP 5
-PreserveJobHistory Yes
-.TP 5
-PreserveJobHistory No
-.br
-Specifies whether or not to preserve the job history after they are
-printed.
-.TP 5
Printcap
.TP 5
Printcap filename
@@ -473,27 +95,6 @@
legacy applications); specifying Printcap with no filename
disables printcap generation.
.TP 5
-PrintcapFormat bsd
-.TP 5
-PrintcapFormat plist
-.TP 5
-PrintcapFormat solaris
-.br
-Specifies the format of the printcap file.
-.TP 5
-PrintcapGUI
-.TP 5
-PrintcapGUI gui-program-filename
-.br
-Specifies whether to generate option panel definition files on
-some operating systems. When provided with no program filename,
-disables option panel definition files.
-.TP 5
-ReloadTimeout seconds
-.br
-Specifies the amount of time to wait for job completion before
-restarting the scheduler.
-.TP 5
RemoteRoot user-name
.br
Specifies the username that is associated with unauthenticated root
@@ -504,37 +105,6 @@
Specifies the directory to store print jobs and other HTTP request
data.
.TP 5
-Require group group-name-list
-.TP 5
-Require user user-name-list
-.TP 5
-Require valid-user
-.br
-Specifies that user or group authentication is required.
-.TP 5
-RIPCache bytes
-.br
-Specifies the maximum amount of memory to use when converting images
-and PostScript files to bitmaps for a printer.
-.TP 5
-Satisfy all
-.TP 5
-Satisfy any
-.br
-Specifies whether all or any limits set for a Location must be
-satisfied to allow access.
-.TP 5
-ServerAdmin user@domain.com
-.br
-Specifies the email address of the server administrator.
-.TP 5
-ServerAlias hostname [... hostname]
-.TP 5
-ServerAlias *
-.br
-Specifies an alternate name that the server is known by. The special name ""
-allows any name to be used.
-.TP 5
ServerBin directory
.br
Specifies the directory where backends, CGIs, daemons, and filters may
@@ -548,77 +118,10 @@
.br
Specifies the encryption key to use.
.TP 5
-ServerName hostname-or-ip-address
-.br
-Specifies the fully-qualified hostname of the server.
-.TP 5
ServerRoot directory
.br
Specifies the directory where the server configuration files can be found.
.TP 5
-ServerTokens Full
-.TP 5
-ServerTokens Major
-.TP 5
-ServerTokens Minimal
-.TP 5
-ServerTokens Minor
-.TP 5
-ServerTokens None
-.TP 5
-ServerTokens OS
-.TP 5
-ServerTokens ProductOnly
-.br
-Specifies what information is included in the Server header of HTTP
-responses.
-.TP 5
-SetEnv variable value
-.br
-Set the specified environment variable to be passed to child processes.
-.TP 5
-SSLListen
-.br
-Listens on the specified address and port for encrypted connections.
-.TP 5
-SSLOptions None
-.TP 5
-SSLOptions NoEmptyFragments
-.br
-Sets SSL/TLS protocol options for encrypted connections.
-.TP 5
-SSLPort
-.br
-Listens on the specified port for encrypted connections.
-.TP 5
-StrictConformance Yes
-.TP 5
-StrictConformance No
-.br
-Specifies whether the scheduler requires clients to strictly adhere to the IPP
-specifications. The default is No.
-.TP 5
-SubscriptionPrivateAccess all
-.TP 5
-SubscriptionPrivateAccess default
-.TP 5
-SubscriptionPrivateAccess {user|@group|@acl|@owner|@System}+
-.br
-Specifies an access list for a subscription's private values. The "default"
-access list is "@owner @System". "@acl" maps to the printer's
-requesting-user-name-allowed or requesting-user-name-denied values.
-.TP 5
-SubscriptionPrivateValues all
-.TP 5
-SubscriptionPrivateValues default
-.TP 5
-SubscriptionPrivateValues none
-.TP 5
-SubscriptionPrivateValues attribute-name-1 [ ... attribute-name-N ]
-Specifies the list of job values to make private. The "default" values are
-"notify-events", "notify-pull-method", "notify-recipient-uri",
-"notify-subscriber-user-name", and "notify-user-data".
-.TP 5
SystemGroup group-name [group-name ...]
.br
Specifies the group(s) to use for System class authentication.
@@ -627,20 +130,11 @@
.br
Specifies the directory where temporary files are stored.
.TP 5
-Timeout seconds
-.br
-Specifies the HTTP request timeout in seconds.
-.TP 5
User user-name
.br
Specifies the user name or ID that is used when running external programs.
-.TP 5
-WebInterface yes
-.TP 5
-WebInterface no
-Specifies whether the web interface is enabled.
.SH SEE ALSO
-\fIclasses.conf(5)\fR, \fIcupsd(8)\fR, \fImime.convs(5)\fR,
+\fIclasses.conf(5)\fR, \fIcupsd(8)\fR, \fIcupsd.conf(5)\fR, \fImime.convs(5)\fR,
\fImime.types(5)\fR, \fIprinters.conf(5)\fR,
\fIsubscriptions.conf(5)\fR,
.br

Index: man/Makefile

--- man/Makefile (revision 10708)
+++ man/Makefile (working copy)
@@ -39,6 +39,7 @@
ppdpo.$(MAN1EXT)
MAN5 = classes.conf.$(MAN5EXT)
client.conf.$(MAN5EXT) \

•   cups-files.conf.$(MAN5EXT) \
  cups-snmp.conf.$(MAN5EXT) \
  cupsd.conf.$(MAN5EXT) \
  ipptoolfile.$(MAN5EXT) \
  

  Index: test/run-stp-tests.sh

  --- test/run-stp-tests.sh (revision 10708)
  +++ test/run-stp-tests.sh (working copy)
  @@ -390,26 +390,11 @@
  cat >/tmp/cups-$user/cupsd.conf <<EOF
  StrictConformance Yes
  Browsing Off
  -FileDevice yes
  -Printcap
  Listen localhost:$port
  -User $user
  -ServerRoot /tmp/cups-$user
  -StateDir /tmp/cups-$user
  -ServerBin /tmp/cups-$user/bin
  -CacheDir /tmp/cups-$user/share
  -DataDir /tmp/cups-$user/share
  -FontPath /tmp/cups-$user/share/fonts
  PassEnv LOCALEDIR
  PassEnv DYLD_INSERT_LIBRARIES
  -DocumentRoot $root/doc
  -RequestRoot /tmp/cups-$user/spool
  -TempDir /tmp/cups-$user/spool/temp
  MaxSubscriptions 3
  MaxLogSize 0
  -AccessLog /tmp/cups-$user/log/access_log
  -ErrorLog /tmp/cups-$user/log/error_log
  -PageLog /tmp/cups-$user/log/page_log
  AccessLogLevel actions
  LogLevel debug2
  LogTimeFormat usecs
  @@ -422,6 +407,24 @@
  
  EOF

+cat >/tmp/cups-$user/cups-files.conf <<EOF
+FileDevice yes
+Printcap
+User $user
+ServerRoot /tmp/cups-$user
+StateDir /tmp/cups-$user
+ServerBin /tmp/cups-$user/bin
+CacheDir /tmp/cups-$user/share
+DataDir /tmp/cups-$user/share
+FontPath /tmp/cups-$user/share/fonts
+DocumentRoot $root/doc
+RequestRoot /tmp/cups-$user/spool
+TempDir /tmp/cups-$user/spool/temp
+AccessLog /tmp/cups-$user/log/access_log
+ErrorLog /tmp/cups-$user/log/error_log
+PageLog /tmp/cups-$user/log/page_log
+EOF
+

Setup lots of test queues - half with PPD files, half without...

Index: configure.in

--- configure.in (revision 10708)
+++ configure.in (working copy)
@@ -60,6 +60,7 @@
AC_SUBST(UNINSTALL_LANGUAGES)

AC_OUTPUT(Makedefs

• conf/cups-files.conf
  

  conf/cupsd.conf
  conf/mime.convs
  conf/pam.std
  @@ -73,6 +74,7 @@
  man/client.conf.man
  man/cups-deviced.man
  man/cups-driverd.man

• man/cups-files.conf.man
  

  man/cups-lpd.man
  man/cups-snmp.man
  man/cupsaddsmb.man
  Index: scheduler/conf.c

  --- scheduler/conf.c (revision 10708)
  +++ scheduler/conf.c (working copy)
  @@ -14,23 +14,25 @@
  *
  • Contents:
    *
• * cupsdAddAlias() - Add a host alias.
• * cupsdAddAlias() - Add a host alias.
  • cupsdCheckPermissions() - Fix the mode and ownership of a file or
• * directory.
• * directory.
  • cupsdDefaultAuthType() - Get the default AuthType.
  • cupsdFreeAliases() - Free all of the alias entries.
  • cupsdReadConfiguration() - Read the cupsd.conf file.
• * get_address() - Get an address + port number from a line.
• * get_address() - Get an address + port number from a line.
  • get_addr_and_mask() - Get an IP address and netmask.
• * mime_error_cb() - Log a MIME error.
• * parse_aaa() - Parse authentication, authorization, and access
• * control lines.
• * mime_error_cb() - Log a MIME error.
• * parse_aaa() - Parse authentication, authorization, and access
• * control lines.
  • parse_fatal_errors() - Parse FatalErrors values in a string.
• * parse_groups() - Parse system group names in a string.
• * parse_protocols() - Parse browse protocols in a string.
• * read_configuration() - Read a configuration file.
• * read_location() - Read a definition.
• * read_policy() - Read a definition.
• * parse_groups() - Parse system group names in a string.
• * parse_protocols() - Parse browse protocols in a string.
• * parse_variable() - Parse a variable line.
• * read_cupsd_conf() - Read the cupsd.conf configuration file.
• * read_cups_files_conf() - Read the cups-files.conf configuration file.
• * read_location() - Read a definition.
• * read_policy() - Read a definition.
  • set_policy_defaults() - Set default policy values as needed.
    */

@@ -83,35 +85,25 @@

• Local globals...
  */

-static int default_auth_type = CUPSD_AUTH_AUTO;

•               /\* Default AuthType, if not specified */
  

  -static const cupsd_var_t variables[] =
  +static const cupsd_var_t cupsd_vars[] =
  {
• { "AccessLog", &AccessLog, CUPSD_VARTYPE_STRING },
  { "AutoPurgeJobs", &JobAutoPurge, CUPSD_VARTYPE_BOOLEAN },
  #if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
  { "BrowseDNSSDSubTypes", &DNSSDSubTypes, CUPSD_VARTYPE_STRING },
  #endif /* HAVE_DNSSD || HAVE_AVAHI */
  { "BrowseWebIF", &BrowseWebIF, CUPSD_VARTYPE_BOOLEAN },
  { "Browsing", &Browsing, CUPSD_VARTYPE_BOOLEAN },
• { "CacheDir", &CacheDir, CUPSD_VARTYPE_STRING },
  { "Classification", &Classification, CUPSD_VARTYPE_STRING },
  { "ClassifyOverride", &ClassifyOverride, CUPSD_VARTYPE_BOOLEAN },
• { "ConfigFilePerm", &ConfigFilePerm, CUPSD_VARTYPE_INTEGER },
• { "DataDir", &DataDir, CUPSD_VARTYPE_STRING },
  { "DefaultLanguage", &DefaultLanguage, CUPSD_VARTYPE_STRING },
  { "DefaultLeaseDuration", &DefaultLeaseDuration, CUPSD_VARTYPE_TIME },
  { "DefaultPaperSize", &DefaultPaperSize, CUPSD_VARTYPE_STRING },
  { "DefaultPolicy", &DefaultPolicy, CUPSD_VARTYPE_STRING },
  { "DefaultShared", &DefaultShared, CUPSD_VARTYPE_BOOLEAN },
  { "DirtyCleanInterval", &DirtyCleanInterval, CUPSD_VARTYPE_TIME },
• { "DocumentRoot", &DocumentRoot, CUPSD_VARTYPE_STRING },
• { "ErrorLog", &ErrorLog, CUPSD_VARTYPE_STRING },
  { "ErrorPolicy", &ErrorPolicy, CUPSD_VARTYPE_STRING },
• { "FileDevice", &FileDevice, CUPSD_VARTYPE_BOOLEAN },
  { "FilterLimit", &FilterLimit, CUPSD_VARTYPE_INTEGER },
  { "FilterNice", &FilterNice, CUPSD_VARTYPE_INTEGER },
• { "FontPath", &FontPath, CUPSD_VARTYPE_STRING },
  #ifdef HAVE_GSSAPI
  { "GSSServiceName", &GSSServiceName, CUPSD_VARTYPE_STRING },
  #endif /* HAVE_GSSAPI */
  @@ -126,8 +118,6 @@
  { "LimitRequestBody", &MaxRequestSize, CUPSD_VARTYPE_INTEGER },
  { "ListenBackLog", &ListenBackLog, CUPSD_VARTYPE_INTEGER },
  { "LogDebugHistory", &LogDebugHistory, CUPSD_VARTYPE_INTEGER },
• { "LogFilePerm", &LogFilePerm, CUPSD_VARTYPE_INTEGER },
• { "LPDConfigFile", &LPDConfigFile, CUPSD_VARTYPE_STRING },
  { "MaxActiveJobs", &MaxActiveJobs, CUPSD_VARTYPE_INTEGER },
  { "MaxClients", &MaxClients, CUPSD_VARTYPE_INTEGER },
  { "MaxClientsPerHost", &MaxClientsPerHost, CUPSD_VARTYPE_INTEGER },
  @@ -146,17 +136,34 @@
  { "MaxSubscriptionsPerPrinter",&MaxSubscriptionsPerPrinter, CUPSD_VARTYPE_INTEGER },
  { "MaxSubscriptionsPerUser", &MaxSubscriptionsPerUser, CUPSD_VARTYPE_INTEGER },
  { "MultipleOperationTimeout", &MultipleOperationTimeout, CUPSD_VARTYPE_TIME },
• { "PageLog", &PageLog, CUPSD_VARTYPE_STRING },
  { "PageLogFormat", &PageLogFormat, CUPSD_VARTYPE_STRING },
  { "PreserveJobFiles", &JobFiles, CUPSD_VARTYPE_TIME },
  { "PreserveJobHistory", &JobHistory, CUPSD_VARTYPE_TIME },
• { "Printcap", &Printcap, CUPSD_VARTYPE_STRING },
  { "ReloadTimeout", &ReloadTimeout, CUPSD_VARTYPE_TIME },
  { "RemoteRoot", &RemoteRoot, CUPSD_VARTYPE_STRING },
• { "RequestRoot", &RequestRoot, CUPSD_VARTYPE_STRING },
  { "RIPCache", &RIPCache, CUPSD_VARTYPE_STRING },
  { "RootCertDuration", &RootCertDuration, CUPSD_VARTYPE_TIME },
  { "ServerAdmin", &ServerAdmin, CUPSD_VARTYPE_STRING },
• { "ServerName", &ServerName, CUPSD_VARTYPE_STRING },
• { "StrictConformance", &StrictConformance, CUPSD_VARTYPE_BOOLEAN },
• { "Timeout", &Timeout, CUPSD_VARTYPE_TIME },
• { "WebInterface", &WebInterface, CUPSD_VARTYPE_BOOLEAN }
  +};
  +static const cupsd_var_t cupsfiles_vars[] =
  +{
• { "AccessLog", &AccessLog, CUPSD_VARTYPE_STRING },
• { "CacheDir", &CacheDir, CUPSD_VARTYPE_STRING },
• { "ConfigFilePerm", &ConfigFilePerm, CUPSD_VARTYPE_INTEGER },
• { "DataDir", &DataDir, CUPSD_VARTYPE_STRING },
• { "DocumentRoot", &DocumentRoot, CUPSD_VARTYPE_STRING },
• { "ErrorLog", &ErrorLog, CUPSD_VARTYPE_STRING },
• { "FileDevice", &FileDevice, CUPSD_VARTYPE_BOOLEAN },
• { "FontPath", &FontPath, CUPSD_VARTYPE_STRING },
• { "LogFilePerm", &LogFilePerm, CUPSD_VARTYPE_INTEGER },
• { "LPDConfigFile", &LPDConfigFile, CUPSD_VARTYPE_STRING },
• { "PageLog", &PageLog, CUPSD_VARTYPE_STRING },
• { "Printcap", &Printcap, CUPSD_VARTYPE_STRING },
• { "RequestRoot", &RequestRoot, CUPSD_VARTYPE_STRING },
  { "ServerBin", &ServerBin, CUPSD_VARTYPE_PATHNAME },
  #ifdef HAVE_SSL
  { "ServerCertificate", &ServerCertificate, CUPSD_VARTYPE_PATHNAME },
  @@ -164,20 +171,17 @@
  { "ServerKey", &ServerKey, CUPSD_VARTYPE_PATHNAME },

endif /* HAVE_LIBSSL || HAVE_GNUTLS _/

#endif /_ HAVE_SSL */

• { "ServerName", &ServerName, CUPSD_VARTYPE_STRING },
  { "ServerRoot", &ServerRoot, CUPSD_VARTYPE_PATHNAME },
  { "SMBConfigFile", &SMBConfigFile, CUPSD_VARTYPE_STRING },
  { "StateDir", &StateDir, CUPSD_VARTYPE_STRING },
• { "StrictConformance", &StrictConformance, CUPSD_VARTYPE_BOOLEAN },
  #ifdef HAVE_AUTHORIZATION_H
  { "SystemGroupAuthKey", &SystemGroupAuthKey, CUPSD_VARTYPE_STRING },
  #endif /* HAVE_AUTHORIZATION_H */
• { "TempDir", &TempDir, CUPSD_VARTYPE_PATHNAME },
• { "Timeout", &Timeout, CUPSD_VARTYPE_TIME },
• { "WebInterface", &WebInterface, CUPSD_VARTYPE_BOOLEAN }
• { "TempDir", &TempDir, CUPSD_VARTYPE_PATHNAME }
  };
  -#define NUM_VARS (sizeof(variables) / sizeof(variables[0]))

+static int default_auth_type = CUPSD_AUTH_AUTO;

•               /* Default AuthType, if not specified */
  

  static const unsigned ones[4] =
  {
  @@ -202,7 +206,12 @@
  static int parse_fatal_errors(const char *s);
  static int parse_groups(const char *s);
  static int parse_protocols(const char *s);
  -static int read_configuration(cups_file_t *fp);
  +static int parse_variable(const char *filename, int linenum,

•                      const char *line, const char *value,
  

•                      size_t num_vars,
  

•                      const cupsd_var_t *vars);
  

  +static int read_cupsd_conf(cups_file_t *fp);
  +static int read_cups_files_conf(cups_file_t *fp);
  static int read_location(cups_file_t *fp, char *name, int linenum);
  static int read_policy(cups_file_t *fp, char *name, int linenum);
  static void set_policy_defaults(cupsd_policy_t *pol);
  @@ -778,22 +787,48 @@
  cupsdInitEnv();

  /*

• * Read the configuration file...

• • Read the cups-files.conf file...
    */

• if ((fp = cupsFileOpen(CupsFilesFile, "r")) != NULL)

• {

• status = read_cups_files_conf(fp);

• cupsFileClose(fp);

• if (!status)

•  return (0);
  

• }
• else if (errno == ENOENT)
• cupsdLogMessage(CUPSD_LOG_INFO, "No %s, using defaults.", CupsFilesFile);
• else
• {
• cupsdLogMessage(CUPSD_LOG_CRIT, "Unable to open %s: %s", CupsFilesFile,

•                strerror(errno));
  

• return (0);
• }

• if (!ErrorLog)
• cupsdSetString(&ErrorLog, CUPS_LOGDIR "/error_log");

• /*
• * Read the cupsd.conf file...
• */

if ((fp = cupsFileOpen(ConfigurationFile, "r")) == NULL)

• {
• cupsdLogMessage(CUPSD_LOG_CRIT, "Unable to open %s: %s", ConfigurationFile,

•                strerror(errno));
  

  return (0);
• }
• status = read_configuration(fp);
• status = read_cupsd_conf(fp);

cupsFileClose(fp);

if (!status)
return (0);

• if (!ErrorLog)

- cupsdSetString(&ErrorLog, CUPS_LOGDIR "/error_log");

RunUser = getuid();

cupsdLogMessage(CUPSD_LOG_INFO, "Remote access is %s.",
@@ -2548,13 +2583,244 @@

/*

• * 'read_configuration()' - Read a configuration file.

• • 'parse_variable()' - Parse a variable line.
    */

  static int /* O - 1 on success, 0 on failure /
  -read_configuration(cups_file_t *fp) / I - File to read from */
  +parse_variable(

• const char filename, / I - Name of configuration file */

• int linenum, /* I - Line in configuration file */

• const char line, / I - Line from configuration file */

• const char value, / I - Value from configuration file */

• size_t num_vars, /* I - Number of variables */

• const cupsd_var_t vars) / I - Variables */
  {

• int i; /* Looping var */

• size_t i; /* Looping var */

• const cupsd_var_t var; / Variables */

• char temp[1024]; /* Temporary string */

• for (i = num_vars, var = vars; i > 0; i --, var ++)
• if (!_cups_strcasecmp(line, var->name))

•  break;
  
• if (i == 0)
• {
• /*
• * Unknown directive! Output an error message and continue...
• */

• if (!value)

•  cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

• else

•  cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.",
  

•         line, linenum, filename);
  
• return (0);
• }

• switch (var->type)
• {
• case CUPSD_VARTYPE_INTEGER :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing integer value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

•      return (0);
  

• }
• else if (!isdigit(*value & 255))
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Bad integer value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

•      return (0);
  

• }
• else
• {

• int   n;      /\* Number */
  

• char  _units;     /_ Units */
  

[michaelrsweet]

• n = strtol(value, &units, 0);
  

• if (units && *units)
  

• {
  

•   if (tolower(units[0] & 255) == 'g')
  

•     n *= 1024 \* 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'm')
  

•     n *= 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'k')
  

•     n *= 1024;
  

•   else if (tolower(units[0] & 255) == 't')
  

•     n *= 262144;
  

•   else
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "Unknown integer value for %s on line %d of %s.",
  

•             line, linenum, filename);
  

•     return (0);
  

•   }
  

• }
  

• if (n < 0)
  

• {
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•           "Bad negative integer value for %s on line %d of "
  

•           "%s.", line, linenum, filename);
  

•   return (0);
  

• }
  

• else
  

• {
  

•   *((int *)var->ptr) = n;
  

• }
  

• }
• break;

• case CUPSD_VARTYPE_TIME :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing time interval value for %s on line %d of "
  

•         "%s.", line, linenum, filename);
  

• return (0);
  

• }
• else if (!_cups_strncasecmp(line, "PreserveJob", 11) &&

•    (!_cups_strcasecmp(value, "true") ||
  

•     !_cups_strcasecmp(value, "on") ||
  

•     !_cups_strcasecmp(value, "enabled") ||
  

•     !_cups_strcasecmp(value, "yes")))
  

• {

• *((int *)var->ptr) = INT_MAX;
  

• }
• else if (!_cups_strcasecmp(value, "false") ||

•    !_cups_strcasecmp(value, "off") ||
  

•    !_cups_strcasecmp(value, "disabled") ||
  

•    !_cups_strcasecmp(value, "no"))
  

• {

• *((int *)var->ptr) = 0;
  

• }
• else if (!isdigit(*value & 255))
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Unknown time interval value for %s on line %d of "
  

•         "%s.", line, linenum, filename);
  

•      return (0);
  

• }
• else
• {

• double    n;      /\* Number */
  

• char      _units;     /_ Units */
  

• n = strtod(value, &units);
  

• if (units && *units)
  

• {
  

•   if (tolower(units[0] & 255) == 'w')
  

•     n *= 7 \* 24 \* 60 \* 60;
  

•   else if (tolower(units[0] & 255) == 'd')
  

•     n *= 24 \* 60 \* 60;
  

•   else if (tolower(units[0] & 255) == 'h')
  

•     n *= 60 \* 60;
  

•   else if (tolower(units[0] & 255) == 'm')
  

•     n *= 60;
  

•   else
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "Unknown time interval value for %s on line "
  

•             "%d of %s.", line, linenum, filename);
  

•     return (0);
  

•   }
  

• }
  

• if (n < 0.0 || n > INT_MAX)
  

• {
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•           "Bad time value for %s on line %d of %s.",
  

•           line, linenum, filename);
  

•   return (0);
  

• }
  

• else
  

• {
  

•   *((int *)var->ptr) = (int)n;
  

• }
  

• }
• break;

• case CUPSD_VARTYPE_BOOLEAN :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing boolean value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

• return (0);
  

• }
• else if (!_cups_strcasecmp(value, "true") ||

•    !_cups_strcasecmp(value, "on") ||
  

•    !_cups_strcasecmp(value, "enabled") ||
  

•    !_cups_strcasecmp(value, "yes") ||
  

•    atoi(value) != 0)
  

• {

• *((int *)var->ptr) = TRUE;
  

• }
• else if (!_cups_strcasecmp(value, "false") ||

•    !_cups_strcasecmp(value, "off") ||
  

•    !_cups_strcasecmp(value, "disabled") ||
  

•    !_cups_strcasecmp(value, "no") ||
  

•    !_cups_strcasecmp(value, "0"))
  

• {

• *((int *)var->ptr) = FALSE;
  

• }
• else
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Unknown boolean value %s on line %d of %s.",
  

•         value, linenum, filename);
  

• return (0);
  

• }
• break;

• case CUPSD_VARTYPE_PATHNAME :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing pathname value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

• return (0);
  

• }

• if (value[0] == '/')

• strlcpy(temp, value, sizeof(temp));
  

• else

• snprintf(temp, sizeof(temp), "%s/%s", ServerRoot, value);
  
• if (access(temp, 0))
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "File or directory for \"%s %s\" on line %d of %s "
  

•         "does not exist.", line, value, linenum, filename);
  

• return (0);
  

• }

• cupsdSetString((char **)var->ptr, temp);
• break;

• case CUPSD_VARTYPE_STRING :
• cupsdSetString((char **)var->ptr, value);
• break;
• }

• return (1);
  +}

+/*

• * 'read_cupsd_conf()' - Read the cupsd.conf configuration file.
• /
  +
  +static int / O - 1 on success, 0 on failure /
  +read_cupsd_conf(cups_file_t *fp) / I - File to read from /
  +{
  int linenum; / Current line number /
  char line[HTTP_MAX_BUFFER],
  / Line from file /
  @@ -2563,12 +2829,10 @@
  *value, / Pointer to value /
  *valueptr; / Pointer into value /
  int valuelen; / Length of value */
• cupsd_var_t const var; / Current variable /
  http_addrlist_t *addrlist, / Address list /
  *addr; / Current address /
  cups_file_t *incfile; / Include file /
  char incname[1024]; / Include filename */
• struct group group; / Group */

/*
@@ -2600,7 +2864,7 @@
incname, strerror(errno));
else
{

•    read_configuration(incfile);
  

•    read_cupsd_conf(incfile);
  

  cupsFileClose(incfile);
  }
  }
  @@ -2624,8 +2888,6 @@
  if (linenum == 0)
  return (0);
  }

• else if (!_cups_strcasecmp(line, "FatalErrors"))

•  FatalErrors = parse_fatal_errors(value);
  

  else if (!_cups_strcasecmp(line, "FaxRetryInterval") && value)
  {
  JobRetryInterval = atoi(value);
  @@ -2769,10 +3031,10 @@

  BrowseLocalProtocols = protocols;
  }

• else if (!_cups_strcasecmp(line, "default_auth_type") && value)

• else if (!_cups_strcasecmp(line, "DefaultAuthType") && value)
  {
  /*

•  \* default_auth_type {basic,digest,basicdigest,negotiate}
  

•  * DefaultAuthType {basic,digest,basicdigest,negotiate}
  

  */

  if (!_cups_strcasecmp(value, "none"))
  @@ -2821,81 +3083,6 @@
  }
  }
  #endif /* HAVE_SSL */

• else if (!_cups_strcasecmp(line, "User") && value)

• {

• /*
  

•  \* User ID to run as...
  

- */

•  if (isdigit(value[0] & 255))
  

•  {
  

- int uid = atoi(value);

• if (!uid)

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Will not use User 0 as specified on line %d "
  

•         "for security reasons.  You must use a non-"
  

•         "privileged account instead.",
  

•                 linenum);
  

•    else
  

• User = atoi(value);
  

•  }
  

•  else
  

•  {
  

- struct passwd p; / Password information */

•    endpwent();
  

- p = getpwnam(value);

• if (p)
• {

• if (!p->pw_uid)
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Will not use User %s (UID=0) as specified on line "
  

•           "%d for security reasons.  You must use a non-"
  

•           "privileged account instead.",
  

•                   value, linenum);
  

• else
  

•   User = p->pw_uid;
  

• }
• else

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown User \"%s\" on line %d, ignoring.",
  

•                 value, linenum);
  

•  }
  

• }
• else if (!_cups_strcasecmp(line, "Group") && value)
• {

• /*
  

•  \* Group ID to run as...
  

- */

•  if (isdigit(value[0]))
  

•    Group = atoi(value);
  

•  else
  

•  {
  

•    endgrent();
  

- group = getgrnam(value);

• if (group != NULL)

• Group = group->gr_gid;
  

• else

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown Group \"%s\" on line %d, ignoring.",
  

•                 value, linenum);
  

•  }
  

• }
• else if (!_cups_strcasecmp(line, "SystemGroup") && value)
• {

• /*
  

•  \* SystemGroup (admin) group(s)...
  

- */

•  if (!parse_groups(value))
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown SystemGroup \"%s\" on line %d, ignoring.",
  

•               value, linenum);
  

• }
  else if (!_cups_strcasecmp(line, "HostNameLookups") && value)
  {
  /*
  @@ -2974,22 +3161,6 @@
  cupsdLogMessage(CUPSD_LOG_WARN, "Unknown LogTimeFormat %s on line %d.",
  value, linenum);
  }
• else if (!_cups_strcasecmp(line, "PrintcapFormat") && value)
• {

• /*
  

•  \* Format of printcap file?
  

- */

•  if (!_cups_strcasecmp(value, "bsd"))
  

•    PrintcapFormat = PRINTCAP_BSD;
  

•  else if (!_cups_strcasecmp(value, "plist"))
  

•    PrintcapFormat = PRINTCAP_PLIST;
  

•  else if (!_cups_strcasecmp(value, "solaris"))
  

•    PrintcapFormat = PRINTCAP_SOLARIS;
  

•  else
  

• cupsdLogMessage(CUPSD_LOG_WARN, "Unknown PrintcapFormat %s on line %d.",

•               value, linenum);
  

• }
  else if (!_cups_strcasecmp(line, "ServerTokens") && value)
  {
  /*
  @@ -3116,181 +3287,158 @@
  }
  #endif /* HAVE_SSL */
  else

• {

• /*
  

•  \* Find a simple variable in the list...
  

•  */
  

•  parse_variable(ConfigurationFile, linenum, line, value,
  

•                 sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars);
  

• }

•  for (i = NUM_VARS, var = variables; i > 0; i --, var ++)
  

•    if (!_cups_strcasecmp(line, var->name))
  

• break;
  

• return (1);
  +}

•  if (i == 0)
  

•  {
  

•   /*
  

•    \* Unknown directive!  Output an error message and continue...
  

• */

•    if (!value)
  

• cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d.",
  

•                 line, linenum);
  

• else

• cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d.",
  

•                 line, linenum);
  

•    continue;
  

•  }
  

  +/*

• * 'read_cups_files_conf()' - Read the cups-files.conf configuration file.

• */

•  switch (var->type)
  

•  {
  

•    case CUPSD_VARTYPE_INTEGER :
  

•   if (!value)
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing integer value for %s on line %d.",
  

•             line, linenum);
  

•   else if (!isdigit(*value & 255))
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Bad integer value for %s on line %d.",
  

•             line, linenum);
  

•   else
  

•   {
  

•     int   n;      /\* Number */
  

•     char  _units;     /_ Units _/
  

  +static int /_ O - 1 on success, 0 on failure /
  +read_cups_files_conf(cups_file_t *fp) / I - File to read from */
  +{

• int linenum; /* Current line number */

• char line[HTTP_MAX_BUFFER], /* Line from file */

•   _value;         /_ Value from line */
  

• struct group group; / Group */

•          n = strtol(value, &units, 0);
  

•     if (units && *units)
  

•     {
  

•       if (tolower(units[0] & 255) == 'g')
  

•     n *= 1024 \* 1024 \* 1024;
  

•       else if (tolower(units[0] & 255) == 'm')
  

•     n *= 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'k')
  

•     n *= 1024;
  

•   else if (tolower(units[0] & 255) == 't')
  

•     n *= 262144;
  

•   else
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "Unknown integer value for %s on line %d.",
  

•             line, linenum);
  

•     break;
  

•   }
  

•     }
  

• /*

• * Loop through each line in the file...

• */

•          if (n < 0)
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Bad negative integer value for %s on line %d.",
  

•           line, linenum);
  

•     else
  

•   *((int *)var->ptr) = n;
  

•   }
  

•   break;
  

• linenum = 0;

•    case CUPSD_VARTYPE_TIME :
  

•   if (!value)
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing time interval value for %s on line %d.",
  

•             line, linenum);
  

•   else if (!_cups_strncasecmp(line, "PreserveJob", 11) &&
  

•            (!_cups_strcasecmp(value, "true") ||
  

•         !_cups_strcasecmp(value, "on") ||
  

•         !_cups_strcasecmp(value, "enabled") ||
  

•         !_cups_strcasecmp(value, "yes")))
  

•     *((int *)var->ptr) = INT_MAX;
  

•   else if (!_cups_strcasecmp(value, "false") ||
  

•            !_cups_strcasecmp(value, "off") ||
  

•            !_cups_strcasecmp(value, "disabled") ||
  

•            !_cups_strcasecmp(value, "no"))
  

•     *((int *)var->ptr) = 0;
  

•   else if (!isdigit(*value & 255))
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Unknown time interval value for %s on line %d.",
  

•             line, linenum);
  

•   else
  

•   {
  

•     double    n;      /\* Number */
  

•     char  _units;     /_ Units */
  

• while (cupsFileGetConf(fp, line, sizeof(line), &value, &linenum))

• {

• if (!_cups_strcasecmp(line, "FatalErrors"))

•  FatalErrors = parse_fatal_errors(value);
  

• else if (!_cups_strcasecmp(line, "Group") && value)

• {

• /*
  

•  \* Group ID to run as...
  

•  */
  

•          n = strtod(value, &units);
  

•  if (isdigit(value[0]))
  

•    Group = atoi(value);
  

•  else
  

•  {
  

•    endgrent();
  

• group = getgrnam(value);

•     if (units && *units)
  

•     {
  

•       if (tolower(units[0] & 255) == 'w')
  

•     n *= 7 \* 24 \* 60 \* 60;
  

•       else if (tolower(units[0] & 255) == 'd')
  

•     n *= 24 \* 60 \* 60;
  

•   else if (tolower(units[0] & 255) == 'h')
  

•     n *= 60 \* 60;
  

•   else if (tolower(units[0] & 255) == 'm')
  

•     n *= 60;
  

•   else
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "Unknown time interval value for %s on line "
  

•             "%d.", line, linenum);
  

•     break;
  

•   }
  

•     }
  

• if (group != NULL)

• Group = group->gr_gid;
  

• else

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown Group \"%s\" on line %d of %s.", value,
  

•                 linenum, CupsFilesFile);
  

• if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•   return (0);
  

• }

•  }
  

• }

• else if (!_cups_strcasecmp(line, "PrintcapFormat") && value)

• {

• /*
  

•  \* Format of printcap file?
  

•  */
  

•          if (n < 0.0 || n > INT_MAX)
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Bad time value for %s on line %d.",
  

•           line, linenum);
  

•     else
  

•   *((int *)var->ptr) = (int)n;
  

•   }
  

•   break;
  

•  if (!_cups_strcasecmp(value, "bsd"))
  

•    PrintcapFormat = PRINTCAP_BSD;
  

•  else if (!_cups_strcasecmp(value, "plist"))
  

•    PrintcapFormat = PRINTCAP_PLIST;
  

•  else if (!_cups_strcasecmp(value, "solaris"))
  

•    PrintcapFormat = PRINTCAP_SOLARIS;
  

•  else
  

•  {
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown PrintcapFormat \"%s\" on line %d of %s.",
  

•               value, linenum, CupsFilesFile);
  

•    if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•      return (0);
  

•  }
  

• }

• else if (!_cups_strcasecmp(line, "SystemGroup") && value)

• {

• /*
  

•  \* SystemGroup (admin) group(s)...
  

•  */
  

• case CUPSD_VARTYPE_BOOLEAN :

•   if (!value)
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing boolean value for %s on line %d.",
  

•             line, linenum);
  

•        else if (!_cups_strcasecmp(value, "true") ||
  

•            !_cups_strcasecmp(value, "on") ||
  

•        !_cups_strcasecmp(value, "enabled") ||
  

•        !_cups_strcasecmp(value, "yes") ||
  

•        atoi(value) != 0)
  

•          *((int *)var->ptr) = TRUE;
  

•   else if (!_cups_strcasecmp(value, "false") ||
  

•            !_cups_strcasecmp(value, "off") ||
  

•        !_cups_strcasecmp(value, "disabled") ||
  

•        !_cups_strcasecmp(value, "no") ||
  

•        !_cups_strcasecmp(value, "0"))
  

•          *((int *)var->ptr) = FALSE;
  

•   else
  

•          cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Unknown boolean value %s on line %d.",
  

•                     value, linenum);
  

•   break;
  

•  if (!parse_groups(value))
  

•  {
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown SystemGroup \"%s\" on line %d of %s.", value,
  

•               linenum, CupsFilesFile);
  

•    if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•      return (0);
  

•  }
  

• }

• else if (!_cups_strcasecmp(line, "User") && value)

• {

• /*
  

•  \* User ID to run as...
  

•  */
  

• case CUPSD_VARTYPE_PATHNAME :

•        if (!value)
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing pathname value for %s on line %d.",
  

•             line, linenum);
  

•          break;
  

•   }
  

•  if (isdigit(value[0] & 255))
  

•  {
  

•    int uid = atoi(value);
  

•   if (value[0] == '/')
  

•     strlcpy(temp, value, sizeof(temp));
  

•   else
  

•     snprintf(temp, sizeof(temp), "%s/%s", ServerRoot, value);
  

• if (!uid)

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Will not use User 0 as specified on line %d of %s "
  

•         "for security reasons.  You must use a non-"
  

•         "privileged account instead.",
  

•                 linenum, CupsFilesFile);
  

•      if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•        return (0);
  

•    }
  

•    else
  

• User = atoi(value);
  

•  }
  

•  else
  

•  {
  

•    struct passwd *p;  /* Password information */
  

•        if (access(temp, 0))
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "File or directory for \"%s %s\" on line %d "
  

•             "does not exist.", line, value, linenum);
  

•          break;
  

•   }
  

•    endpwent();
  

• p = getpwnam(value);

• case CUPSD_VARTYPE_STRING :

•   cupsdSetString((char **)var->ptr, value);
  

•   break;
  

• if (p)

• {

• if (!p->pw_uid)
  

• {
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Will not use User %s (UID=0) as specified on line "
  

•           "%d of %s for security reasons.  You must use a "
  

•           "non-privileged account instead.",
  

•                   value, linenum, CupsFilesFile);
  

•   if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•     return (0);
  

• }
  

• else
  

•   User = p->pw_uid;
  

• }

• else

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown User \"%s\" on line %d of %s.",
  

•                 value, linenum, CupsFilesFile);
  

•      if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•        return (0);
  

•    }
  

  }
  }

• else if (!parse_variable(CupsFilesFile, linenum, line, value,

•            sizeof(cupsfiles_vars) / sizeof(cupsfiles_vars[0]),
  

•            cupsfiles_vars) &&
  

•    (FatalErrors & CUPSD_FATAL_CONFIG))
  

•  return (0);
  

  }

  return (1);

  Index: scheduler/conf.h

  --- scheduler/conf.h (revision 10708)
  +++ scheduler/conf.h (working copy)
  @@ -97,7 +97,9 @@
  */

  VAR char *ConfigurationFile VALUE(NULL),

•               /\* Configuration file to use */
  

•               /\* cupsd.conf file to use */
  

•       *CupsFilesFile      VALUE(NULL),
  

•               /\* cups-files.conf file to use _/
      *ServerName     VALUE(NULL),
              /_ FQDN for server */
      *ServerAdmin        VALUE(NULL),
  

  Index: scheduler/client.c

  --- scheduler/client.c (revision 10708)
  +++ scheduler/client.c (working copy)
  @@ -32,7 +32,7 @@

  • compare_clients() - Compare two client connections.
  • data_ready() - Check whether data is available from a client.
  • get_file() - Get a filename and state info.

• * install_conf_file() - Install a configuration file.

• • install_cupsd_conf() - Install a configuration file.
  • is_cgi() - Is the resource a CGI script/program?
  • is_path_absolute() - Is a path absolute and free of relative elements

  •           (i.e. "..").
    

    @@ -98,7 +98,7 @@
    static int data_ready(cupsd_client_t *con);
    static char *get_file(cupsd_client_t *con, struct stat *filestats,
    char *filename, int len);
    -static http_status_t install_conf_file(cupsd_client_t *con);
    +static http_status_t install_cupsd_conf(cupsd_client_t *con);
    static int is_cgi(cupsd_client_t *con, const char *filename,
    struct stat *filestats, mime_type_t *type);
    static int is_path_absolute(const char *path);
    @@ -1670,17 +1670,14 @@
    • Validate the resource name...
      */

•        if (strncmp(con->uri, "/admin/conf/", 12) ||
  

•       strchr(con->uri + 12, '/') ||
  

•   strlen(con->uri) == 12)
  

•        if (strcmp(con->uri, "/admin/conf/cupsd.conf"))
  {
   /*
  

•     \* PUT can only be done to configuration files under
  

•     \* /admin/conf...
  

•     * PUT can only be done to the cupsd.conf file...
    */
  
    cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "[Client %d] Request for subdirectory \"%s\".",
  

•             "[Client %d] Disallowed PUT request for \"%s\".",
            con->http.fd, con->uri);
  
    if (!cupsdSendError(con, HTTP_FORBIDDEN, CUPSD_AUTH_NONE))
  

  @@ -2052,7 +2049,7 @@

  • Install the configuration file...
    */

•      status = install_conf_file(con);
  

•      status = install_cupsd_conf(con);
  
    /*
  

  • Return the status to the client...
    @@ -3311,14 +3308,13 @@

  /*

• * 'install_conf_file()' - Install a configuration file.

• • 'install_cupsd_conf()' - Install a configuration file.
    */

  static http_status_t /* O - Status /
  -install_conf_file(cupsd_client_t *con) / I - Connection /
  +install_cupsd_conf(cupsd_client_t *con) / I - Connection /
  {
  char filename[1024]; / Configuration filename */

• mode_t mode; /* Permissions /
  cups_file_t *in, / Input file /
  *out; / Output file /
  char buffer[16384]; / Copy buffer */
  @@ -3340,13 +3336,8 @@

• Open the new config file...
  */

• snprintf(filename, sizeof(filename), "%s%s", ServerRoot, con->uri + 11);

• if (!strcmp(con->uri, "/admin/conf/printers.conf"))

• mode = ConfigFilePerm & 0600;

• else

- mode = ConfigFilePerm;

• if ((out = cupsdCreateConfFile(filename, mode)) == NULL)
• snprintf(filename, sizeof(filename), "%s/cupsd.conf", ServerRoot);
• if ((out = cupsdCreateConfFile(filename, ConfigFilePerm)) == NULL)
  {
  cupsFileClose(in);
  return (HTTP_SERVER_ERROR);
  @@ -3391,14 +3382,10 @@
  cupsdClearString(&con->filename);

/*

• * If the cupsd.conf file was updated, set the NeedReload flag...
• • Set the NeedReload flag...
    */
• if (!strcmp(con->uri, "/admin/conf/cupsd.conf"))
• NeedReload = RELOAD_CUPSD;
• else

- NeedReload = RELOAD_ALL;

• NeedReload = RELOAD_CUPSD;
  ReloadTime = time(NULL);

/*

Index: scheduler/main.c

--- scheduler/main.c (revision 10708)
+++ scheduler/main.c (working copy)
@@ -208,7 +208,6 @@

         char *current;     /* Current directory */

       /*
        * Allocate a buffer for the current working directory to
    * reduce run-time stack usage; this approximates the

@@ -234,6 +233,35 @@
cupsdSetStringf(&ConfigurationFile, "%s/%s", current, argv[i]);
free(current);
}
+

•     if (!CupsFilesFile)
  

•     {
  

•       char    _filename,  /_ Copy of cupsd.conf filename */
  

•       _slash;     /_ Final slash in cupsd.conf filename */
  

•   size_t  len;        /\* Size of buffer */
  

•   len = strlen(ConfigurationFile) + 15;
  

•   if ((filename = malloc(len)) == NULL)
  

•   {
  

•     _cupsLangPrintf(stderr,
  

•                     _("cupsd: Unable to get path to "
  

•                       "cups-files.conf file."));
  

•              return (1);
  

•   }
  

•   strlcpy(filename, ConfigurationFile, len);
  

•   if ((slash = strrchr(filename, '/')) == NULL)
  

•   {
  

•     _cupsLangPrintf(stderr,
  

•                     _("cupsd: Unable to get path to "
  

•                       "cups-files.conf file."));
  

•              return (1);
  

•   }
  

•   strlcpy(slash, "/cups-files.conf", len - (slash - filename));
  

•   cupsdSetString(&CupsFilesFile, filename);
  

•   free(filename);
  

•     }
    break;
  
     case 'f' : /* Run in foreground... */
  

  @@ -272,6 +300,29 @@
  UseProfiles = 0;
  break;

•      case 's' : /* Set cups-files.conf location */
  

•          i ++;
  

•     if (i >= argc)
  

•     {
  

•       _cupsLangPuts(stderr, _("cupsd: Expected cups-files.conf "
  

•                               "filename after \"-s\" option."));
  

•       usage(1);
  

•     }
  

•          if (argv[i][0] != '/')
  

•     {
  

•      /*
  

•       \* Relative filename not allowed...
  

•   */
  

•       _cupsLangPuts(stderr, _("cupsd: Relative cups-files.conf "
  

•                               "filename not allowed."));
  

•       usage(1);
  

•          }
  

•     cupsdSetString(&CupsFilesFile, argv[i]);
  

•     break;
  

  #ifdef APPLE
  case 'S' : /* Disable system management functions */
  fputs("cupsd: -S (disable system management) for internal "

[michaelrsweet]

"str4223-1.6.patch":

Index: packaging/cups.spec.in

--- packaging/cups.spec.in (revision 10708)
+++ packaging/cups.spec.in (working copy)
@@ -135,6 +135,7 @@
%defattr(-,root,root)
%dir /etc/cups
%config(noreplace) /etc/cups/*.conf
+/etc/cups/cups-files.conf.default
/etc/cups/cupsd.conf.default
%dir /etc/cups/interfaces
%dir /etc/cups/ppd

Index: packaging/cups.list.in

--- packaging/cups.list.in (revision 10708)
+++ packaging/cups.list.in (working copy)
@@ -528,6 +528,8 @@
d 0755 root $CUPS_GROUP $SERVERROOT/interfaces -
d 0755 root $CUPS_GROUP $SERVERROOT/ppd -
d 0700 root $CUPS_GROUP $SERVERROOT/ssl -
+c $CUPS_PERM root $CUPS_GROUP $SERVERROOT/cups-files.conf conf/cups-files.conf
+f $CUPS_PERM root $CUPS_GROUP $SERVERROOT/cups-files.conf.default conf/cups-files.conf
c $CUPS_PERM root $CUPS_GROUP $SERVERROOT/cupsd.conf conf/cupsd.conf
f $CUPS_PERM root $CUPS_GROUP $SERVERROOT/cupsd.conf.default conf/cupsd.conf
c $CUPS_PERM root $CUPS_GROUP $SERVERROOT/snmp.conf conf/snmp.conf

Index: conf/cups-files.conf.in

--- conf/cups-files.conf.in (revision 0)
+++ conf/cups-files.conf.in (revision 0)
@@ -0,0 +1,98 @@
+#
+# "$Id$"
+#
+# Sample file/directory/user/group configuration file for the CUPS scheduler.
+# See "man cups-files.conf" for a complete description of this file.
+#
+
+# List of events that are considered fatal errors for the scheduler...
+#FatalErrors @CUPS_FATAL_ERRORS@
+
+# Default user and group for filters/backends/helper programs; this cannot be
+# any user or group that resolves to ID 0 for security reasons...
+#User @CUPS_USER@
+#Group @CUPS_GROUP@
+
+# Administrator user group, used to match @System in cupsd.conf policy rules...
+SystemGroup @CUPS_SYSTEM_GROUPS@
+@CUPS_SYSTEM_AUTHKEY@
+
+# User that is substituted for unauthenticated (remote) root accesses...
+#RemoteRoot remroot
+
+# Do we allow file: device URIs other than to /dev/null?
+#FileDevice No
+
+# Permissions for configuration and log files...
+#ConfigFilePerm @CUPS_CONFIG_FILE_PERM@
+#LogFilePerm @CUPS_LOG_FILE_PERM@
+
+# Location of the file logging all access to the scheduler; may be the name
+# "syslog". If not an absolute path, the value of ServerRoot is used as the
+# root directory. Also see the "AccessLogLevel" directive in cupsd.conf.
+AccessLog @CUPS_LOGDIR@/access_log
+
+# Location of cache files used by the scheduler...
+#CacheDir @CUPS_CACHEDIR@
+
+# Location of data files used by the scheduler...
+#DataDir @CUPS_DATADIR@
+
+# Location of the static web content served by the scheduler...
+#DocRoot @CUPS_DOCROOT@
+
+# Location of the file logging all messages produced by the scheduler and any
+# helper programs; may be the name "syslog". If not an absolute path, the value
+# of ServerRoot is used as the root directory. Also see the "LogLevel"
+# directive in cupsd.conf.
+ErrorLog @CUPS_LOGDIR@/error_log
+
+# Location of fonts used by older print filters...
+#FontPath @CUPS_FONTPATH@
+
+# Location of LPD configuration
+#LPDConfigFile @CUPS_DEFAULT_LPD_CONFIG_FILE@
+
+# Location of the file logging all pages printed by the scheduler and any
+# helper programs; may be the name "syslog". If not an absolute path, the value
+# of ServerRoot is used as the root directory. Also see the "PageLogFormat"
+# directive in cupsd.conf.
+PageLog @CUPS_LOGDIR@/page_log
+
+# Location of the file listing all of the local printers...
+#Printcap @CUPS_DEFAULT_PRINTCAP@
+
+# Format of the Printcap file...
+#PrintcapFormat bsd
+#PrintcapFormat plist
+#PrintcapFormat solaris
+
+# Location of all spool files...
+#RequestRoot @CUPS_REQUESTS@
+
+# Location of helper programs...
+#ServerBin @CUPS_SERVERBIN@
+
+# SSL/TLS certificate for the scheduler...
+#ServerCertificate @CUPS_SERVERCERT@
+
+# SSL/TLS private key for the scheduler...
+#ServerKey @CUPS_SERVERKEY@
+
+# Location of other configuration files...
+#ServerRoot @CUPS_SERVERROOT@
+
+# Location of Samba configuration file...
+#SMBConfigFile @CUPS_DEFAULT_SMB_CONFIG_FILE@
+
+# Location of scheduler state files...
+#StateDir @CUPS_STATEDIR@
+
+# Location of scheduler/helper temporary files. This directory is emptied on
+# scheduler startup and cannot be one of the standard (public) temporary
+# directory locations for security reasons...
+#TempDir @CUPS_REQUESTS@/tmp
+
+#
+# End of "$Id$".
+#

Property changes on: conf/cups-files.conf.in

---

Added: svn:keywords

• Id
  Added: svn:eol-style
• native

Index: conf/cupsd.conf.in

--- conf/cupsd.conf.in (revision 10708)
+++ conf/cupsd.conf.in (working copy)
@@ -9,10 +9,6 @@

for troubleshooting...

LogLevel @CUPS_LOG_LEVEL@

-# Administrator user group...
-SystemGroup @CUPS_SYSTEM_GROUPS@

-@CUPS_SYSTEM_AUTHKEY@

Only listen for connections from the local machine.

Listen localhost:@DEFAULT_IPP_PORT@
@CUPS_LISTEN_DOMAINSOCKET@

Index: conf/Makefile

--- conf/Makefile (revision 10708)
+++ conf/Makefile (working copy)
@@ -19,7 +19,7 @@

Config files...

-KEEP = cupsd.conf snmp.conf
+KEEP = cups-files.conf cupsd.conf snmp.conf
REPLACE = mime.convs mime.types

Index: config-scripts/cups-ssl.m4

--- config-scripts/cups-ssl.m4 (revision 10708)
+++ config-scripts/cups-ssl.m4 (working copy)
@@ -27,6 +27,8 @@
SSLFLAGS=""
SSLLIBS=""
have_ssl=0
+CUPS_SERVERCERT=""
+CUPS_SERVERKEY=""

if test x$enable_ssl != xno; then
dnl Look for CDSA...
@@ -36,6 +38,7 @@
have_ssl=1
AC_DEFINE(HAVE_SSL)
AC_DEFINE(HAVE_CDSASSL)

•   CUPS_SERVERCERT="/Library/Keychains/System.keychain"
  
  dnl Check for the various security headers...
  AC_CHECK_HEADER(Security/SecureTransportPriv.h,
  

  @@ -106,6 +109,9 @@
  fi

  if test $have_ssl = 1; then

•   CUPS_SERVERCERT="ssl/server.crt"
  

•   CUPS_SERVERKEY="ssl/server.key"
  

  •    if $PKGCONFIG --exists gcrypt; then
      SSLLIBS="$SSLLIBS `$PKGCONFIG --libs gcrypt`"
      SSLFLAGS="$SSLFLAGS `$PKGCONFIG --cflags gcrypt`"
    

  @@ -148,6 +154,9 @@
  done

  if test "x${SSLLIBS}" != "x"; then
  

•   CUPS_SERVERCERT="ssl/server.crt"
  

•   CUPS_SERVERKEY="ssl/server.key"
  

  • LIBS="$SAVELIBS $SSLLIBS"
    AC_CHECK_FUNCS(SSL_set_tlsext_host_name)
    fi
    @@ -165,6 +174,8 @@
    AC_MSG_ERROR([Unable to enable SSL support.])
    fi

+AC_SUBST(CUPS_SERVERCERT)
+AC_SUBST(CUPS_SERVERKEY)
AC_SUBST(IPPALIASES)
AC_SUBST(SSLFLAGS)
AC_SUBST(SSLLIBS)

Index: config-scripts/cups-defaults.m4

--- config-scripts/cups-defaults.m4 (revision 10708)
+++ config-scripts/cups-defaults.m4 (working copy)
@@ -305,6 +305,7 @@
fi

AC_DEFINE_UNQUOTED(CUPS_DEFAULT_LPD_CONFIG_FILE, "$CUPS_DEFAULT_LPD_CONFIG_FILE")
+AC_SUBST(CUPS_DEFAULT_LPD_CONFIG_FILE)

dnl Default SMB config file...
AC_ARG_WITH(smbconfigfile, [ --with-smbconfigfile set default SMBConfigFile URI],
@@ -326,6 +327,7 @@
fi

AC_DEFINE_UNQUOTED(CUPS_DEFAULT_SMB_CONFIG_FILE, "$CUPS_DEFAULT_SMB_CONFIG_FILE")
+AC_SUBST(CUPS_DEFAULT_SMB_CONFIG_FILE)

dnl Default MaxCopies value...
AC_ARG_WITH(max-copies, [ --with-max-copies set default max copies value, default=9999 ],

Index: doc/help/ref-cups-files-conf.html.in

--- doc/help/ref-cups-files-conf.html.in (revision 0)
+++ doc/help/ref-cups-files-conf.html.in (revision 0)
@@ -0,0 +1,531 @@
+
+
+

• <TITLE>cups-files.conf</TITLE>

+
+
+
+

cups-files.conf

+
+

The /etc/cups/cups-files.conf file contains configuration directives that control the files, directories. users. and groups that are used by the CUPS scheduler, cupsd(8). Each directive is listed on a line by itself followed by its value. Comments are introduced using the number sign ("#") character at the beginning of a line.

+
+

AccessLog

+
+

Examples

+
+

+AccessLog /var/log/cups/access_log

+AccessLog /var/log/cups/access_log-%s

+AccessLog syslog

+

+
+

Description

+
+

The AccessLog directive sets the name of the
+access log file. If the filename is not absolute then it is
+assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+access log file is stored in "common log format" and can be used
+by any web access reporting tool to generate a report on CUPS
+server activity.

+
+

The server name can be included in the filename by using
+%s in the name.

+
+

The special name "syslog" can be used to send the access
+information to the system log instead of a plain file.

+
+

The default access log file is
+@CUPS_LOGDIR@/access_log.

+
+
+

CUPS 1.1.15ConfigFilePerm

+
+

Examples

+
+

+ConfigFilePerm 0644

+ConfigFilePerm 0640

+

+
+

Description

+
+

The ConfigFilePerm directive specifies the permissions to use when the scheduler writes configuration and cache files, typically in response to IPP or HTTP requests. The default is @CUPS_CONFIG_FILE_PERM@.

+
+

Note:
+
+

The permissions for the printers.conf file are always masked to only allow access from the scheduler user (typically root). This is done because printer device URIs sometimes contain sensitive authentication information that should not be generally known on the system. There is no way to disable this security feature.

+
+

+
+
+

DataDir

+
+

Examples

+
+

+DataDir /usr/share/cups

+

+
+

Description

+
+

The DataDir directive sets the directory to use
+for data files.

+
+
+

CUPS 1.2/OS X 10.5DefaultAuthType

+
+

Examples

+
+

+DefaultAuthType Basic

+DefaultAuthType BasicDigest

+DefaultAuthType Digest

+DefaultAuthType Negotiate

+

+
+

Description

+
+

The DefaultAuthType directive specifies the type
+of authentication to use for IPP operations that require a
+username. The default is Basic.

+
+
+

DocumentRoot

+
+

Examples

+
+

+DocumentRoot /usr/share/doc/cups

+DocumentRoot /foo/bar/doc/cups

+

+
+

Description

+
+

The DocumentRoot directive specifies the location
+of web content for the HTTP server in CUPS. If an absolute path
+is not specified then it is assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default directory is @CUPS_DOCROOT@.

+
+

Documents are first looked up in a sub-directory for the
+primary language requested by the client (e.g.
+@CUPS_DOCROOT@/fr/...) and then directly under
+the DocumentRoot directory (e.g.
+@CUPS_DOCROOT@/...), so it is possible to
+localize the web content by providing subdirectories for each
+language needed.

+
+
+

ErrorLog

+
+

Examples

+
+

+ErrorLog /var/log/cups/error_log

+ErrorLog /var/log/cups/error_log-%s

+ErrorLog syslog

+

+
+

Description

+
+

The ErrorLog directive sets the name of the error
+log file. If the filename is not absolute then it is assumed to
+be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default error log file is @CUPS_LOGDIR@/error_log.

+
+

The server name can be included in the filename by using
+%s in the name.

+
+

The special name "syslog" can be used to send the error
+information to the system log instead of a plain file.

+
+
+

CUPS 1.4/OS X 10.6FatalErrors

+
+

Examples

+
+

+FatalErrors none

+FatalErrors all

+FatalErrors browse

+FatalErrors config

+FatalErrors listen

+FatalErrors log

+FatalErrors permissions

+FatalErrors all -permissions

+FatalErrors config permissions log

+

+
+

Description

+
+

The FatalErrors directive determines whether certain kinds of
+errors are fatal. The following kinds of errors are currently recognized:

+
+

+
• none - No errors are fatal
• all - All of the errors below are fatal
• browse - Browsing initialization errors are fatal,
• for example failed binding to the CUPS browse port or failed connections
• to LDAP servers
• config - Configuration file syntax errors are
• fatal
• listen - Listen or Port errors are fatal, except for
• IPv6 failures on the loopback or "any" addresses
• log - Log file creation or write errors are fatal
• permissions - Bad startup file permissions are
• fatal, for example shared SSL certificate and key files with world-
• read permissions

+

+
+

Multiple errors can be listed, and the form "-kind" can be used with
+all to remove specific kinds of errors. The default setting is
+@CUPS_FATAL_ERRORS@.

+
+
+

CUPS 1.1.18FileDevice

+
+

Examples

+
+

+FileDevice Yes

+FileDevice No

+

+
+

Description

+
+

The FileDevice directive determines whether the
+scheduler allows new printers to be added using device URIs of
+the form file:/filename. File devices are most often
+used to test new printer drivers and do not support raw file
+printing.

+
+

The default setting is No.

+
+

Note:
+
+

File devices are managed by the scheduler. Since the
+scheduler normally runs as the root user, file devices
+can be used to overwrite system files and potentially
+gain unauthorized access to the system. If you must
+create printers using file devices, we recommend that
+you set the FileDevice directive to
+Yes for only as long as you need to add the
+printers to the system, and then reset the directive to
+No.

+
+

+
+
+

CUPS 1.1.3FontPath

+
+

Examples

+
+

+FontPath /foo/bar/fonts

+FontPath /usr/share/cups/fonts:/foo/bar/fonts

+

+
+

Description

+
+

The FontPath directive specifies the font path to
+use when searching for fonts. The default font path is
+/usr/share/cups/fonts.

+
+
+

Group

+
+

Examples

+
+

+Group lp

+Group nobody

+

+
+

Description

+
+

The Group directive specifies the UNIX group that
+filter and CGI programs run as. The default group is
+system-specific but is usually lp or
+nobody.

+
+
+

CUPS 1.1.15LogFilePerm

+
+

Examples

+
+

+LogFilePerm 0644

+LogFilePerm 0600

+

+
+

Description

+
+

The LogFilePerm directive specifies the
+permissions to use when writing log files. The default
+is @CUPS_LOG_FILE_PERM@.

+
+
+

PageLog

+
+

Examples

+
+

+PageLog /var/log/cups/page_log

+PageLog /var/log/cups/page_log-%s

+PageLog syslog

+

+
+

Description

+
+

The PageLog directive sets the name of the page
+log file. If the filename is not absolute then it is assumed to
+be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default page log file is @CUPS_LOGDIR@/page_log.

+
+

The server name can be included in the filename by using
+%s in the name.

+
+

The special name "syslog" can be used to send the page
+information to the system log instead of a plain file.

+
+
+

Printcap

+
+

Examples

+
+

+Printcap

+Printcap /etc/printcap

+Printcap /etc/printers.conf

+Printcap /Library/Preferences/org.cups.printers.plist

+

+
+

Description

+
+

The Printcap directive controls whether or not a
+printcap file is automatically generated and updated with a list
+of available printers. If specified with no value, then no
+printcap file will be generated. The default is to generate a
+file named @CUPS_DEFAULT_PRINTCAP@.

+
+

When a filename is specified (e.g. @CUPS_DEFAULT_PRINTCAP@),
+the printcap file is written whenever a printer is added or
+removed. The printcap file can then be used by applications that
+are hardcoded to look at the printcap file for the available
+printers.

+
+
+

PrintcapFormat

+
+

Examples

+
+

+PrintcapFormat BSD

+PrintcapFormat Solaris

+PrintcapFormat plist

+

+
+

Description

+
+

The PrintcapFormat directive controls the output format of the
+printcap file. The default is to generate the plist format on OS X, the
+Solaris format on Solaris, and the BSD format on other operating systems.

+
+
+

CUPS 1.1.3RemoteRoot

+
+

Examples

+
+

+RemoteRoot remroot

+RemoteRoot root

+

+
+

Description

+
+

The RemoteRoot directive sets the username for
+unauthenticated root requests from remote hosts. The default
+username is remroot. Setting RemoteRoot
+to root effectively disables this security
+mechanism.

+
+
+

RequestRoot

+
+

Examples

+
+

+RequestRoot /var/spool/cups

+RequestRoot /foo/bar/spool/cups

+

+
+

Description

+
+

The RequestRoot directive sets the directory for
+incoming IPP requests and HTML forms. If an absolute path is not
+provided then it is assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default request directory is @CUPS_REQUESTS@.

+
+
+

ServerBin

+
+

Examples

+
+

+ServerBin /usr/lib/cups

+ServerBin /foo/bar/lib/cups

+

+
+

Description

+
+

The ServerBin directive sets the directory for
+server-run executables. If an absolute path is not provided then
+it is assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default executable directory is /usr/lib/cups,
+/usr/lib32/cups, or /usr/libexec/cups
+depending on the operating system.

+
+
+

ServerCertificate

+
+

Examples

+
+

+ServerCertificate /etc/cups/ssl/server.crt

+

+
+

Description

+
+

The ServerCertificate directive specifies the
+location of the SSL certificate file used by the server when
+negotiating encrypted connections. The certificate must not be
+encrypted (password protected) since the scheduler normally runs
+in the background and will be unable to ask for a password.

+
+

The default certificate file is
+/etc/cups/ssl/server.crt.

+
+
+

ServerKey

+
+

Examples

+
+

+ServerKey /etc/cups/ssl/server.key

+

+
+

Description

+
+

The ServerKey directive specifies the location of
+the SSL private key file used by the server when negotiating
+encrypted connections.

+
+

The default key file is
+/etc/cups/ssl/server.crt.

+
+
+

ServerRoot

+
+

Examples

+
+

+ServerRoot /etc/cups

+ServerRoot /foo/bar/cups

+

+
+

Description

+
+

The ServerRoot directive specifies the absolute
+path to the server configuration and state files. It is also used
+to resolve relative paths in the cupsd.conf file. The
+default server directory is /etc/cups.

+
+
+

SystemGroup

+
+

Examples

+
+

+SystemGroup lpadmin

+SystemGroup sys

+SystemGroup system

+SystemGroup root

+SystemGroup root lpadmin

+

+
+

Description

+
+

The SystemGroup directive specifies the system
+administration group for System authentication.
+Multiple groups can be listed, separated with spaces. The default
+group list is @CUPS_SYSTEM_GROUPS@.

+
+
+

TempDir

+
+

Examples

+
+

+TempDir /var/tmp

+TempDir /foo/bar/tmp

+

+
+

Description

+
+

The TempDir directive specifies an absolute path
+for the directory to use for temporary files. The default
+directory is @CUPS_REQUESTS@/tmp.

+
+

Temporary directories must be world-writable and should have
+the "sticky" permission bit enabled so that other users cannot
+delete filter temporary files. The following commands will create
+an appropriate temporary directory called
+/foo/bar/tmp:

+
+

+mkdir /foo/bar/tmp

+chmod a+rwxt /foo/bar/tmp

+

+
+
+

User

+
+

Examples

+
+

+User lp

+User guest

+

+
+

Description

+
+

The User directive specifies the UNIX user that
+filter and CGI programs run as. The default user is
+@CUPS_USER@.

+
+

Note:
+
+

You may not use user root, as that would expose
+the system to unacceptable security risks. The scheduler will
+automatically choose user nobody if you specify a
+user whose ID is 0.

+
+

+
+
+
+

Property changes on: doc/help/ref-cups-files-conf.html.in

---

Added: svn:keywords

• Id
  Added: svn:eol-style
• native

Index: doc/help/ref-cupsd-conf.html.in

--- doc/help/ref-cupsd-conf.html.in (revision 10708)
+++ doc/help/ref-cupsd-conf.html.in (working copy)
@@ -197,82 +197,6 @@
HREF="#Limit">Limit section.

-

DeprecatedAuthClass

-

Examples

-

-<Location /path>


...
AuthClass Anonymous
AuthClass User
AuthClass System
AuthClass Group

-</Location>

-

-

Description

-

The AuthClass directive defines what level of
-authentication is required:

-

• Anonymous - No authentication should be

- performed (default)

• User - A valid username and password is

- required

• System - A valid username and password
• is required, and the username must belong to the "sys"
• group; this can be changed using the <A
• HREF="#SystemGroup">SystemGroup

- directive

• Group - A valid username and password is
• required, and the username must belong to the group named
• by the <A
• HREF="#AuthGroupName">AuthGroupName

- directive

-

-

The AuthClass directive must appear inside a <A
-HREF="#Location">Location or <A

-HREF="#Limit">Limit section.

-

This directive is deprecated and will be removed from a
-future release of CUPS. Consider using the more flexible <A

-HREF="#Require">Require directive instead.

-

DeprecatedAuthGroupName

-

Examples

-

-<Location /path>


...
AuthGroupName mygroup
AuthGroupName lp

-</Location>

-

-

Description

-

The AuthGroupName directive sets the group to use

-for Group authentication.

-

The AuthGroupName directive must appear inside a
-Location or <A

-HREF="#Limit">Limit section.

-

This directive is deprecated and will be removed from a
-future release of CUPS. Consider using the more flexible <A

-HREF="#Require">Require directive instead.

AuthType

Examples

@@ -2096,65 +2020,6 @@

-

Printcap

-

Examples

-

-Printcap

-Printcap /etc/printcap

-Printcap /etc/printers.conf

-Printcap /Library/Preferences/org.cups.printers.plist

-

-

Description

-

The Printcap directive controls whether or not a
-printcap file is automatically generated and updated with a list
-of available printers. If specified with no value, then no
-printcap file will be generated. The default is to generate a

-file named @CUPS_DEFAUL_PRINTCAP@.

-

When a filename is specified (e.g. @CUPS_DEFAULT_PRINTCAP@),
-the printcap file is written whenever a printer is added or
-removed. The printcap file can then be used by applications that
-are hardcoded to look at the printcap file for the available

-printers.

-

PrintcapFormat

-

Examples

-

-PrintcapFormat BSD

-PrintcapFormat Solaris

-PrintcapFormat plist

-

-

Description

-

The PrintcapFormat directive controls the output format of the
-printcap file. The default is to generate the plist format on OS X, the

-Solaris format on Solaris, and the BSD format on other operating systems.

-

CUPS 1.1.13PrintcapGUI

-

Examples

-

-PrintGUI /usr/bin/glpoptions

-

-

Description

-

The PrintcapGUI directive sets the program to
-associate with the IRIX printer GUI interface script which is
-used by IRIX applications to display printer-specific options.

-There is no default program.

CUPS 1.1.21ReloadTimeout

Examples

@@ -2171,42 +2036,6 @@ before doing a restart. The default is 30 seconds.

-

CUPS 1.1.3RemoteRoot

-

Examples

-

-RemoteRoot remroot

-RemoteRoot root

-

-

Description

-

The RemoteRoot directive sets the username for
-unauthenticated root requests from remote hosts. The default
-username is remroot. Setting RemoteRoot
-to root effectively disables this security

-mechanism.

-

RequestRoot

-

Examples

-

-RequestRoot /var/spool/cups

-RequestRoot /foo/bar/spool/cups

-

-

Description

-

The RequestRoot directive sets the directory for
-incoming IPP requests and HTML forms. If an absolute path is not
-provided then it is assumed to be relative to the <A
-HREF="#ServerRoot">ServerRoot directory. The

-default request directory is @CUPS_REQUESTS@.

CUPS 1.1.7Require

Examples

@@ -2359,64 +2188,6 @@

-

ServerBin

-

Examples

-

-ServerBin /usr/lib/cups

-ServerBin /foo/bar/lib/cups

-

-

Description

-

The ServerBin directive sets the directory for
-server-run executables. If an absolute path is not provided then
-it is assumed to be relative to the <A
-HREF="#ServerRoot">ServerRoot directory. The
-default executable directory is /usr/lib/cups,
-/usr/lib32/cups, or /usr/libexec/cups

-depending on the operating system.

-

ServerCertificate

-

Examples

-

-ServerCertificate /etc/cups/ssl/server.crt

-

-

Description

-

The ServerCertificate directive specifies the
-location of the SSL certificate file used by the server when
-negotiating encrypted connections. The certificate must not be
-encrypted (password protected) since the scheduler normally runs

-in the background and will be unable to ask for a password.

-

The default certificate file is

-/etc/cups/ssl/server.crt.

-

ServerKey

-

Examples

-

-ServerKey /etc/cups/ssl/server.key

-

-

Description

-

The ServerKey directive specifies the location of
-the SSL private key file used by the server when negotiating

-encrypted connections.

-

The default key file is

-/etc/cups/ssl/server.crt.

ServerName

Examples

@@ -2433,23 +2204,6 @@ hostname.

-

ServerRoot

-

Examples

-

-ServerRoot /etc/cups

-ServerRoot /foo/bar/cups

-

-

Description

-

The ServerRoot directive specifies the absolute
-path to the server configuration and state files. It is also used
-to resolve relative paths in the cupsd.conf file. The

-default server directory is /etc/cups.

CUPS 1.1.21ServerTokens

Examples

@@ -2645,53 +2399,6 @@ HREF="#Policy">Policy section.

-

SystemGroup

-

Examples

-

-SystemGroup lpadmin

-SystemGroup sys

-SystemGroup system

-SystemGroup root

-SystemGroup root lpadmin

-

-

Description

-

The SystemGroup directive specifies the system
-administration group for System authentication.
-Multiple groups can be listed, separated with spaces. The default

-group list is @CUPS_SYSTEM_GROUPS@.

-

TempDir

-

Examples

-

-TempDir /var/tmp

-TempDir /foo/bar/tmp

-

-

Description

-

The TempDir directive specifies an absolute path
-for the directory to use for temporary files. The default

-directory is @CUPS_REQUESTS@/tmp.

-

Temporary directories must be world-writable and should have
-the "sticky" permission bit enabled so that other users cannot
-delete filter temporary files. The following commands will create
-an appropriate temporary directory called

-/foo/bar/tmp:

-

-mkdir /foo/bar/tmp

-chmod a+rwxt /foo/bar/tmp

-

Timeout

Examples

@@ -2712,53 +2419,6 @@

The default timeout is 5m (five minutes).

-

CUPS 1.2/OS X 10.5UseNetworkDefault

-

Examples

-

-UseNetworkDefault yes

-UseNetworkDefault no

-

-

Description

-

The UseNetworkDefault directive controls whether
-the client will use a network/remote printer as a default
-printer. If enabled, the default printer of a server is used as
-the default printer on a client. When multiple servers are
-advertising a default printer, the client's default printer is
-set to the first discovered printer, or to the implicit class for

-the same printer available from multiple servers.

-

The default is @CUPS_USE_NETWORK_DEFAULT@.

-

User

-

Examples

-

-User lp

-User guest

-

-

Description

-

The User directive specifies the UNIX user that
-filter and CGI programs run as. The default user is

-@CUPS_USER@.

-

Note:

-

You may not use user root, as that would expose
-the system to unacceptable security risks. The scheduler will
-automatically choose user nobody if you specify a

-user whose ID is 0.

-

CUPS 1.5WebInterface

Examples

Index: doc/Makefile

--- doc/Makefile (revision 10708)
+++ doc/Makefile (working copy)
@@ -3,7 +3,7 @@

Documentation makefile for CUPS.

-# Copyright 2007-2011 by Apple Inc.
+# Copyright 2007-2012 by Apple Inc.

Copyright 1997-2007 by Easy Software Products.

These coded instructions, statements, and computer programs are the

Index: man/cupsd.conf.man.in

--- man/cupsd.conf.man.in (revision 10708)
+++ man/cupsd.conf.man.in (working copy)
@@ -12,12 +12,15 @@
." which should have been included with this file. If this file is
." file is missing or damaged, see the license at "http://www.cups.org/".
."
-.TH cupsd.conf 5 "CUPS" "18 May 2012" "Apple Inc."
+.TH cupsd.conf 5 "CUPS" "19 November 2012" "Apple Inc."
.SH NAME
cupsd.conf - server configuration file for cups
.SH DESCRIPTION
The \fIcupsd.conf\fR file configures the CUPS scheduler, \fIcupsd(8)\fR. It
-is normally located in the \fI@CUPS_SERVERROOT@\fR directory.
+is normally located in the \fI@CUPS_SERVERROOT@\fR directory. \fBNote:\fR
+File, directory, and user configuration directives that used to be allowed in
+the \fIcupsd.conf\fR file are now stored in the \fIcups-files.conf(5)\fR instead
+in order to prevent certain types of privilege escalation attacks.
.LP
Each line in the file can be a configuration directive, a blank line,
or a comment. Comment lines start with the # character. The
@@ -27,12 +30,6 @@
The following directives are understood by \fIcupsd(8)\fR. Consult the
on-line help for detailed descriptions:
.TP 5
-AccessLog filename
-.TP 5
-AccessLog syslog
-.br
-Defines the access log filename.
-.TP 5
AccessLogLevel config
.TP 5
AccessLogLevel actions
@@ -61,20 +58,6 @@
.br
Allows access from the named hosts or addresses.
.TP 5
-AuthClass User
-.TP 5
-AuthClass Group
-.TP 5
-AuthClass System
-.br
-Specifies the authentication class (User, Group, System) -
-\fBthis directive is deprecated\fR.
-.TP 5
-AuthGroupName group-name
-.br
-Specifies the authentication group - \fBthis directive is
-deprecated\fR.
-.TP 5
AuthType None
.TP 5
AuthType Basic
@@ -108,7 +91,7 @@
.TP 5
Browsing No
.br
-Specifies whether or not remote printer browsing should be enabled.
+Specifies whether or not shared printers should be advertised.
.TP 5
Classification banner
.br
@@ -121,15 +104,6 @@
Specifies whether to allow users to override the classification
of individual print jobs.
.TP 5
-ConfigFilePerm mode
-.br
-Specifies the permissions for all configuration files that the scheduler
-writes.
-.TP 5
-DataDir path
-.br
-Specified the directory where data files can be found.
-.TP 5
DefaultAuthType Basic
.TP 5
DefaultAuthType BasicDigest
@@ -197,10 +171,6 @@
causes the update to happen as soon as possible, typically within a few
milliseconds.
.TP 5
-DocumentRoot directory
-.br
-Specifies the root directory for the internal web server documents.
-.TP 5
Encryption IfRequested
.TP 5
Encryption Never
@@ -210,28 +180,6 @@
Specifies the level of encryption that is required for a particular
location.
.TP 5
-ErrorLog filename
-.TP 5
-ErrorLog syslog
-.br
-Specifies the error log filename.
-.TP 5
-FatalErrors none
-.TP 5
-FatalErrors all -kind [... -kind]
-.TP 5
-FatalErrors kind [... kind]
-.br
-Specifies which errors are fatal, causing the scheduler to exit. "Kind" is
-"browse", "config", "listen", "log", or "permissions".
-.TP 5
-FileDevice Yes
-.TP 5
-FileDevice No
-.br
-Specifies whether the file pseudo-device can be used for new
-printer queues.
-.TP 5
FilterLimit limit
.br
Specifies the maximum cost of filters that are run concurrently.
@@ -241,15 +189,6 @@
Specifies the scheduling priority ("nice" value) of filters that
are run to print a job.
.TP 5
-FontPath directory[:directory:...]
-.br
-Specifies the search path for fonts.
-.TP 5
-Group group-name-or-number
-.br
-Specifies the group name or ID that will be used when executing
-external programs.
-.TP 5
GSSServiceName name
.br
Specifies the service name when using Kerberos authentication. The default
@@ -341,10 +280,6 @@
Specifies the number of debugging messages that are logged when an error
occurs in a print job.
.TP 5
-LogFilePerm mode
-.br
-Specifies the permissions for all log files that the scheduler writes.
-.TP 5
LogLevel alert
.TP 5
LogLevel crit
@@ -429,12 +364,6 @@
.br
Specifies the order of HTTP access control (allow,deny or deny,allow)
.TP 5
-PageLog filename
-.TP 5
-PageLog syslog
-.br
-Specifies the page log filename.
-.TP 5
PageLogFormat format string
.br
Specifies the format of page log lines.
@@ -464,15 +393,6 @@
Specifies whether or not to preserve the job history after they are
printed.
.TP 5
-Printcap
-.TP 5
-Printcap filename
-.br
-Specifies the filename for a printcap file that is updated
-automatically with a list of available printers (needed for
-legacy applications); specifying Printcap with no filename
-disables printcap generation.
-.TP 5
PrintcapFormat bsd
.TP 5
PrintcapFormat plist
@@ -481,29 +401,11 @@
.br
Specifies the format of the printcap file.
.TP 5
-PrintcapGUI
-.TP 5
-PrintcapGUI gui-program-filename
-.br
-Specifies whether to generate option panel definition files on
-some operating systems. When provided with no program filename,
-disables option panel definition files.
-.TP 5
ReloadTimeout seconds
.br
Specifies the amount of time to wait for job completion before
restarting the scheduler.
.TP 5
-RemoteRoot user-name
-.br
-Specifies the username that is associated with unauthenticated root
-accesses.
-.TP 5
-RequestRoot directory
-.br
-Specifies the directory to store print jobs and other HTTP request
-data.
-.TP 5
Require group group-name-list
.TP 5
Require user user-name-list
@@ -535,27 +437,10 @@
Specifies an alternate name that the server is known by. The special name "*"
allows any name to be used.
.TP 5
-ServerBin directory
-.br
-Specifies the directory where backends, CGIs, daemons, and filters may
-be found.
-.TP 5
-ServerCertificate filename
-.br
-Specifies the encryption certificate to use.
-.TP 5
-ServerKey filename
-.br
-Specifies the encryption key to use.
-.TP 5
ServerName hostname-or-ip-address
.br
Specifies the fully-qualified hostname of the server.
.TP 5
-ServerRoot directory
-.br
-Specifies the directory where the server configuration files can be found.
-.TP 5
ServerTokens Full
.TP 5
ServerTokens Major
@@ -619,29 +504,17 @@
"notify-events", "notify-pull-method", "notify-recipient-uri",
"notify-subscriber-user-name", and "notify-user-data".
.TP 5
-SystemGroup group-name [group-name ...]
-.br
-Specifies the group(s) to use for System class authentication.
-.TP 5
-TempDir directory
-.br
-Specifies the directory where temporary files are stored.
-.TP 5
Timeout seconds
.br
Specifies the HTTP request timeout in seconds.
.TP 5
-User user-name
-.br
-Specifies the user name or ID that is used when running external programs.
-.TP 5
WebInterface yes
.TP 5
WebInterface no
Specifies whether the web interface is enabled.
.SH SEE ALSO
-\fIclasses.conf(5)\fR, \fIcupsd(8)\fR, \fImime.convs(5)\fR,
-\fImime.types(5)\fR, \fIprinters.conf(5)\fR,
+\fIclasses.conf(5)\fR, \fIcups-files.conf(5)\fR, \fIcupsd(8)\fR,
+\fImime.convs(5)\fR, \fImime.types(5)\fR, \fIprinters.conf(5)\fR,
\fIsubscriptions.conf(5)\fR,
.br
http://localhost:631/help

Index: man/cups-files.conf.man.in

--- man/cups-files.conf.man.in (revision 0)
+++ man/cups-files.conf.man.in (revision 0)
@@ -0,0 +1,146 @@
+."
+." "$Id$"
+."
+." cupsd.conf man page for CUPS.
+."
+." Copyright 2007-2012 by Apple Inc.
+." Copyright 1997-2006 by Easy Software Products.
+."
+." These coded instructions, statements, and computer programs are the
+." property of Apple Inc. and are protected by Federal copyright
+." law. Distribution and use rights are outlined in the file "LICENSE.txt"
+." which should have been included with this file. If this file is
+." file is missing or damaged, see the license at "http://www.cups.org/".
+."
+.TH cups-files.conf 5 "CUPS" "19 November 2012" "Apple Inc."
+.SH NAME
+cups-files.conf - file and directory configuration file for cups
+.SH DESCRIPTION
+The \fIcups-file.conf\fR file configures the files and directories used by the
+CUPS scheduler, \fIcupsd(8)\fR. It is normally located in the
+\fI@CUPS_SERVERROOT@\fR directory.
+.LP
+Each line in the file can be a configuration directive, a blank line,
+or a comment. Comment lines start with the # character.
+.SH DIRECTIVES
+The following directives are understood by \fIcupsd(8)\fR. Consult the
+on-line help for detailed descriptions:
+.TP 5
+AccessLog filename
+.TP 5
+AccessLog syslog
+.br
+Defines the access log filename.
+.TP 5
+ConfigFilePerm mode
+.br
+Specifies the permissions for all configuration files that the scheduler
+writes.
+.TP 5
+DataDir path
+.br
+Specified the directory where data files can be found.
+.TP 5
+DocumentRoot directory
+.br
+Specifies the root directory for the internal web server documents.
+.TP 5
+ErrorLog filename
+.TP 5
+ErrorLog syslog
+.br
+Specifies the error log filename.
+.TP 5
+FatalErrors none
+.TP 5
+FatalErrors all -kind [... -kind]
+.TP 5
+FatalErrors kind [... kind]
+.br
+Specifies which errors are fatal, causing the scheduler to exit. "Kind" is
+"browse", "config", "listen", "log", or "permissions".
+.TP 5
+FileDevice Yes
+.TP 5
+FileDevice No
+.br
+Specifies whether the file pseudo-device can be used for new
+printer queues.
+.TP 5
+FontPath directory[:directory:...]
+.br
+Specifies the search path for fonts.
+.TP 5
+Group group-name-or-number
+.br
+Specifies the group name or ID that will be used when executing
+external programs.
+.TP 5
+LogFilePerm mode
+.br
+Specifies the permissions for all log files that the scheduler writes.
+.TP 5
+PageLog filename
+.TP 5
+PageLog syslog
+.br
+Specifies the page log filename.
+.TP 5
+Printcap
+.TP 5
+Printcap filename
+.br
+Specifies the filename for a printcap file that is updated
+automatically with a list of available printers (needed for
+legacy applications); specifying Printcap with no filename
+disables printcap generation.
+.TP 5
+RemoteRoot user-name
+.br
+Specifies the username that is associated with unauthenticated root
+accesses.
+.TP 5
+RequestRoot directory
+.br
+Specifies the directory to store print jobs and other HTTP request
+data.
+.TP 5
+ServerBin directory
+.br
+Specifies the directory where backends, CGIs, daemons, and filters may
+be found.
+.TP 5
+ServerCertificate filename
+.br
+Specifies the encryption certificate to use.
+.TP 5
+ServerKey filename
+.br
+Specifies the encryption key to use.
+.TP 5
+ServerRoot directory
+.br
+Specifies the directory where the server configuration files can be found.
+.TP 5
+SystemGroup group-name [group-name ...]
+.br
+Specifies the group(s) to use for System class authentication.
+.TP 5
+TempDir directory
+.br
+Specifies the directory where temporary files are stored.
+.TP 5
+User user-name
+.br
+Specifies the user name or ID that is used when running external programs.
+.SH SEE ALSO
+\fIclasses.conf(5)\fR, \fIcupsd(8)\fR, \fIcupsd.conf(5)\fR, \fImime.convs(5)\fR,
+\fImime.types(5)\fR, \fIprinters.conf(5)\fR,
+\fIsubscriptions.conf(5)\fR,
+.br
+http://localhost:631/help
+.SH COPYRIGHT
+Copyright 2007-2012 by Apple Inc.
+."
+." End of "$Id$".
+."

Property changes on: man/cups-files.conf.man.in

---

Added: svn:keywords

• Id
  Added: svn:eol-style
• native

Index: man/Makefile

--- man/Makefile (revision 10708)
+++ man/Makefile (working copy)
@@ -39,6 +39,7 @@
ppdpo.$(MAN1EXT)
MAN5 = classes.conf.$(MAN5EXT)
client.conf.$(MAN5EXT) \

•   cups-files.conf.$(MAN5EXT) \
  cups-snmp.conf.$(MAN5EXT) \
  cupsd.conf.$(MAN5EXT) \
  ipptoolfile.$(MAN5EXT) \
  

  Index: test/run-stp-tests.sh

  --- test/run-stp-tests.sh (revision 10708)
  +++ test/run-stp-tests.sh (working copy)
  @@ -390,26 +390,11 @@
  cat >/tmp/cups-$user/cupsd.conf <<EOF
  StrictConformance Yes
  Browsing Off
  -FileDevice yes
  -Printcap
  Listen localhost:$port
  -User $user
  -ServerRoot /tmp/cups-$user
  -StateDir /tmp/cups-$user
  -ServerBin /tmp/cups-$user/bin
  -CacheDir /tmp/cups-$user/share
  -DataDir /tmp/cups-$user/share
  -FontPath /tmp/cups-$user/share/fonts
  PassEnv LOCALEDIR
  PassEnv DYLD_INSERT_LIBRARIES
  -DocumentRoot $root/doc
  -RequestRoot /tmp/cups-$user/spool
  -TempDir /tmp/cups-$user/spool/temp
  MaxSubscriptions 3
  MaxLogSize 0
  -AccessLog /tmp/cups-$user/log/access_log
  -ErrorLog /tmp/cups-$user/log/error_log
  -PageLog /tmp/cups-$user/log/page_log
  AccessLogLevel actions
  LogLevel debug2
  LogTimeFormat usecs
  @@ -422,6 +407,24 @@
  
  EOF

+cat >/tmp/cups-$user/cups-files.conf <<EOF
+FileDevice yes
+Printcap
+User $user
+ServerRoot /tmp/cups-$user
+StateDir /tmp/cups-$user
+ServerBin /tmp/cups-$user/bin
+CacheDir /tmp/cups-$user/share
+DataDir /tmp/cups-$user/share
+FontPath /tmp/cups-$user/share/fonts
+DocumentRoot $root/doc
+RequestRoot /tmp/cups-$user/spool
+TempDir /tmp/cups-$user/spool/temp
+AccessLog /tmp/cups-$user/log/access_log
+ErrorLog /tmp/cups-$user/log/error_log
+PageLog /tmp/cups-$user/log/page_log
+EOF
+

Setup lots of test queues - half with PPD files, half without...

Index: configure.in

--- configure.in (revision 10708)
+++ configure.in (working copy)
@@ -60,6 +60,7 @@
AC_SUBST(UNINSTALL_LANGUAGES)

AC_OUTPUT(Makedefs

• conf/cups-files.conf
  

  conf/cupsd.conf
  conf/mime.convs
  conf/pam.std
  @@ -73,6 +74,7 @@
  man/client.conf.man
  man/cups-deviced.man
  man/cups-driverd.man

• man/cups-files.conf.man
  

  man/cups-lpd.man
  man/cups-snmp.man
  man/cupsaddsmb.man

  Index: CHANGES.txt

  --- CHANGES.txt (revision 10708)
  +++ CHANGES.txt (working copy)
  @@ -1,10 +1,13 @@
  -CHANGES.txt - 1.6.2 - 2012-11-08

  +CHANGES.txt - 1.6.2 - 2012-11-26

  CHANGES IN CUPS V1.6.2

  • Documentation fixes
• • Security: All file, directory, user, and group settings are now stored

• in a separate cups-files.conf configuration file that cannot be set
  

• through the CUPS web interface or APIs (STR #4223)
  

  • The SNMP backend now tries to work around broken printers that use a
    newline to separate key/value pairs.

  • The IPP backend did not send a cancel request to printers when a job
    Index: scheduler/conf.c

    --- scheduler/conf.c (revision 10708)
    +++ scheduler/conf.c (working copy)
    @@ -14,23 +14,25 @@
    *
  • Contents:
    *

• * cupsdAddAlias() - Add a host alias.

• * cupsdAddAlias() - Add a host alias.

  • cupsdCheckPermissions() - Fix the mode and ownership of a file or

• * directory.

• * directory.

  • cupsdDefaultAuthType() - Get the default AuthType.
  • cupsdFreeAliases() - Free all of the alias entries.
  • cupsdReadConfiguration() - Read the cupsd.conf file.

• * get_address() - Get an address + port number from a line.

• * get_address() - Get an address + port number from a line.

  • get_addr_and_mask() - Get an IP address and netmask.

• * mime_error_cb() - Log a MIME error.

• * parse_aaa() - Parse authentication, authorization, and access

• * control lines.

• * mime_error_cb() - Log a MIME error.

• * parse_aaa() - Parse authentication, authorization, and access

• * control lines.

  • parse_fatal_errors() - Parse FatalErrors values in a string.

• * parse_groups() - Parse system group names in a string.

• * parse_protocols() - Parse browse protocols in a string.

• * read_configuration() - Read a configuration file.

• * read_location() - Read a definition.

• * read_policy() - Read a definition.

• * parse_groups() - Parse system group names in a string.

• * parse_protocols() - Parse browse protocols in a string.

• * parse_variable() - Parse a variable line.

• * read_cupsd_conf() - Read the cupsd.conf configuration file.

• * read_cups_files_conf() - Read the cups-files.conf configuration file.

• * read_location() - Read a definition.

• * read_policy() - Read a definition.

  • set_policy_defaults() - Set default policy values as needed.
    */

@@ -83,35 +85,25 @@

• Local globals...
  */

-static int default_auth_type = CUPSD_AUTH_AUTO;

•               /\* Default AuthType, if not specified */
  

  -static const cupsd_var_t variables[] =
  +static const cupsd_var_t cupsd_vars[] =
  {
• { "AccessLog", &AccessLog, CUPSD_VARTYPE_STRING },
  { "AutoPurgeJobs", &JobAutoPurge, CUPSD_VARTYPE_BOOLEAN },
  #if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
  { "BrowseDNSSDSubTypes", &DNSSDSubTypes, CUPSD_VARTYPE_STRING },
  #endif /* HAVE_DNSSD || HAVE_AVAHI */
  { "BrowseWebIF", &BrowseWebIF, CUPSD_VARTYPE_BOOLEAN },
  { "Browsing", &Browsing, CUPSD_VARTYPE_BOOLEAN },
• { "CacheDir", &CacheDir, CUPSD_VARTYPE_STRING },
  { "Classification", &Classification, CUPSD_VARTYPE_STRING },
  { "ClassifyOverride", &ClassifyOverride, CUPSD_VARTYPE_BOOLEAN },
• { "ConfigFilePerm", &ConfigFilePerm, CUPSD_VARTYPE_INTEGER },
• { "DataDir", &DataDir, CUPSD_VARTYPE_STRING },
  { "DefaultLanguage", &DefaultLanguage, CUPSD_VARTYPE_STRING },
  { "DefaultLeaseDuration", &DefaultLeaseDuration, CUPSD_VARTYPE_TIME },
  { "DefaultPaperSize", &DefaultPaperSize, CUPSD_VARTYPE_STRING },
  { "DefaultPolicy", &DefaultPolicy, CUPSD_VARTYPE_STRING },
  { "DefaultShared", &DefaultShared, CUPSD_VARTYPE_BOOLEAN },
  { "DirtyCleanInterval", &DirtyCleanInterval, CUPSD_VARTYPE_TIME },
• { "DocumentRoot", &DocumentRoot, CUPSD_VARTYPE_STRING },
• { "ErrorLog", &ErrorLog, CUPSD_VARTYPE_STRING },
  { "ErrorPolicy", &ErrorPolicy, CUPSD_VARTYPE_STRING },
• { "FileDevice", &FileDevice, CUPSD_VARTYPE_BOOLEAN },
  { "FilterLimit", &FilterLimit, CUPSD_VARTYPE_INTEGER },
  { "FilterNice", &FilterNice, CUPSD_VARTYPE_INTEGER },
• { "FontPath", &FontPath, CUPSD_VARTYPE_STRING },
  #ifdef HAVE_GSSAPI
  { "GSSServiceName", &GSSServiceName, CUPSD_VARTYPE_STRING },
  #endif /* HAVE_GSSAPI */
  @@ -126,8 +118,6 @@
  { "LimitRequestBody", &MaxRequestSize, CUPSD_VARTYPE_INTEGER },
  { "ListenBackLog", &ListenBackLog, CUPSD_VARTYPE_INTEGER },
  { "LogDebugHistory", &LogDebugHistory, CUPSD_VARTYPE_INTEGER },
• { "LogFilePerm", &LogFilePerm, CUPSD_VARTYPE_INTEGER },
• { "LPDConfigFile", &LPDConfigFile, CUPSD_VARTYPE_STRING },
  { "MaxActiveJobs", &MaxActiveJobs, CUPSD_VARTYPE_INTEGER },
  { "MaxClients", &MaxClients, CUPSD_VARTYPE_INTEGER },
  { "MaxClientsPerHost", &MaxClientsPerHost, CUPSD_VARTYPE_INTEGER },
  @@ -146,18 +136,34 @@
  { "MaxSubscriptionsPerPrinter",&MaxSubscriptionsPerPrinter, CUPSD_VARTYPE_INTEGER },
  { "MaxSubscriptionsPerUser", &MaxSubscriptionsPerUser, CUPSD_VARTYPE_INTEGER },
  { "MultipleOperationTimeout", &MultipleOperationTimeout, CUPSD_VARTYPE_TIME },
• { "PageLog", &PageLog, CUPSD_VARTYPE_STRING },
  { "PageLogFormat", &PageLogFormat, CUPSD_VARTYPE_STRING },
  { "PreserveJobFiles", &JobFiles, CUPSD_VARTYPE_TIME },
  { "PreserveJobHistory", &JobHistory, CUPSD_VARTYPE_TIME },
• { "Printcap", &Printcap, CUPSD_VARTYPE_STRING },
• { "PrintcapGUI", &PrintcapGUI, CUPSD_VARTYPE_STRING },
  { "ReloadTimeout", &ReloadTimeout, CUPSD_VARTYPE_TIME },
  { "RemoteRoot", &RemoteRoot, CUPSD_VARTYPE_STRING },
• { "RequestRoot", &RequestRoot, CUPSD_VARTYPE_STRING },
  { "RIPCache", &RIPCache, CUPSD_VARTYPE_STRING },
  { "RootCertDuration", &RootCertDuration, CUPSD_VARTYPE_TIME },
  { "ServerAdmin", &ServerAdmin, CUPSD_VARTYPE_STRING },
• { "ServerName", &ServerName, CUPSD_VARTYPE_STRING },
• { "StrictConformance", &StrictConformance, CUPSD_VARTYPE_BOOLEAN },
• { "Timeout", &Timeout, CUPSD_VARTYPE_TIME },
• { "WebInterface", &WebInterface, CUPSD_VARTYPE_BOOLEAN }
  +};
  +static const cupsd_var_t cupsfiles_vars[] =
  +{
• { "AccessLog", &AccessLog, CUPSD_VARTYPE_STRING },
• { "CacheDir", &CacheDir, CUPSD_VARTYPE_STRING },
• { "ConfigFilePerm", &ConfigFilePerm, CUPSD_VARTYPE_INTEGER },
• { "DataDir", &DataDir, CUPSD_VARTYPE_STRING },
• { "DocumentRoot", &DocumentRoot, CUPSD_VARTYPE_STRING },
• { "ErrorLog", &ErrorLog, CUPSD_VARTYPE_STRING },
• { "FileDevice", &FileDevice, CUPSD_VARTYPE_BOOLEAN },
• { "FontPath", &FontPath, CUPSD_VARTYPE_STRING },
• { "LogFilePerm", &LogFilePerm, CUPSD_VARTYPE_INTEGER },
• { "LPDConfigFile", &LPDConfigFile, CUPSD_VARTYPE_STRING },
• { "PageLog", &PageLog, CUPSD_VARTYPE_STRING },
• { "Printcap", &Printcap, CUPSD_VARTYPE_STRING },
• { "RequestRoot", &RequestRoot, CUPSD_VARTYPE_STRING },
  { "ServerBin", &ServerBin, CUPSD_VARTYPE_PATHNAME },
  #ifdef HAVE_SSL
  { "ServerCertificate", &ServerCertificate, CUPSD_VARTYPE_PATHNAME },
  @@ -165,20 +171,17 @@
  { "ServerKey", &ServerKey, CUPSD_VARTYPE_PATHNAME },

endif /* HAVE_LIBSSL || HAVE_GNUTLS _/

#endif /_ HAVE_SSL */

• { "ServerName", &ServerName, CUPSD_VARTYPE_STRING },
  { "ServerRoot", &ServerRoot, CUPSD_VARTYPE_PATHNAME },
  { "SMBConfigFile", &SMBConfigFile, CUPSD_VARTYPE_STRING },
  { "StateDir", &StateDir, CUPSD_VARTYPE_STRING },
• { "StrictConformance", &StrictConformance, CUPSD_VARTYPE_BOOLEAN },
  #ifdef HAVE_AUTHORIZATION_H
  { "SystemGroupAuthKey", &SystemGroupAuthKey, CUPSD_VARTYPE_STRING },
  #endif /* HAVE_AUTHORIZATION_H */
• { "TempDir", &TempDir, CUPSD_VARTYPE_PATHNAME },
• { "Timeout", &Timeout, CUPSD_VARTYPE_TIME },
• { "WebInterface", &WebInterface, CUPSD_VARTYPE_BOOLEAN }
• { "TempDir", &TempDir, CUPSD_VARTYPE_PATHNAME }
  };
  -#define NUM_VARS (sizeof(variables) / sizeof(variables[0]))

+static int default_auth_type = CUPSD_AUTH_AUTO;

•               /* Default AuthType, if not specified */
  

  static const unsigned ones[4] =
  {
  @@ -203,7 +206,12 @@
  static int parse_fatal_errors(const char *s);
  static int parse_groups(const char *s);
  static int parse_protocols(const char *s);
  -static int read_configuration(cups_file_t *fp);
  +static int parse_variable(const char *filename, int linenum,

•                      const char *line, const char *value,
  

•                      size_t num_vars,
  

•                      const cupsd_var_t *vars);
  

  +static int read_cupsd_conf(cups_file_t *fp);
  +static int read_cups_files_conf(cups_file_t *fp);
  static int read_location(cups_file_t *fp, char *name, int linenum);
  static int read_policy(cups_file_t *fp, char *name, int linenum);
  static void set_policy_defaults(cupsd_policy_t *pol);
  @@ -780,22 +788,48 @@
  cupsdInitEnv();

  /*

• * Read the configuration file...

• • Read the cups-files.conf file...
    */

• if ((fp = cupsFileOpen(CupsFilesFile, "r")) != NULL)

• {

• status = read_cups_files_conf(fp);

• cupsFileClose(fp);

• if (!status)

•  return (0);
  

• }
• else if (errno == ENOENT)
• cupsdLogMessage(CUPSD_LOG_INFO, "No %s, using defaults.", CupsFilesFile);
• else
• {
• cupsdLogMessage(CUPSD_LOG_CRIT, "Unable to open %s: %s", CupsFilesFile,

•                strerror(errno));
  

• return (0);
• }

• if (!ErrorLog)
• cupsdSetString(&ErrorLog, CUPS_LOGDIR "/error_log");

• /*
• * Read the cupsd.conf file...
• */

if ((fp = cupsFileOpen(ConfigurationFile, "r")) == NULL)

• {
• cupsdLogMessage(CUPSD_LOG_CRIT, "Unable to open %s: %s", ConfigurationFile,

•                strerror(errno));
  

  return (0);
• }
• status = read_configuration(fp);
• status = read_cupsd_conf(fp);

cupsFileClose(fp);

if (!status)
return (0);

• if (!ErrorLog)

- cupsdSetString(&ErrorLog, CUPS_LOGDIR "/error_log");

RunUser = getuid();

cupsdLogMessage(CUPSD_LOG_INFO, "Remote access is %s.",
@@ -2550,13 +2584,244 @@

/*

• * 'read_configuration()' - Read a configuration file.

• • 'parse_variable()' - Parse a variable line.
    */

  static int /* O - 1 on success, 0 on failure /
  -read_configuration(cups_file_t *fp) / I - File to read from */
  +parse_variable(

• const char filename, / I - Name of configuration file */

• int linenum, /* I - Line in configuration file */

• const char line, / I - Line from configuration file */

• const char value, / I - Value from configuration file */

• size_t num_vars, /* I - Number of variables */

• const cupsd_var_t vars) / I - Variables */
  {

• int i; /* Looping var */

• size_t i; /* Looping var */

• const cupsd_var_t var; / Variables */

• char temp[1024]; /* Temporary string */

• for (i = num_vars, var = vars; i > 0; i --, var ++)
• if (!_cups_strcasecmp(line, var->name))

•  break;
  
• if (i == 0)
• {
• /*
• * Unknown directive! Output an error message and continue...
• */

• if (!value)

•  cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

• else

•  cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.",
  

•         line, linenum, filename);
  
• return (0);
• }

• switch (var->type)
• {
• case CUPSD_VARTYPE_INTEGER :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing integer value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

•      return (0);
  

• }
• else if (!isdigit(*value & 255))
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Bad integer value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

•      return (0);
  

• }
• else
• {

• int   n;      /\* Number */
  

• char  _units;     /_ Units */
  

• n = strtol(value, &units, 0);
  

• if (units && *units)
  

• {
  

•   if (tolower(units[0] & 255) == 'g')
  

•     n *= 1024 \* 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'm')
  

•     n *= 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'k')
  

•     n *= 1024;
  

•   else if (tolower(units[0] & 255) == 't')
  

•     n *= 262144;
  

•   else
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "Unknown integer value for %s on line %d of %s.",
  

•             line, linenum, filename);
  

•     return (0);
  

•   }
  

• }
  

• if (n < 0)
  

• {
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•           "Bad negative integer value for %s on line %d of "
  

•           "%s.", line, linenum, filename);
  

•   return (0);
  

• }
  

• else
  

• {
  

•   *((int *)var->ptr) = n;
  

• }
  

• }
• break;

• case CUPSD_VARTYPE_TIME :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing time interval value for %s on line %d of "
  

•         "%s.", line, linenum, filename);
  

• return (0);
  

• }
• else if (!_cups_strncasecmp(line, "PreserveJob", 11) &&

•    (!_cups_strcasecmp(value, "true") ||
  

•     !_cups_strcasecmp(value, "on") ||
  

•     !_cups_strcasecmp(value, "enabled") ||
  

•     !_cups_strcasecmp(value, "yes")))
  

• {

• *((int *)var->ptr) = INT_MAX;
  

• }
• else if (!_cups_strcasecmp(value, "false") ||

•    !_cups_strcasecmp(value, "off") ||
  

•    !_cups_strcasecmp(value, "disabled") ||
  

•    !_cups_strcasecmp(value, "no"))
  

• {

• *((int *)var->ptr) = 0;
  

• }
• else if (!isdigit(*value & 255))
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Unknown time interval value for %s on line %d of "
  

•         "%s.", line, linenum, filename);
  

•      return (0);
  

• }
• else
• {

• double    n;      /\* Number */
  

• char      _units;     /_ Units */
  

• n = strtod(value, &units);
  

• if (units && *units)
  

• {
  

•   if (tolower(units[0] & 255) == 'w')
  

•     n *= 7 \* 24 \* 60 \* 60;
  

•   else if (tolower(units[0] & 255) == 'd')
  

•     n *= 24 \* 60 \* 60;
  

•   else if (tolower(units[0] & 255) == 'h')
  

•     n *= 60 \* 60;
  

•   else if (tolower(units[0] & 255) == 'm')
  

•     n *= 60;
  

•   else
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "Unknown time interval value for %s on line "
  

•             "%d of %s.", line, linenum, filename);
  

•     return (0);
  

•   }
  

• }
  

• if (n < 0.0 || n > INT_MAX)
  

• {
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•           "Bad time value for %s on line %d of %s.",
  

•           line, linenum, filename);
  

•   return (0);
  

• }
  

• else
  

• {
  

•   *((int *)var->ptr) = (int)n;
  

• }
  

• }
• break;

• case CUPSD_VARTYPE_BOOLEAN :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing boolean value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

• return (0);
  

• }
• else if (!_cups_strcasecmp(value, "true") ||

•    !_cups_strcasecmp(value, "on") ||
  

•    !_cups_strcasecmp(value, "enabled") ||
  

•    !_cups_strcasecmp(value, "yes") ||
  

•    atoi(value) != 0)
  

• {

• *((int *)var->ptr) = TRUE;
  

• }
• else if (!_cups_strcasecmp(value, "false") ||

•    !_cups_strcasecmp(value, "off") ||
  

•    !_cups_strcasecmp(value, "disabled") ||
  

•    !_cups_strcasecmp(value, "no") ||
  

•    !_cups_strcasecmp(value, "0"))
  

• {

• *((int *)var->ptr) = FALSE;
  

• }
• else
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Unknown boolean value %s on line %d of %s.",
  

•         value, linenum, filename);
  

• return (0);
  

• }
• break;

• case CUPSD_VARTYPE_PATHNAME :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing pathname value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

• return (0);
  

• }

• if (value[0] == '/')

• strlcpy(temp, value, sizeof(temp));
  

• else

• snprintf(temp, sizeof(temp), "%s/%s", ServerRoot, value);
  
• if (access(temp, 0))
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "File or directory for \"%s %s\" on line %d of %s "
  

[michaelrsweet]

•         "does not exist.", line, value, linenum, filename);
  

• return (0);
  

• }

• cupsdSetString((char **)var->ptr, temp);
• break;

• case CUPSD_VARTYPE_STRING :
• cupsdSetString((char **)var->ptr, value);
• break;
• }

• return (1);
  +}

+/*

• * 'read_cupsd_conf()' - Read the cupsd.conf configuration file.
• /
  +
  +static int / O - 1 on success, 0 on failure /
  +read_cupsd_conf(cups_file_t *fp) / I - File to read from /
  +{
  int linenum; / Current line number /
  char line[HTTP_MAX_BUFFER],
  / Line from file /
  @@ -2565,12 +2830,10 @@
  *value, / Pointer to value /
  *valueptr; / Pointer into value /
  int valuelen; / Length of value */
• cupsd_var_t const var; / Current variable /
  http_addrlist_t *addrlist, / Address list /
  *addr; / Current address /
  cups_file_t *incfile; / Include file /
  char incname[1024]; / Include filename */
• struct group group; / Group */

/*
@@ -2602,7 +2865,7 @@
incname, strerror(errno));
else
{

•    read_configuration(incfile);
  

•    read_cupsd_conf(incfile);
  

  cupsFileClose(incfile);
  }
  }
  @@ -2626,8 +2889,6 @@
  if (linenum == 0)
  return (0);
  }

• else if (!_cups_strcasecmp(line, "FatalErrors"))

•  FatalErrors = parse_fatal_errors(value);
  

  else if (!_cups_strcasecmp(line, "FaxRetryInterval") && value)
  {
  JobRetryInterval = atoi(value);
  @@ -2771,10 +3032,10 @@

  BrowseLocalProtocols = protocols;
  }

• else if (!_cups_strcasecmp(line, "default_auth_type") && value)

• else if (!_cups_strcasecmp(line, "DefaultAuthType") && value)
  {
  /*

•  \* default_auth_type {basic,digest,basicdigest,negotiate}
  

•  * DefaultAuthType {basic,digest,basicdigest,negotiate}
  

  */

  if (!_cups_strcasecmp(value, "none"))
  @@ -2823,81 +3084,6 @@
  }
  }
  #endif /* HAVE_SSL */

• else if (!_cups_strcasecmp(line, "User") && value)

• {

• /*
  

•  \* User ID to run as...
  

- */

•  if (isdigit(value[0] & 255))
  

•  {
  

- int uid = atoi(value);

• if (!uid)

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Will not use User 0 as specified on line %d "
  

•         "for security reasons.  You must use a non-"
  

•         "privileged account instead.",
  

•                 linenum);
  

•    else
  

• User = atoi(value);
  

•  }
  

•  else
  

•  {
  

- struct passwd p; / Password information */

•    endpwent();
  

- p = getpwnam(value);

• if (p)
• {

• if (!p->pw_uid)
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Will not use User %s (UID=0) as specified on line "
  

•           "%d for security reasons.  You must use a non-"
  

•           "privileged account instead.",
  

•                   value, linenum);
  

• else
  

•   User = p->pw_uid;
  

• }
• else

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown User \"%s\" on line %d, ignoring.",
  

•                 value, linenum);
  

•  }
  

• }
• else if (!_cups_strcasecmp(line, "Group") && value)
• {

• /*
  

•  \* Group ID to run as...
  

- */

•  if (isdigit(value[0]))
  

•    Group = atoi(value);
  

•  else
  

•  {
  

•    endgrent();
  

- group = getgrnam(value);

• if (group != NULL)

• Group = group->gr_gid;
  

• else

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown Group \"%s\" on line %d, ignoring.",
  

•                 value, linenum);
  

•  }
  

• }
• else if (!_cups_strcasecmp(line, "SystemGroup") && value)
• {

• /*
  

•  \* SystemGroup (admin) group(s)...
  

- */

•  if (!parse_groups(value))
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown SystemGroup \"%s\" on line %d, ignoring.",
  

•               value, linenum);
  

• }
  else if (!_cups_strcasecmp(line, "HostNameLookups") && value)
  {
  /*
  @@ -2976,22 +3162,6 @@
  cupsdLogMessage(CUPSD_LOG_WARN, "Unknown LogTimeFormat %s on line %d.",
  value, linenum);
  }
• else if (!_cups_strcasecmp(line, "PrintcapFormat") && value)
• {

• /*
  

•  \* Format of printcap file?
  

- */

•  if (!_cups_strcasecmp(value, "bsd"))
  

•    PrintcapFormat = PRINTCAP_BSD;
  

•  else if (!_cups_strcasecmp(value, "plist"))
  

•    PrintcapFormat = PRINTCAP_PLIST;
  

•  else if (!_cups_strcasecmp(value, "solaris"))
  

•    PrintcapFormat = PRINTCAP_SOLARIS;
  

•  else
  

• cupsdLogMessage(CUPSD_LOG_WARN, "Unknown PrintcapFormat %s on line %d.",

•               value, linenum);
  

• }
  else if (!_cups_strcasecmp(line, "ServerTokens") && value)
  {
  /*
  @@ -3118,181 +3288,158 @@
  }
  #endif /* HAVE_SSL */
  else

• {

• /*
  

•  \* Find a simple variable in the list...
  

•  */
  

•  parse_variable(ConfigurationFile, linenum, line, value,
  

•                 sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars);
  

• }

•  for (i = NUM_VARS, var = variables; i > 0; i --, var ++)
  

•    if (!_cups_strcasecmp(line, var->name))
  

• break;
  

• return (1);
  +}

•  if (i == 0)
  

•  {
  

•   /*
  

•    \* Unknown directive!  Output an error message and continue...
  

• */

•    if (!value)
  

• cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d.",
  

•                 line, linenum);
  

• else

• cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d.",
  

•                 line, linenum);
  

•    continue;
  

•  }
  

  +/*

• * 'read_cups_files_conf()' - Read the cups-files.conf configuration file.

• */

•  switch (var->type)
  

•  {
  

•    case CUPSD_VARTYPE_INTEGER :
  

•   if (!value)
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing integer value for %s on line %d.",
  

•             line, linenum);
  

•   else if (!isdigit(*value & 255))
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Bad integer value for %s on line %d.",
  

•             line, linenum);
  

•   else
  

•   {
  

•     int   n;      /\* Number */
  

•     char  _units;     /_ Units _/
  

  +static int /_ O - 1 on success, 0 on failure /
  +read_cups_files_conf(cups_file_t *fp) / I - File to read from */
  +{

• int linenum; /* Current line number */

• char line[HTTP_MAX_BUFFER], /* Line from file */

•   _value;         /_ Value from line */
  

• struct group group; / Group */

•          n = strtol(value, &units, 0);
  

•     if (units && *units)
  

•     {
  

•       if (tolower(units[0] & 255) == 'g')
  

•     n *= 1024 \* 1024 \* 1024;
  

•       else if (tolower(units[0] & 255) == 'm')
  

•     n *= 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'k')
  

•     n *= 1024;
  

•   else if (tolower(units[0] & 255) == 't')
  

•     n *= 262144;
  

•   else
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "Unknown integer value for %s on line %d.",
  

•             line, linenum);
  

•     break;
  

•   }
  

•     }
  

• /*

• * Loop through each line in the file...

• */

•          if (n < 0)
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Bad negative integer value for %s on line %d.",
  

•           line, linenum);
  

•     else
  

•   *((int *)var->ptr) = n;
  

•   }
  

•   break;
  

• linenum = 0;

•    case CUPSD_VARTYPE_TIME :
  

•   if (!value)
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing time interval value for %s on line %d.",
  

•             line, linenum);
  

•   else if (!_cups_strncasecmp(line, "PreserveJob", 11) &&
  

•            (!_cups_strcasecmp(value, "true") ||
  

•         !_cups_strcasecmp(value, "on") ||
  

•         !_cups_strcasecmp(value, "enabled") ||
  

•         !_cups_strcasecmp(value, "yes")))
  

•     *((int *)var->ptr) = INT_MAX;
  

•   else if (!_cups_strcasecmp(value, "false") ||
  

•            !_cups_strcasecmp(value, "off") ||
  

•            !_cups_strcasecmp(value, "disabled") ||
  

•            !_cups_strcasecmp(value, "no"))
  

•     *((int *)var->ptr) = 0;
  

•   else if (!isdigit(*value & 255))
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Unknown time interval value for %s on line %d.",
  

•             line, linenum);
  

•   else
  

•   {
  

•     double    n;      /\* Number */
  

•     char  _units;     /_ Units */
  

• while (cupsFileGetConf(fp, line, sizeof(line), &value, &linenum))

• {

• if (!_cups_strcasecmp(line, "FatalErrors"))

•  FatalErrors = parse_fatal_errors(value);
  

• else if (!_cups_strcasecmp(line, "Group") && value)

• {

• /*
  

•  \* Group ID to run as...
  

•  */
  

•          n = strtod(value, &units);
  

•  if (isdigit(value[0]))
  

•    Group = atoi(value);
  

•  else
  

•  {
  

•    endgrent();
  

• group = getgrnam(value);

•     if (units && *units)
  

•     {
  

•       if (tolower(units[0] & 255) == 'w')
  

•     n *= 7 \* 24 \* 60 \* 60;
  

•       else if (tolower(units[0] & 255) == 'd')
  

•     n *= 24 \* 60 \* 60;
  

•   else if (tolower(units[0] & 255) == 'h')
  

•     n *= 60 \* 60;
  

•   else if (tolower(units[0] & 255) == 'm')
  

•     n *= 60;
  

•   else
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "Unknown time interval value for %s on line "
  

•             "%d.", line, linenum);
  

•     break;
  

•   }
  

•     }
  

• if (group != NULL)

• Group = group->gr_gid;
  

• else

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown Group \"%s\" on line %d of %s.", value,
  

•                 linenum, CupsFilesFile);
  

• if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•   return (0);
  

• }

•  }
  

• }

• else if (!_cups_strcasecmp(line, "PrintcapFormat") && value)

• {

• /*
  

•  \* Format of printcap file?
  

•  */
  

•          if (n < 0.0 || n > INT_MAX)
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Bad time value for %s on line %d.",
  

•           line, linenum);
  

•     else
  

•   *((int *)var->ptr) = (int)n;
  

•   }
  

•   break;
  

•  if (!_cups_strcasecmp(value, "bsd"))
  

•    PrintcapFormat = PRINTCAP_BSD;
  

•  else if (!_cups_strcasecmp(value, "plist"))
  

•    PrintcapFormat = PRINTCAP_PLIST;
  

•  else if (!_cups_strcasecmp(value, "solaris"))
  

•    PrintcapFormat = PRINTCAP_SOLARIS;
  

•  else
  

•  {
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown PrintcapFormat \"%s\" on line %d of %s.",
  

•               value, linenum, CupsFilesFile);
  

•    if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•      return (0);
  

•  }
  

• }

• else if (!_cups_strcasecmp(line, "SystemGroup") && value)

• {

• /*
  

•  \* SystemGroup (admin) group(s)...
  

•  */
  

• case CUPSD_VARTYPE_BOOLEAN :

•   if (!value)
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing boolean value for %s on line %d.",
  

•             line, linenum);
  

•        else if (!_cups_strcasecmp(value, "true") ||
  

•            !_cups_strcasecmp(value, "on") ||
  

•        !_cups_strcasecmp(value, "enabled") ||
  

•        !_cups_strcasecmp(value, "yes") ||
  

•        atoi(value) != 0)
  

•          *((int *)var->ptr) = TRUE;
  

•   else if (!_cups_strcasecmp(value, "false") ||
  

•            !_cups_strcasecmp(value, "off") ||
  

•        !_cups_strcasecmp(value, "disabled") ||
  

•        !_cups_strcasecmp(value, "no") ||
  

•        !_cups_strcasecmp(value, "0"))
  

•          *((int *)var->ptr) = FALSE;
  

•   else
  

•          cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Unknown boolean value %s on line %d.",
  

•                     value, linenum);
  

•   break;
  

•  if (!parse_groups(value))
  

•  {
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown SystemGroup \"%s\" on line %d of %s.", value,
  

•               linenum, CupsFilesFile);
  

•    if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•      return (0);
  

•  }
  

• }

• else if (!_cups_strcasecmp(line, "User") && value)

• {

• /*
  

•  \* User ID to run as...
  

•  */
  

• case CUPSD_VARTYPE_PATHNAME :

•        if (!value)
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing pathname value for %s on line %d.",
  

•             line, linenum);
  

•          break;
  

•   }
  

•  if (isdigit(value[0] & 255))
  

•  {
  

•    int uid = atoi(value);
  

•   if (value[0] == '/')
  

•     strlcpy(temp, value, sizeof(temp));
  

•   else
  

•     snprintf(temp, sizeof(temp), "%s/%s", ServerRoot, value);
  

• if (!uid)

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Will not use User 0 as specified on line %d of %s "
  

•         "for security reasons.  You must use a non-"
  

•         "privileged account instead.",
  

•                 linenum, CupsFilesFile);
  

•      if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•        return (0);
  

•    }
  

•    else
  

• User = atoi(value);
  

•  }
  

•  else
  

•  {
  

•    struct passwd *p;  /* Password information */
  

•        if (access(temp, 0))
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "File or directory for \"%s %s\" on line %d "
  

•             "does not exist.", line, value, linenum);
  

•          break;
  

•   }
  

•    endpwent();
  

• p = getpwnam(value);

• case CUPSD_VARTYPE_STRING :

•   cupsdSetString((char **)var->ptr, value);
  

•   break;
  

• if (p)

• {

• if (!p->pw_uid)
  

• {
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Will not use User %s (UID=0) as specified on line "
  

•           "%d of %s for security reasons.  You must use a "
  

•           "non-privileged account instead.",
  

•                   value, linenum, CupsFilesFile);
  

•   if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•     return (0);
  

• }
  

• else
  

•   User = p->pw_uid;
  

• }

• else

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown User \"%s\" on line %d of %s.",
  

•                 value, linenum, CupsFilesFile);
  

•      if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•        return (0);
  

•    }
  

  }
  }

• else if (!parse_variable(CupsFilesFile, linenum, line, value,

•            sizeof(cupsfiles_vars) / sizeof(cupsfiles_vars[0]),
  

•            cupsfiles_vars) &&
  

•    (FatalErrors & CUPSD_FATAL_CONFIG))
  

•  return (0);
  

  }

  return (1);

  Index: scheduler/conf.h

  --- scheduler/conf.h (revision 10708)
  +++ scheduler/conf.h (working copy)
  @@ -96,7 +96,9 @@
  */

  VAR char *ConfigurationFile VALUE(NULL),

•               /\* Configuration file to use */
  

•               /\* cupsd.conf file to use */
  

•       *CupsFilesFile      VALUE(NULL),
  

•               /\* cups-files.conf file to use _/
      *ServerName     VALUE(NULL),
              /_ FQDN for server */
      *ServerAdmin        VALUE(NULL),
  

  Index: scheduler/client.c

  --- scheduler/client.c (revision 10708)
  +++ scheduler/client.c (working copy)
  @@ -32,7 +32,7 @@

  • compare_clients() - Compare two client connections.
  • data_ready() - Check whether data is available from a client.
  • get_file() - Get a filename and state info.

• * install_conf_file() - Install a configuration file.

• • install_cupsd_conf() - Install a configuration file.
  • is_cgi() - Is the resource a CGI script/program?
  • is_path_absolute() - Is a path absolute and free of relative elements

  •           (i.e. "..").
    

    @@ -95,7 +95,7 @@
    static int data_ready(cupsd_client_t *con);
    static char *get_file(cupsd_client_t *con, struct stat *filestats,
    char *filename, int len);
    -static http_status_t install_conf_file(cupsd_client_t *con);
    +static http_status_t install_cupsd_conf(cupsd_client_t *con);
    static int is_cgi(cupsd_client_t *con, const char *filename,
    struct stat *filestats, mime_type_t *type);
    static int is_path_absolute(const char *path);
    @@ -1666,17 +1666,14 @@
    • Validate the resource name...
      */

•        if (strncmp(con->uri, "/admin/conf/", 12) ||
  

•       strchr(con->uri + 12, '/') ||
  

•   strlen(con->uri) == 12)
  

•        if (strcmp(con->uri, "/admin/conf/cupsd.conf"))
  {
   /*
  

•     \* PUT can only be done to configuration files under
  

•     \* /admin/conf...
  

•     * PUT can only be done to the cupsd.conf file...
    */
  
    cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "[Client %d] Request for subdirectory \"%s\".",
  

•             "[Client %d] Disallowed PUT request for \"%s\".",
            con->http.fd, con->uri);
  
    if (!cupsdSendError(con, HTTP_FORBIDDEN, CUPSD_AUTH_NONE))
  

  @@ -2044,7 +2041,7 @@

  • Install the configuration file...
    */

•      status = install_conf_file(con);
  

•      status = install_cupsd_conf(con);
  
    /*
  

  • Return the status to the client...
    @@ -3301,14 +3298,13 @@

  /*

• * 'install_conf_file()' - Install a configuration file.

• • 'install_cupsd_conf()' - Install a configuration file.
    */

  static http_status_t /* O - Status /
  -install_conf_file(cupsd_client_t *con) / I - Connection /
  +install_cupsd_conf(cupsd_client_t *con) / I - Connection /
  {
  char filename[1024]; / Configuration filename */

• mode_t mode; /* Permissions /
  cups_file_t *in, / Input file /
  *out; / Output file /
  char buffer[16384]; / Copy buffer */
  @@ -3330,13 +3326,8 @@

• Open the new config file...
  */

• snprintf(filename, sizeof(filename), "%s%s", ServerRoot, con->uri + 11);

• if (!strcmp(con->uri, "/admin/conf/printers.conf"))

• mode = ConfigFilePerm & 0600;

• else

- mode = ConfigFilePerm;

• if ((out = cupsdCreateConfFile(filename, mode)) == NULL)
• snprintf(filename, sizeof(filename), "%s/cupsd.conf", ServerRoot);
• if ((out = cupsdCreateConfFile(filename, ConfigFilePerm)) == NULL)
  {
  cupsFileClose(in);
  return (HTTP_SERVER_ERROR);
  @@ -3381,14 +3372,10 @@
  cupsdClearString(&con->filename);

/*

• * If the cupsd.conf file was updated, set the NeedReload flag...
• • Set the NeedReload flag...
    */
• if (!strcmp(con->uri, "/admin/conf/cupsd.conf"))
• NeedReload = RELOAD_CUPSD;
• else

- NeedReload = RELOAD_ALL;

• NeedReload = RELOAD_CUPSD;
  ReloadTime = time(NULL);

/*

Index: scheduler/main.c

--- scheduler/main.c (revision 10708)
+++ scheduler/main.c (working copy)
@@ -212,7 +212,6 @@

         char *current;     /* Current directory */

       /*
        * Allocate a buffer for the current working directory to
    * reduce run-time stack usage; this approximates the

@@ -238,6 +237,35 @@
cupsdSetStringf(&ConfigurationFile, "%s/%s", current, argv[i]);
free(current);
}
+

•     if (!CupsFilesFile)
  

•     {
  

•       char    _filename,  /_ Copy of cupsd.conf filename */
  

•       _slash;     /_ Final slash in cupsd.conf filename */
  

•   size_t  len;        /\* Size of buffer */
  

•   len = strlen(ConfigurationFile) + 15;
  

•   if ((filename = malloc(len)) == NULL)
  

•   {
  

•     _cupsLangPrintf(stderr,
  

•                     _("cupsd: Unable to get path to "
  

•                       "cups-files.conf file."));
  

•              return (1);
  

•   }
  

•   strlcpy(filename, ConfigurationFile, len);
  

•   if ((slash = strrchr(filename, '/')) == NULL)
  

•   {
  

•     _cupsLangPrintf(stderr,
  

•                     _("cupsd: Unable to get path to "
  

•                       "cups-files.conf file."));
  

•              return (1);
  

•   }
  

•   strlcpy(slash, "/cups-files.conf", len - (slash - filename));
  

•   cupsdSetString(&CupsFilesFile, filename);
  

•   free(filename);
  

•     }
    break;
  
     case 'f' : /* Run in foreground... */
  

  @@ -276,6 +304,29 @@
  UseProfiles = 0;
  break;

•      case 's' : /* Set cups-files.conf location */
  

•          i ++;
  

•     if (i >= argc)
  

•     {
  

•       _cupsLangPuts(stderr, _("cupsd: Expected cups-files.conf "
  

•                               "filename after \"-s\" option."));
  

•       usage(1);
  

•     }
  

•          if (argv[i][0] != '/')
  

•     {
  

•      /*
  

•       \* Relative filename not allowed...
  

•   */
  

•       _cupsLangPuts(stderr, _("cupsd: Relative cups-files.conf "
  

•                               "filename not allowed."));
  

•       usage(1);
  

•          }
  

•     cupsdSetString(&CupsFilesFile, argv[i]);
  

•     break;
  

  #ifdef APPLE
  case 'S' : /* Disable system management functions */
  fputs("cupsd: -S (disable system management) for internal "

[michaelrsweet]

"str4223p2.patch":

Index: scheduler/conf.c

--- scheduler/conf.c (revision 10710)
+++ scheduler/conf.c (working copy)
@@ -3286,6 +3286,39 @@
"line %d.", value, linenum);
}
#endif /* HAVE_SSL */

• else if (!_cups_strcasecmp(line, "AccessLog") ||

•         !_cups_strcasecmp(line, "CacheDir") ||
  

•         !_cups_strcasecmp(line, "ConfigFilePerm") ||
  

•         !_cups_strcasecmp(line, "DataDir") ||
  

•         !_cups_strcasecmp(line, "DocumentRoot") ||
  

•         !_cups_strcasecmp(line, "ErrorLog") ||
  

•         !_cups_strcasecmp(line, "FatalErrors") ||
  

•         !_cups_strcasecmp(line, "FileDevice") ||
  

•         !_cups_strcasecmp(line, "FontPath") ||
  

•         !_cups_strcasecmp(line, "Group") ||
  

•         !_cups_strcasecmp(line, "LogFilePerm") ||
  

•         !_cups_strcasecmp(line, "LPDConfigFile") ||
  

•         !_cups_strcasecmp(line, "PageLog") ||
  

•         !_cups_strcasecmp(line, "Printcap") ||
  

•         !_cups_strcasecmp(line, "PrintcapFormat") ||
  

•         !_cups_strcasecmp(line, "RequestRoot") ||
  

•         !_cups_strcasecmp(line, "ServerBin") ||
  

•         !_cups_strcasecmp(line, "ServerCertificate") ||
  

•         !_cups_strcasecmp(line, "ServerKey") ||
  

•         !_cups_strcasecmp(line, "ServerRoot") ||
  

•         !_cups_strcasecmp(line, "SMBConfigFile") ||
  

•         !_cups_strcasecmp(line, "StateDir") ||
  

•         !_cups_strcasecmp(line, "SystemGroup") ||
  

•         !_cups_strcasecmp(line, "SystemGroupAuthKey") ||
  

•         !_cups_strcasecmp(line, "TempDir") ||
  

•    !_cups_strcasecmp(line, "User"))
  

• {

•  cupsdLogMessage(CUPSD_LOG_WARN,
  

•         "Please move \"%s%s%s\" on line %d of %s to the %s file; "
  

•         "this will become an error in a future release.",
  

•         line, value ? " " : "", value ? value : "", linenum,
  

•         ConfigurationFile, CupsFilesFile);
  

• }
  else
  parse_variable(ConfigurationFile, linenum, line, value,
  sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars);

[michaelrsweet]

"cups-str4223-set-default.patch":

--- cups-1.5.4/scheduler/main.c 2012-11-27 13:36:54.518147854 +0000
+++ cups-1.5.4/scheduler/main.c 2012-11-28 11:41:13.992801205 +0000
@@ -369,6 +369,9 @@
if (!ConfigurationFile)
cupsdSetString(&ConfigurationFile, CUPS_SERVERROOT "/cupsd.conf");

• if (!CupsFilesFile)
• cupsdSetString(&CupsFilesFile, CUPS_SERVERROOT "/cups-files.conf");

/*

• If the user hasn't specified "-f", run in the background...
  */

[michaelrsweet]

"small-fixes.patch":

diff -Naur cups-1.6.x.ori/conf/cups-files.conf.in cups-1.6.x/conf/cups-files.conf.in
--- cups-1.6.x.ori/conf/cups-files.conf.in 2012-11-28 11:40:24.806996579 -0500
+++ cups-1.6.x/conf/cups-files.conf.in 2012-11-28 15:18:49.679332130 -0500
@@ -39,7 +39,7 @@
#DataDir @CUPS_DATADIR@

Location of the static web content served by the scheduler...

-#DocRoot @CUPS_DOCROOT@
+#DocumentRoot @CUPS_DOCROOT@

Location of the file logging all messages produced by the scheduler and any

helper programs; may be the name "syslog". If not an absolute path, the value

diff -Naur cups-1.6.x.ori/scheduler/conf.c cups-1.6.x/scheduler/conf.c
--- cups-1.6.x.ori/scheduler/conf.c 2012-11-28 11:40:41.774997013 -0500
+++ cups-1.6.x/scheduler/conf.c 2012-11-28 15:19:18.503332868 -0500
@@ -140,7 +140,6 @@
{ "PreserveJobFiles", &JobFiles, CUPSD_VARTYPE_TIME },
{ "PreserveJobHistory", &JobHistory, CUPSD_VARTYPE_TIME },
{ "ReloadTimeout", &ReloadTimeout, CUPSD_VARTYPE_TIME },

• { "RemoteRoot", &RemoteRoot, CUPSD_VARTYPE_STRING },
  { "RIPCache", &RIPCache, CUPSD_VARTYPE_STRING },
  { "RootCertDuration", &RootCertDuration, CUPSD_VARTYPE_TIME },
  { "ServerAdmin", &ServerAdmin, CUPSD_VARTYPE_STRING },
  @@ -163,6 +162,7 @@
  { "LPDConfigFile", &LPDConfigFile, CUPSD_VARTYPE_STRING },
  { "PageLog", &PageLog, CUPSD_VARTYPE_STRING },
  { "Printcap", &Printcap, CUPSD_VARTYPE_STRING },
• { "RemoteRoot", &RemoteRoot, CUPSD_VARTYPE_STRING },
  { "RequestRoot", &RequestRoot, CUPSD_VARTYPE_STRING },
  { "ServerBin", &ServerBin, CUPSD_VARTYPE_PATHNAME },
  #ifdef HAVE_SSL
  @@ -3302,6 +3302,7 @@
  !_cups_strcasecmp(line, "PageLog") ||
  !_cups_strcasecmp(line, "Printcap") ||
  !_cups_strcasecmp(line, "PrintcapFormat") ||

•         !_cups_strcasecmp(line, "RemoteRoot") ||
        !_cups_strcasecmp(line, "RequestRoot") ||
        !_cups_strcasecmp(line, "ServerBin") ||
        !_cups_strcasecmp(line, "ServerCertificate") ||
  

[michaelrsweet]

"defaultauthtype.patch":

diff -Naur cups-1.6.x.ori/scheduler/conf.c cups-1.6.x/scheduler/conf.c
--- cups-1.6.x.ori/scheduler/conf.c 2012-11-28 11:40:41.774997013 -0500
+++ cups-1.6.x/scheduler/conf.c 2012-11-29 07:46:39.864849742 -0500
@@ -705,7 +705,7 @@
AccessLogLevel = CUPSD_ACCESSLOG_ACTIONS;
ConfigFilePerm = CUPS_DEFAULT_CONFIG_FILE_PERM;
FatalErrors = parse_fatal_errors(CUPS_DEFAULT_FATAL_ERRORS);

• default_auth_type = CUPSD_AUTH_BASIC;

• default_auth_type = CUPSD_AUTH_BASIC;
  #ifdef HAVE_SSL
  DefaultEncryption = HTTP_ENCRYPT_REQUIRED;
  SSLOptions = CUPSD_SSL_NONE;
  @@ -3032,35 +3032,6 @@

  BrowseLocalProtocols = protocols;
  }

• else if (!_cups_strcasecmp(line, "DefaultAuthType") && value)

• {

• /*
  

•  \* DefaultAuthType {basic,digest,basicdigest,negotiate}
  

- */

•  if (!_cups_strcasecmp(value, "none"))
  

• default_auth_type = CUPSD_AUTH_NONE;

•  else if (!_cups_strcasecmp(value, "basic"))
  

• default_auth_type = CUPSD_AUTH_BASIC;

•  else if (!_cups_strcasecmp(value, "digest"))
  

• default_auth_type = CUPSD_AUTH_DIGEST;

•  else if (!_cups_strcasecmp(value, "basicdigest"))
  

• default_auth_type = CUPSD_AUTH_BASICDIGEST;
  -#ifdef HAVE_GSSAPI

•  else if (!_cups_strcasecmp(value, "negotiate"))
  

•    default_auth_type = CUPSD_AUTH_NEGOTIATE;
  

  -#endif /* HAVE_GSSAPI */

•  else if (!_cups_strcasecmp(value, "auto"))
  

•    default_auth_type = CUPSD_AUTH_AUTO;
  

•  else
  

•  {
  

• cupsdLogMessage(CUPSD_LOG_WARN,

•               "Unknown default authorization type %s on line %d.",
  

•               value, linenum);
  

• if (FatalErrors & CUPSD_FATAL_CONFIG)

• return (0);
  

•  }
  

• }
  #ifdef HAVE_SSL
  else if (!_cups_strcasecmp(line, "DefaultEncryption"))
  {
  @@ -3291,6 +3262,7 @@
  !_cups_strcasecmp(line, "CacheDir") ||
  !_cups_strcasecmp(line, "ConfigFilePerm") ||
  !_cups_strcasecmp(line, "DataDir") ||

•         !_cups_strcasecmp(line, "DefaultAuthType") ||
        !_cups_strcasecmp(line, "DocumentRoot") ||
        !_cups_strcasecmp(line, "ErrorLog") ||
        !_cups_strcasecmp(line, "FatalErrors") ||
  

  @@ -3468,6 +3440,35 @@
  }
  }
  }
• else if (!_cups_strcasecmp(line, "DefaultAuthType") && value)
• {

• /*
  

•  \* DefaultAuthType {basic,digest,basicdigest,negotiate}
  

•  */
  

•  if (!_cups_strcasecmp(value, "none"))
  

• default_auth_type = CUPSD_AUTH_NONE;

•  else if (!_cups_strcasecmp(value, "basic"))
  

• default_auth_type = CUPSD_AUTH_BASIC;

•  else if (!_cups_strcasecmp(value, "digest"))
  

• default_auth_type = CUPSD_AUTH_DIGEST;

•  else if (!_cups_strcasecmp(value, "basicdigest"))
  

• default_auth_type = CUPSD_AUTH_BASICDIGEST;
  +#ifdef HAVE_GSSAPI

•  else if (!_cups_strcasecmp(value, "negotiate"))
  

•    default_auth_type = CUPSD_AUTH_NEGOTIATE;
  

  +#endif /* HAVE_GSSAPI */

•  else if (!_cups_strcasecmp(value, "auto"))
  

•    default_auth_type = CUPSD_AUTH_AUTO;
  

•  else
  

•  {
  

• cupsdLogMessage(CUPSD_LOG_WARN,

•               "Unknown default authorization type %s on line %d.",
  

•               value, linenum);
  

• if (FatalErrors & CUPSD_FATAL_CONFIG)

• return (0);
  

•  }
  

• }
  else if (!parse_variable(CupsFilesFile, linenum, line, value,
  sizeof(cupsfiles_vars) / sizeof(cupsfiles_vars[0]),
  cupsfiles_vars) &&

[michaelrsweet]

"split-configuration-files-STR4223.patch":

Description: Move file, directory, user, and group configuration to a
separate file. Also warn about directives that have moved and set
default cups-files.conf.

Author: Michael Sweet msweet@apple.com
Origin: http://svn.cups.org/public/cups/branches/branch-1.6@10710
Origin: http://svn.cups.org/public/cups/branches/branch-1.6@10713

Author: Marc Deslauriers marc.deslauriers@canonical.com
Origin: https://www.cups.org/strfiles/4223/small-fixes.patch

Bug-Upstream: https://www.cups.org/strfiles/4223/small-fixes.patch
Bug-Debian: http://bugs.debian.org/692791
Bug-CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5519

--- a/conf/Makefile
+++ b/conf/Makefile
@@ -19,7 +19,7 @@

Config files...

-KEEP = cupsd.conf snmp.conf
+KEEP = cups-files.conf cupsd.conf snmp.conf
REPLACE = mime.convs mime.types

--- /dev/null
+++ b/conf/cups-files.conf.in
@@ -0,0 +1,98 @@
+#
+# "$Id$"
+#
+# Sample file/directory/user/group configuration file for the CUPS scheduler.
+# See "man cups-files.conf" for a complete description of this file.
+#
+
+# List of events that are considered fatal errors for the scheduler...
+#FatalErrors @CUPS_FATAL_ERRORS@
+
+# Default user and group for filters/backends/helper programs; this cannot be
+# any user or group that resolves to ID 0 for security reasons...
+#User @CUPS_USER@
+#Group @CUPS_GROUP@
+
+# Administrator user group, used to match @System in cupsd.conf policy rules...
+SystemGroup @CUPS_SYSTEM_GROUPS@
+@CUPS_SYSTEM_AUTHKEY@
+
+# User that is substituted for unauthenticated (remote) root accesses...
+#RemoteRoot remroot
+
+# Do we allow file: device URIs other than to /dev/null?
+#FileDevice No
+
+# Permissions for configuration and log files...
+#ConfigFilePerm @CUPS_CONFIG_FILE_PERM@
+#LogFilePerm @CUPS_LOG_FILE_PERM@
+
+# Location of the file logging all access to the scheduler; may be the name
+# "syslog". If not an absolute path, the value of ServerRoot is used as the
+# root directory. Also see the "AccessLogLevel" directive in cupsd.conf.
+AccessLog @CUPS_LOGDIR@/access_log
+
+# Location of cache files used by the scheduler...
+#CacheDir @CUPS_CACHEDIR@
+
+# Location of data files used by the scheduler...
+#DataDir @CUPS_DATADIR@
+
+# Location of the static web content served by the scheduler...
+#DocumentRoot @CUPS_DOCROOT@
+
+# Location of the file logging all messages produced by the scheduler and any
+# helper programs; may be the name "syslog". If not an absolute path, the value
+# of ServerRoot is used as the root directory. Also see the "LogLevel"
+# directive in cupsd.conf.
+ErrorLog @CUPS_LOGDIR@/error_log
+
+# Location of fonts used by older print filters...
+#FontPath @CUPS_FONTPATH@
+
+# Location of LPD configuration
+#LPDConfigFile @CUPS_DEFAULT_LPD_CONFIG_FILE@
+
+# Location of the file logging all pages printed by the scheduler and any
+# helper programs; may be the name "syslog". If not an absolute path, the value
+# of ServerRoot is used as the root directory. Also see the "PageLogFormat"
+# directive in cupsd.conf.
+PageLog @CUPS_LOGDIR@/page_log
+
+# Location of the file listing all of the local printers...
+#Printcap @CUPS_DEFAULT_PRINTCAP@
+
+# Format of the Printcap file...
+#PrintcapFormat bsd
+#PrintcapFormat plist
+#PrintcapFormat solaris
+
+# Location of all spool files...
+#RequestRoot @CUPS_REQUESTS@
+
+# Location of helper programs...
+#ServerBin @CUPS_SERVERBIN@
+
+# SSL/TLS certificate for the scheduler...
+#ServerCertificate @CUPS_SERVERCERT@
+
+# SSL/TLS private key for the scheduler...
+#ServerKey @CUPS_SERVERKEY@
+
+# Location of other configuration files...
+#ServerRoot @CUPS_SERVERROOT@
+
+# Location of Samba configuration file...
+#SMBConfigFile @CUPS_DEFAULT_SMB_CONFIG_FILE@
+
+# Location of scheduler state files...
+#StateDir @CUPS_STATEDIR@
+
+# Location of scheduler/helper temporary files. This directory is emptied on
+# scheduler startup and cannot be one of the standard (public) temporary
+# directory locations for security reasons...
+#TempDir @CUPS_REQUESTS@/tmp
+
+#
+# End of "$Id$".
+#
--- a/conf/cupsd.conf.in
+++ b/conf/cupsd.conf.in
@@ -9,10 +9,6 @@

for troubleshooting...

LogLevel @CUPS_LOG_LEVEL@

-# Administrator user group...
-SystemGroup @CUPS_SYSTEM_GROUPS@

-@CUPS_SYSTEM_AUTHKEY@

Only listen for connections from the local machine.

Listen localhost:@DEFAULT_IPP_PORT@
@CUPS_LISTEN_DOMAINSOCKET@
--- a/config-scripts/cups-defaults.m4
+++ b/config-scripts/cups-defaults.m4
@@ -367,6 +367,7 @@
fi

AC_DEFINE_UNQUOTED(CUPS_DEFAULT_LPD_CONFIG_FILE, "$CUPS_DEFAULT_LPD_CONFIG_FILE")
+AC_SUBST(CUPS_DEFAULT_LPD_CONFIG_FILE)

dnl Default SMB config file...
AC_ARG_WITH(smbconfigfile, [ --with-smbconfigfile set default SMBConfigFile URI],
@@ -388,6 +389,7 @@
fi

AC_DEFINE_UNQUOTED(CUPS_DEFAULT_SMB_CONFIG_FILE, "$CUPS_DEFAULT_SMB_CONFIG_FILE")
+AC_SUBST(CUPS_DEFAULT_SMB_CONFIG_FILE)

dnl Default MaxCopies value...
AC_ARG_WITH(max-copies, [ --with-max-copies set default max copies value, default=9999 ],
--- a/config-scripts/cups-ssl.m4
+++ b/config-scripts/cups-ssl.m4
@@ -27,6 +27,8 @@
SSLFLAGS=""
SSLLIBS=""
have_ssl=0
+CUPS_SERVERCERT=""
+CUPS_SERVERKEY=""

if test x$enable_ssl != xno; then
dnl Look for CDSA...
@@ -36,6 +38,7 @@
have_ssl=1
AC_DEFINE(HAVE_SSL)
AC_DEFINE(HAVE_CDSASSL)

•   CUPS_SERVERCERT="/Library/Keychains/System.keychain"
  
  dnl Check for the various security headers...
  AC_CHECK_HEADER(Security/SecureTransportPriv.h,
  

  @@ -112,6 +115,9 @@
  fi

  if test $have_ssl = 1; then

•   CUPS_SERVERCERT="ssl/server.crt"
  

•   CUPS_SERVERKEY="ssl/server.key"
  

  •    if $PKGCONFIG --exists gcrypt; then
      SSLLIBS="$SSLLIBS `$PKGCONFIG --libs gcrypt`"
      SSLFLAGS="$SSLFLAGS `$PKGCONFIG --cflags gcrypt`"
    

  @@ -149,6 +155,9 @@
  $libcrypto)

  if test "x${SSLLIBS}" != "x"; then
  

•       CUPS_SERVERCERT="ssl/server.crt"
  

•       CUPS_SERVERKEY="ssl/server.key"
  

  •   LIBS="$SAVELIBS $SSLLIBS"
      AC_CHECK_FUNC(SSL_set_tlsext_host_name,
      AC_DEFINE(HAVE_SSL_SET_TLSEXT_HOST_NAME))
    

  @@ -169,6 +178,8 @@
  AC_MSG_ERROR([Unable to enable SSL support.])
  fi

+AC_SUBST(CUPS_SERVERCERT)
+AC_SUBST(CUPS_SERVERKEY)
AC_SUBST(IPPALIASES)
AC_SUBST(SSLFLAGS)
AC_SUBST(SSLLIBS)
--- a/configure.in
+++ b/configure.in
@@ -65,6 +65,7 @@
AC_SUBST(UNINSTALL_LANGUAGES)

AC_OUTPUT(Makedefs

• conf/cups-files.conf
  

  conf/cupsd.conf
  conf/mime.convs
  conf/pam.std
  @@ -78,6 +79,7 @@
  man/client.conf.man
  man/cups-deviced.man
  man/cups-driverd.man

• man/cups-files.conf.man
  

  man/cups-lpd.man
  man/cupsaddsmb.man
  man/cupsd.conf.man
  --- a/doc/Makefile
  +++ b/doc/Makefile
  @@ -3,7 +3,7 @@

  Documentation makefile for CUPS.

  -# Copyright 2007-2011 by Apple Inc.
  +# Copyright 2007-2012 by Apple Inc.

  Copyright 1997-2007 by Easy Software Products.

  These coded instructions, statements, and computer programs are the

  --- /dev/null
  +++ b/doc/help/ref-cups-files-conf.html.in
  @@ -0,0 +1,531 @@
  +
  +
  +
• <TITLE>cups-files.conf</TITLE>

+
+
+
+

cups-files.conf

+
+

The /etc/cups/cups-files.conf file contains configuration directives that control the files, directories. users. and groups that are used by the CUPS scheduler, cupsd(8). Each directive is listed on a line by itself followed by its value. Comments are introduced using the number sign ("#") character at the beginning of a line.

+
+

AccessLog

+
+

Examples

+
+

+AccessLog /var/log/cups/access_log

+AccessLog /var/log/cups/access_log-%s

+AccessLog syslog

+

+
+

Description

+
+

The AccessLog directive sets the name of the
+access log file. If the filename is not absolute then it is
+assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+access log file is stored in "common log format" and can be used
+by any web access reporting tool to generate a report on CUPS
+server activity.

+
+

The server name can be included in the filename by using
+%s in the name.

+
+

The special name "syslog" can be used to send the access
+information to the system log instead of a plain file.

+
+

The default access log file is
+@CUPS_LOGDIR@/access_log.

+
+
+

CUPS 1.1.15ConfigFilePerm

+
+

Examples

+
+

+ConfigFilePerm 0644

+ConfigFilePerm 0640

+

+
+

Description

+
+

The ConfigFilePerm directive specifies the permissions to use when the scheduler writes configuration and cache files, typically in response to IPP or HTTP requests. The default is @CUPS_CONFIG_FILE_PERM@.

+
+

Note:
+
+

The permissions for the printers.conf file are always masked to only allow access from the scheduler user (typically root). This is done because printer device URIs sometimes contain sensitive authentication information that should not be generally known on the system. There is no way to disable this security feature.

+
+

+
+
+

DataDir

+
+

Examples

+
+

+DataDir /usr/share/cups

+

+
+

Description

+
+

The DataDir directive sets the directory to use
+for data files.

+
+
+

CUPS 1.2/OS X 10.5DefaultAuthType

+
+

Examples

+
+

+DefaultAuthType Basic

+DefaultAuthType BasicDigest

+DefaultAuthType Digest

+DefaultAuthType Negotiate

+

+
+

Description

+
+

The DefaultAuthType directive specifies the type
+of authentication to use for IPP operations that require a
+username. The default is Basic.

+
+
+

DocumentRoot

+
+

Examples

+
+

+DocumentRoot /usr/share/doc/cups

+DocumentRoot /foo/bar/doc/cups

+

+
+

Description

+
+

The DocumentRoot directive specifies the location
+of web content for the HTTP server in CUPS. If an absolute path
+is not specified then it is assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default directory is @CUPS_DOCROOT@.

+
+

Documents are first looked up in a sub-directory for the
+primary language requested by the client (e.g.
+@CUPS_DOCROOT@/fr/...) and then directly under
+the DocumentRoot directory (e.g.
+@CUPS_DOCROOT@/...), so it is possible to
+localize the web content by providing subdirectories for each
+language needed.

+
+
+

ErrorLog

+
+

Examples

+
+

+ErrorLog /var/log/cups/error_log

+ErrorLog /var/log/cups/error_log-%s

+ErrorLog syslog

+

+
+

Description

+
+

The ErrorLog directive sets the name of the error
+log file. If the filename is not absolute then it is assumed to
+be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default error log file is @CUPS_LOGDIR@/error_log.

+
+

The server name can be included in the filename by using
+%s in the name.

+
+

The special name "syslog" can be used to send the error
+information to the system log instead of a plain file.

+
+
+

CUPS 1.4/OS X 10.6FatalErrors

+
+

Examples

+
+

+FatalErrors none

+FatalErrors all

+FatalErrors browse

+FatalErrors config

+FatalErrors listen

+FatalErrors log

+FatalErrors permissions

+FatalErrors all -permissions

+FatalErrors config permissions log

+

+
+

Description

+
+

The FatalErrors directive determines whether certain kinds of
+errors are fatal. The following kinds of errors are currently recognized:

+
+

+
• none - No errors are fatal
• all - All of the errors below are fatal
• browse - Browsing initialization errors are fatal,
• for example failed binding to the CUPS browse port or failed connections
• to LDAP servers
• config - Configuration file syntax errors are
• fatal
• listen - Listen or Port errors are fatal, except for
• IPv6 failures on the loopback or "any" addresses
• log - Log file creation or write errors are fatal
• permissions - Bad startup file permissions are
• fatal, for example shared SSL certificate and key files with world-
• read permissions

+

+
+

Multiple errors can be listed, and the form "-kind" can be used with
+all to remove specific kinds of errors. The default setting is
+@CUPS_FATAL_ERRORS@.

+
+
+

CUPS 1.1.18FileDevice

+
+

Examples

+
+

+FileDevice Yes

+FileDevice No

+

+
+

Description

+
+

The FileDevice directive determines whether the
+scheduler allows new printers to be added using device URIs of
+the form file:/filename. File devices are most often
+used to test new printer drivers and do not support raw file
+printing.

+
+

The default setting is No.

+
+

Note:
+
+

File devices are managed by the scheduler. Since the
+scheduler normally runs as the root user, file devices
+can be used to overwrite system files and potentially
+gain unauthorized access to the system. If you must
+create printers using file devices, we recommend that
+you set the FileDevice directive to
+Yes for only as long as you need to add the
+printers to the system, and then reset the directive to
+No.

+
+

+
+
+

CUPS 1.1.3FontPath

+
+

Examples

+
+

+FontPath /foo/bar/fonts

+FontPath /usr/share/cups/fonts:/foo/bar/fonts

+

+
+

Description

+
+

The FontPath directive specifies the font path to
+use when searching for fonts. The default font path is
+/usr/share/cups/fonts.

+
+
+

Group

+
+

Examples

+
+

+Group lp

+Group nobody

+

+
+

Description

+
+

The Group directive specifies the UNIX group that
+filter and CGI programs run as. The default group is
+system-specific but is usually lp or
+nobody.

+
+
+

CUPS 1.1.15LogFilePerm

+
+

Examples

+
+

+LogFilePerm 0644

+LogFilePerm 0600

+

+
+

Description

+
+

The LogFilePerm directive specifies the
+permissions to use when writing log files. The default
+is @CUPS_LOG_FILE_PERM@.

+
+
+

PageLog

+
+

Examples

+
+

+PageLog /var/log/cups/page_log

+PageLog /var/log/cups/page_log-%s

+PageLog syslog

+

+
+

Description

+
+

The PageLog directive sets the name of the page
+log file. If the filename is not absolute then it is assumed to
+be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default page log file is @CUPS_LOGDIR@/page_log.

+
+

The server name can be included in the filename by using
+%s in the name.

+
+

The special name "syslog" can be used to send the page
+information to the system log instead of a plain file.

+
+
+

Printcap

+
+

Examples

+
+

+Printcap

+Printcap /etc/printcap

+Printcap /etc/printers.conf

+Printcap /Library/Preferences/org.cups.printers.plist

+

+
+

Description

+
+

The Printcap directive controls whether or not a
+printcap file is automatically generated and updated with a list
+of available printers. If specified with no value, then no
+printcap file will be generated. The default is to generate a
+file named @CUPS_DEFAULT_PRINTCAP@.

+
+

When a filename is specified (e.g. @CUPS_DEFAULT_PRINTCAP@),
+the printcap file is written whenever a printer is added or
+removed. The printcap file can then be used by applications that
+are hardcoded to look at the printcap file for the available
+printers.

+
+
+

PrintcapFormat

+
+

Examples

+
+

+PrintcapFormat BSD

+PrintcapFormat Solaris

+PrintcapFormat plist

+

+
+

Description

+
+

The PrintcapFormat directive controls the output format of the
+printcap file. The default is to generate the plist format on OS X, the
+Solaris format on Solaris, and the BSD format on other operating systems.

+
+
+

CUPS 1.1.3RemoteRoot

+
+

Examples

+
+

+RemoteRoot remroot

+RemoteRoot root

+

+
+

Description

+
+

The RemoteRoot directive sets the username for
+unauthenticated root requests from remote hosts. The default
+username is remroot. Setting RemoteRoot
+to root effectively disables this security
+mechanism.

+
+
+

RequestRoot

+
+

Examples

+
+

+RequestRoot /var/spool/cups

+RequestRoot /foo/bar/spool/cups

+

+
+

Description

+
+

The RequestRoot directive sets the directory for
+incoming IPP requests and HTML forms. If an absolute path is not
+provided then it is assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default request directory is @CUPS_REQUESTS@.

+
+
+

ServerBin

+
+

Examples

+
+

+ServerBin /usr/lib/cups

+ServerBin /foo/bar/lib/cups

+

+
+

Description

+
+

The ServerBin directive sets the directory for
+server-run executables. If an absolute path is not provided then
+it is assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default executable directory is /usr/lib/cups,
+/usr/lib32/cups, or /usr/libexec/cups
+depending on the operating system.

+
+
+

ServerCertificate

+
+

Examples

+
+

+ServerCertificate /etc/cups/ssl/server.crt

+

+
+

Description

+
+

The ServerCertificate directive specifies the
+location of the SSL certificate file used by the server when
+negotiating encrypted connections. The certificate must not be
+encrypted (password protected) since the scheduler normally runs
+in the background and will be unable to ask for a password.

+
+

The default certificate file is
+/etc/cups/ssl/server.crt.

+
+
+

ServerKey

+
+

Examples

+
+

+ServerKey /etc/cups/ssl/server.key

+

+
+

Description

+
+

The ServerKey directive specifies the location of
+the SSL private key file used by the server when negotiating
+encrypted connections.

+
+

The default key file is
+/etc/cups/ssl/server.crt.

+
+
+

ServerRoot

+
+

Examples

+
+

+ServerRoot /etc/cups

+ServerRoot /foo/bar/cups

+

+
+

Description

+
+

The ServerRoot directive specifies the absolute
+path to the server configuration and state files. It is also used
+to resolve relative paths in the cupsd.conf file. The
+default server directory is /etc/cups.

+
+
+

SystemGroup

+
+

Examples

+
+

+SystemGroup lpadmin

+SystemGroup sys

+SystemGroup system

+SystemGroup root

+SystemGroup root lpadmin

+

+
+

Description

+
+

The SystemGroup directive specifies the system
+administration group for System authentication.
+Multiple groups can be listed, separated with spaces. The default
+group list is @CUPS_SYSTEM_GROUPS@.

+
+
+

TempDir

+
+

Examples

+
+

+TempDir /var/tmp

+TempDir /foo/bar/tmp

+

+
+

Description

+
+

The TempDir directive specifies an absolute path
+for the directory to use for temporary files. The default
+directory is @CUPS_REQUESTS@/tmp.

+
+

Temporary directories must be world-writable and should have
+the "sticky" permission bit enabled so that other users cannot
+delete filter temporary files. The following commands will create
+an appropriate temporary directory called
+/foo/bar/tmp:

+
+

+mkdir /foo/bar/tmp

+chmod a+rwxt /foo/bar/tmp

+

+
+
+

User

+
+

Examples

+
+

+User lp

+User guest

+

+
+

Description

+
+

The User directive specifies the UNIX user that
+filter and CGI programs run as. The default user is
+@CUPS_USER@.

+
+

Note:
+
+

You may not use user root, as that would expose
+the system to unacceptable security risks. The scheduler will
+automatically choose user nobody if you specify a
+user whose ID is 0.

+
+

+
+
+
+
--- a/doc/help/ref-cupsd-conf.html.in
+++ b/doc/help/ref-cupsd-conf.html.in
@@ -191,82 +191,6 @@
HREF="#Limit">Limit section.

-

DeprecatedAuthClass

-

Examples

-

-<Location /path>


...
AuthClass Anonymous
AuthClass User
AuthClass System
AuthClass Group

-</Location>

-

-

Description

-

The AuthClass directive defines what level of
-authentication is required:

-

• Anonymous - No authentication should be

- performed (default)

• User - A valid username and password is

- required

• System - A valid username and password
• is required, and the username must belong to the "sys"
• group; this can be changed using the <A
• HREF="#SystemGroup">SystemGroup

- directive

• Group - A valid username and password is
• required, and the username must belong to the group named
• by the <A
• HREF="#AuthGroupName">AuthGroupName

- directive

-

-

The AuthClass directive must appear inside a <A
-HREF="#Location">Location or <A

-HREF="#Limit">Limit section.

-

This directive is deprecated and will be removed from a
-future release of CUPS. Consider using the more flexible <A

-HREF="#Require">Require directive instead.

-

DeprecatedAuthGroupName

-

Examples

-

-<Location /path>


...
AuthGroupName mygroup
AuthGroupName lp

-</Location>

-

-

Description

-

The AuthGroupName directive sets the group to use

-for Group authentication.

-

The AuthGroupName directive must appear inside a
-Location or <A

-HREF="#Limit">Limit section.

-

This directive is deprecated and will be removed from a
-future release of CUPS. Consider using the more flexible <A

-HREF="#Require">Require directive instead.

AuthType

Examples

@@ -2544,65 +2468,6 @@
files as soon as each job is completed, canceled, or aborted.

-

Printcap

-

Examples

-

-Printcap

-Printcap /etc/printcap

-Printcap /etc/printers.conf

-Printcap /Library/Preferences/org.cups.printers.plist

-

-

Description

-

The Printcap directive controls whether or not a
-printcap file is automatically generated and updated with a list
-of available printers. If specified with no value, then no
-printcap file will be generated. The default is to generate a

-file named @CUPS_DEFAUL_PRINTCAP@.

-

When a filename is specified (e.g. @CUPS_DEFAULT_PRINTCAP@),
-the printcap file is written whenever a printer is added or
-removed. The printcap file can then be used by applications that
-are hardcoded to look at the printcap file for the available

-printers.

-

PrintcapFormat

-

Examples

-

-PrintcapFormat BSD

-PrintcapFormat Solaris

-PrintcapFormat plist

-

-

Description

-

The PrintcapFormat directive controls the output format of the
-printcap file. The default is to generate the plist format on Mac OS X, the

-Solaris format on Solaris, and the BSD format on other operating systems.

-

CUPS 1.1.13PrintcapGUI

-

Examples

-

-PrintGUI /usr/bin/glpoptions

-

-

Description

-

The PrintcapGUI directive sets the program to
-associate with the IRIX printer GUI interface script which is
-used by IRIX applications to display printer-specific options.

-There is no default program.

CUPS 1.1.21ReloadTimeout

Examples

@@ -2619,42 +2484,6 @@ before doing a restart. The default is 30 seconds.

-

CUPS 1.1.3RemoteRoot

-

Examples

-

-RemoteRoot remroot

-RemoteRoot root

-

-

Description

-

The RemoteRoot directive sets the username for
-unauthenticated root requests from remote hosts. The default
-username is remroot. Setting RemoteRoot
-to root effectively disables this security

-mechanism.

-

RequestRoot

-

Examples

-

-RequestRoot /var/spool/cups

-RequestRoot /foo/bar/spool/cups

-

-

Description

-

The RequestRoot directive sets the directory for
-incoming IPP requests and HTML forms. If an absolute path is not
-provided then it is assumed to be relative to the <A
-HREF="#ServerRoot">ServerRoot directory. The

-default request directory is @CUPS_REQUESTS@.

CUPS 1.1.7Require

Examples

@@ -2806,64 +2635,6 @@

-

ServerBin

-

Examples

-

-ServerBin /usr/lib/cups

-ServerBin /foo/bar/lib/cups

-

-

Description

-

The ServerBin directive sets the directory for
-server-run executables. If an absolute path is not provided then
-it is assumed to be relative to the <A
-HREF="#ServerRoot">ServerRoot directory. The
-default executable directory is /usr/lib/cups,
-/usr/lib32/cups, or /usr/libexec/cups

-depending on the operating system.

-

ServerCertificate

-

Examples

-

-ServerCertificate /etc/cups/ssl/server.crt

-

-

Description

-

The ServerCertificate directive specifies the
-location of the SSL certificate file used by the server when
-negotiating encrypted connections. The certificate must not be
-encrypted (password protected) since the scheduler normally runs

-in the background and will be unable to ask for a password.

-

The default certificate file is

-/etc/cups/ssl/server.crt.

-

ServerKey

-

Examples

-

-ServerKey /etc/cups/ssl/server.key

-

-

Description

-

The ServerKey directive specifies the location of
-the SSL private key file used by the server when negotiating

-encrypted connections.

-

The default key file is

-/etc/cups/ssl/server.crt.

ServerName

Examples

@@ -2880,23 +2651,6 @@ hostname.

-

ServerRoot

-

Examples

-

-ServerRoot /etc/cups

-ServerRoot /foo/bar/cups

-

-

Description

-

The ServerRoot directive specifies the absolute
-path to the server configuration and state files. It is also used
-to resolve relative paths in the cupsd.conf file. The

-default server directory is /etc/cups.

CUPS 1.1.21ServerTokens

Examples

@@ -3075,53 +2829,6 @@ HREF="#Policy">Policy section.

-

SystemGroup

-

Examples

-

-SystemGroup lpadmin

-SystemGroup sys

-SystemGroup system

-SystemGroup root

-SystemGroup root lpadmin

-

-

Description

-

The SystemGroup directive specifies the system
-administration group for System authentication.
-Multiple groups can be listed, separated with spaces. The default

-group list is @CUPS_SYSTEM_GROUPS@.

-

TempDir

-

Examples

-

-TempDir /var/tmp

-TempDir /foo/bar/tmp

-

-

Description

-

The TempDir directive specifies an absolute path
-for the directory to use for temporary files. The default

-directory is @CUPS_REQUESTS@/tmp.

-

Temporary directories must be world-writable and should have
-the "sticky" permission bit enabled so that other users cannot
-delete filter temporary files. The following commands will create
-an appropriate temporary directory called

-/foo/bar/tmp:

-

-mkdir /foo/bar/tmp

-chmod a+rwxt /foo/bar/tmp

-

Timeout

Examples

@@ -3138,53 +2845,6 @@ default timeout is 300 seconds.

-

CUPS 1.2/Mac OS X 10.5UseNetworkDefault

-

Examples

-

-UseNetworkDefault yes

-UseNetworkDefault no

-

-

Description

-

The UseNetworkDefault directive controls whether
-the client will use a network/remote printer as a default
-printer. If enabled, the default printer of a server is used as
-the default printer on a client. When multiple servers are
-advertising a default printer, the client's default printer is
-set to the first discovered printer, or to the implicit class for

-the same printer available from multiple servers.

-

The default is @CUPS_USE_NETWORK_DEFAULT@.

-

User

-

Examples

-

-User lp

-User guest

-

-

Description

-

The User directive specifies the UNIX user that
-filter and CGI programs run as. The default user is

-@CUPS_USER@.

-

Note:

-

You may not use user root, as that would expose
-the system to unacceptable security risks. The scheduler will
-automatically choose user nobody if you specify a

-user whose ID is 0.

-

CUPS 1.5WebInterface

Examples

--- a/man/Makefile +++ b/man/Makefile @@ -39,6 +39,7 @@ ppdpo.$(MAN1EXT) MAN5 = classes.conf.$(MAN5EXT) \ client.conf.$(MAN5EXT) \ - cups-files.conf.$(MAN5EXT) \ cups-snmp.conf.$(MAN5EXT) \ cupsd.conf.$(MAN5EXT) \ ipptoolfile.$(MAN5EXT) \ --- /dev/null +++ b/man/cups-files.conf.man.in @@ -0,0 +1,146 @@ +.\" +.\" "$Id$" +.\" +.\" cupsd.conf man page for CUPS. +.\" +.\" Copyright 2007-2012 by Apple Inc. +.\" Copyright 1997-2006 by Easy Software Products. +.\" +.\" These coded instructions, statements, and computer programs are the +.\" property of Apple Inc. and are protected by Federal copyright +.\" law. Distribution and use rights are outlined in the file "LICENSE.txt" +.\" which should have been included with this file. If this file is +.\" file is missing or damaged, see the license at "http://www.cups.org/". +.\" +.TH cups-files.conf 5 "CUPS" "19 November 2012" "Apple Inc." +.SH NAME +cups-files.conf - file and directory configuration file for cups +.SH DESCRIPTION +The \fIcups-file.conf\fR file configures the files and directories used by the +CUPS scheduler, \fIcupsd(8)\fR. It is normally located in the +\fI@CUPS_SERVERROOT@\fR directory. +.LP +Each line in the file can be a configuration directive, a blank line, +or a comment. Comment lines start with the # character. +.SH DIRECTIVES +The following directives are understood by \fIcupsd(8)\fR. Consult the +on-line help for detailed descriptions: +.TP 5 +AccessLog filename +.TP 5 +AccessLog syslog +.br +Defines the access log filename. +.TP 5 +ConfigFilePerm mode +.br +Specifies the permissions for all configuration files that the scheduler +writes. +.TP 5 +DataDir path +.br +Specified the directory where data files can be found. +.TP 5 +DocumentRoot directory +.br +Specifies the root directory for the internal web server documents. +.TP 5 +ErrorLog filename +.TP 5 +ErrorLog syslog +.br +Specifies the error log filename. +.TP 5 +FatalErrors none +.TP 5 +FatalErrors all -kind [... -kind] +.TP 5 +FatalErrors kind [... kind] +.br +Specifies which errors are fatal, causing the scheduler to exit. "Kind" is +"browse", "config", "listen", "log", or "permissions". +.TP 5 +FileDevice Yes +.TP 5 +FileDevice No +.br +Specifies whether the file pseudo-device can be used for new +printer queues. +.TP 5 +FontPath directory[:directory:...] +.br +Specifies the search path for fonts. +.TP 5 +Group group-name-or-number +.br +Specifies the group name or ID that will be used when executing +external programs. +.TP 5 +LogFilePerm mode +.br +Specifies the permissions for all log files that the scheduler writes. +.TP 5 +PageLog filename +.TP 5 +PageLog syslog +.br +Specifies the page log filename. +.TP 5 +Printcap +.TP 5 +Printcap filename +.br +Specifies the filename for a printcap file that is updated +automatically with a list of available printers (needed for +legacy applications); specifying Printcap with no filename +disables printcap generation. +.TP 5 +RemoteRoot user-name +.br +Specifies the username that is associated with unauthenticated root +accesses. +.TP 5 +RequestRoot directory +.br +Specifies the directory to store print jobs and other HTTP request +data. +.TP 5 +ServerBin directory +.br +Specifies the directory where backends, CGIs, daemons, and filters may +be found. +.TP 5 +ServerCertificate filename +.br +Specifies the encryption certificate to use. +.TP 5 +ServerKey filename +.br +Specifies the encryption key to use. +.TP 5 +ServerRoot directory +.br +Specifies the directory where the server configuration files can be found. +.TP 5 +SystemGroup group-name [group-name ...] +.br +Specifies the group(s) to use for System class authentication. +.TP 5 +TempDir directory +.br +Specifies the directory where temporary files are stored. +.TP 5 +User user-name +.br +Specifies the user name or ID that is used when running external programs. +.SH SEE ALSO +\fIclasses.conf(5)\fR, \fIcupsd(8)\fR, \fIcupsd.conf(5)\fR, \fImime.convs(5)\fR, +\fImime.types(5)\fR, \fIprinters.conf(5)\fR, +\fIsubscriptions.conf(5)\fR, +.br +http://localhost:631/help +.SH COPYRIGHT +Copyright 2007-2012 by Apple Inc. +.\" +.\" End of "$Id$". +.\" --- a/man/cupsd.conf.man.in +++ b/man/cupsd.conf.man.in @@ -12,13 +12,16 @@ .\" which should have been included with this file. If this file is .\" file is missing or damaged, see the license at "http://www.cups.org/". .\" -.TH cupsd.conf 5 "CUPS" "18 May 2011" "Apple Inc." +.TH cupsd.conf 5 "CUPS" "19 November 2012" "Apple Inc." .SH NAME cupsd.conf - server configuration file for cups .SH DESCRIPTION The \fIcupsd.conf\fR file configures the CUPS scheduler, \fIcupsd(8)\fR. It -is normally located in the \fI@CUPS_SERVERROOT@\fR directory. -.LP +is normally located in the \fI@CUPS_SERVERROOT@\fR directory. \fBNote:\fR +File, directory, and user configuration directives that used to be allowed in +the \fIcupsd.conf\fR file are now stored in the \fIcups-files.conf(5)\fR instead +in order to prevent certain types of privilege escalation attacks. +LP Each line in the file can be a configuration directive, a blank line, or a comment. Comment lines start with the # character. The configuration directives are intentionally similar to those used by the @@ -27,12 +30,6 @@ The following directives are understood by \fIcupsd(8)\fR. Consult the on-line help for detailed descriptions: .TP 5 -AccessLog filename -.TP 5 -AccessLog syslog -.br -Defines the access log filename. -.TP 5 AccessLogLevel config .TP 5 AccessLogLevel actions @@ -61,20 +58,6 @@ .br Allows access from the named hosts or addresses. .TP 5 -AuthClass User -.TP 5 -AuthClass Group -.TP 5 -AuthClass System -.br -Specifies the authentication class (User, Group, System) - -\fBthis directive is deprecated\fR. -.TP 5 -AuthGroupName group-name -.br -Specifies the authentication group - \fBthis directive is -deprecated\fR. -.TP 5 AuthType None .TP 5 AuthType Basic @@ -220,7 +203,7 @@ .TP 5 Browsing No .br -Specifies whether or not remote printer browsing should be enabled. +Specifies whether or not shared printers should be advertised. .TP 5 Classification banner .br @@ -233,15 +216,6 @@ Specifies whether to allow users to override the classification of individual print jobs. .TP 5 -ConfigFilePerm mode -.br -Specifies the permissions for all configuration files that the scheduler -writes. -.TP 5 -DataDir path -.br -Specified the directory where data files can be found. -.TP 5 DefaultAuthType Basic .TP 5 DefaultAuthType BasicDigest @@ -309,10 +283,6 @@ causes the update to happen as soon as possible, typically within a few milliseconds. .TP 5 -DocumentRoot directory -.br -Specifies the root directory for the internal web server documents. -.TP 5 Encryption IfRequested .TP 5 Encryption Never @@ -322,28 +292,6 @@ Specifies the level of encryption that is required for a particular location. .TP 5 -ErrorLog filename -.TP 5 -ErrorLog syslog -.br -Specifies the error log filename. -.TP 5 -FatalErrors none -.TP 5 -FatalErrors all -kind [... -kind] -.TP 5 -FatalErrors kind [... kind] -.br -Specifies which errors are fatal, causing the scheduler to exit. "Kind" is -"browse", "config", "listen", "log", or "permissions". -.TP 5 -FileDevice Yes -.TP 5 -FileDevice No -.br -Specifies whether the file pseudo-device can be used for new -printer queues. -.TP 5 FilterLimit limit .br Specifies the maximum cost of filters that are run concurrently. @@ -353,15 +301,6 @@ Specifies the scheduling priority ("nice" value) of filters that are run to print a job. .TP 5 -FontPath directory[:directory:...] -.br -Specifies the search path for fonts. -.TP 5 -Group group-name-or-number -.br -Specifies the group name or ID that will be used when executing -external programs. -.TP 5 HideImplicitMembers Yes .TP 5 HideImplicitMembers No @@ -469,10 +408,6 @@ Specifies the number of debugging messages that are logged when an error occurs in a print job. .TP 5 -LogFilePerm mode -.br -Specifies the permissions for all log files that the scheduler writes. -.TP 5 LogLevel alert .TP 5 LogLevel crit @@ -546,12 +481,6 @@ .br Specifies the order of HTTP access control (allow,deny or deny,allow) .TP 5 -PageLog filename -.TP 5 -PageLog syslog -.br -Specifies the page log filename. -.TP 5 PageLogFormat format string .br Specifies the format of page log lines. @@ -581,15 +510,6 @@ Specifies whether or not to preserve the job history after they are printed. .TP 5 -Printcap -.TP 5 -Printcap filename -.br -Specifies the filename for a printcap file that is updated -automatically with a list of available printers (needed for -legacy applications); specifying Printcap with no filename -disables printcap generation. -.TP 5 PrintcapFormat bsd .TP 5 PrintcapFormat plist @@ -598,29 +518,11 @@ .br Specifies the format of the printcap file. .TP 5 -PrintcapGUI -.TP 5 -PrintcapGUI gui-program-filename -.br -Specifies whether to generate option panel definition files on -some operating systems. When provided with no program filename, -disables option panel definition files. -.TP 5 ReloadTimeout seconds .br Specifies the amount of time to wait for job completion before restarting the scheduler. .TP 5 -RemoteRoot user-name -.br -Specifies the username that is associated with unauthenticated root -accesses. -.TP 5 -RequestRoot directory -.br -Specifies the directory to store print jobs and other HTTP request -data. -.TP 5 Require group group-name-list .TP 5 Require user user-name-list @@ -652,27 +554,10 @@ Specifies an alternate name that the server is known by. The special name "*" allows any name to be used. .TP 5 -ServerBin directory -.br -Specifies the directory where backends, CGIs, daemons, and filters may -be found. -.TP 5 -ServerCertificate filename -.br -Specifies the encryption certificate to use. -.TP 5 -ServerKey filename -.br -Specifies the encryption key to use. -.TP 5 ServerName hostname-or-ip-address .br Specifies the fully-qualified hostname of the server. .TP 5 -ServerRoot directory -.br -Specifies the directory where the server configuration files can be found. -.TP 5 ServerTokens Full .TP 5 ServerTokens Major @@ -729,29 +614,17 @@ "notify-events", "notify-pull-method", "notify-recipient-uri", "notify-subscriber-user-name", and "notify-user-data". .TP 5 -SystemGroup group-name [group-name ...] -.br -Specifies the group(s) to use for System class authentication. -.TP 5 -TempDir directory -.br -Specifies the directory where temporary files are stored. -.TP 5 Timeout seconds .br Specifies the HTTP request timeout in seconds. .TP 5 -User user-name -.br -Specifies the user name or ID that is used when running external programs. -.TP 5 WebInterface yes .TP 5 WebInterface no Specifies whether the web interface is enabled. .SH SEE ALSO -\fIclasses.conf(5)\fR, \fIcupsd(8)\fR, \fImime.convs(5)\fR, -\fImime.types(5)\fR, \fIprinters.conf(5)\fR, +\fIclasses.conf(5)\fR, \fIcups-files.conf(5)\fR, \fIcupsd(8)\fR, +\fImime.convs(5)\fR, \fImime.types(5)\fR, \fIprinters.conf(5)\fR, \fIsubscriptions.conf(5)\fR, .br http://localhost:631/help --- a/scheduler/client.c +++ b/scheduler/client.c @@ -35,7 +35,7 @@ - data_ready() - Check whether data is available from a client. - encrypt_client() - Enable encryption for the client... - get_file() - Get a filename and state info. - \* install_conf_file() - Install a configuration file. - - install_cupsd_conf() - Install a configuration file. - is_cgi() - Is the resource a CGI script/program? - is_path_absolute() - Is a path absolute and free of relative elements - (i.e. ".."). @@ -75,7 +75,7 @@ #endif /\* HAVE_SSL */ static char *get_file(cupsd_client_t *con, struct stat *filestats, char *filename, int len); -static http_status_t install_conf_file(cupsd_client_t *con); +static http_status_t install_cupsd_conf(cupsd_client_t *con); static int is_cgi(cupsd_client_t *con, const char *filename, struct stat *filestats, mime_type_t *type); static int is_path_absolute(const char *path); @@ -1685,17 +1685,14 @@ - Validate the resource name... */ - ``` if (strncmp(con->uri, "/admin/conf/", 12) || ``` - strchr(con->uri + 12, '/') || - strlen(con->uri) == 12) - if (strcmp(con->uri, "/admin/conf/cupsd.conf")) { /* - \* PUT can only be done to configuration files under - \* /admin/conf... - ``` * PUT can only be done to the cupsd.conf file... */

cupsdLogMessage(CUPSD_LOG_ERROR,

-                 "Request for subdirectory \"%s\"!", con->uri);
- ```
            "Disallowed PUT request for \"%s\"!", con->uri);

  if (!cupsdSendError(con, HTTP_FORBIDDEN, CUPSD_AUTH_NONE))
  {

@@ -2059,7 +2056,7 @@

• Install the configuration file...
  */

•      status = install_conf_file(con);
  

•      status = install_cupsd_conf(con);
  
    /*
  

  • Return the status to the client...
    @@ -3814,14 +3811,13 @@

  /*

• * 'install_conf_file()' - Install a configuration file.

• • 'install_cupsd_conf()' - Install a configuration file.
    */

  static http_status_t /* O - Status /
  -install_conf_file(cupsd_client_t *con) / I - Connection /
  +install_cupsd_conf(cupsd_client_t *con) / I - Connection /
  {
  char filename[1024]; / Configuration filename */

• mode_t mode; /* Permissions /
  cups_file_t *in, / Input file /
  *out; / Output file /
  char buffer[16384]; / Copy buffer */
  @@ -3843,13 +3839,8 @@

• Open the new config file...
  */

• snprintf(filename, sizeof(filename), "%s%s", ServerRoot, con->uri + 11);

• if (!strcmp(con->uri, "/admin/conf/printers.conf"))

• mode = ConfigFilePerm & 0600;

• else

- mode = ConfigFilePerm;

• if ((out = cupsdCreateConfFile(filename, mode)) == NULL)
• snprintf(filename, sizeof(filename), "%s/cupsd.conf", ServerRoot);
• if ((out = cupsdCreateConfFile(filename, ConfigFilePerm)) == NULL)
  {
  cupsFileClose(in);
  return (HTTP_SERVER_ERROR);
  @@ -3894,14 +3885,10 @@
  cupsdClearString(&con->filename);

/*

• * If the cupsd.conf file was updated, set the NeedReload flag...
• • Set the NeedReload flag...
    */
• if (!strcmp(con->uri, "/admin/conf/cupsd.conf"))
• NeedReload = RELOAD_CUPSD;
• else

- NeedReload = RELOAD_ALL;

• NeedReload = RELOAD_CUPSD;
  ReloadTime = time(NULL);

/*
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -25,11 +25,13 @@

• parse_aaa() - Parse authentication, authorization, and access

•                          control lines.
  

• parse_fatal_errors() - Parse FatalErrors values in a string.
• * parse_groups() - Parse system group names in a string.
• * parse_protocols() - Parse browse protocols in a string.
• * read_configuration() - Read a configuration file.
• * read_location() - Read a definition.
• * read_policy() - Read a definition.
• * parse_groups() - Parse system group names in a string.
• * parse_protocols() - Parse browse protocols in a string.
• * parse_variable() - Parse a variable line.
• * read_cupsd_conf() - Read the cupsd.conf configuration file.
• * read_cups_files_conf() - Read the cups-files.conf configuration file.
• * read_location() - Read a definition.
• * read_policy() - Read a definition.
  • set_policy_defaults() - Set default policy values as needed.
    */

@@ -81,9 +83,8 @@

• Local globals...
  */

-static const cupsd_var_t variables[] =
+static const cupsd_var_t cupsd_vars[] =
{

• { "AccessLog", &AccessLog, CUPSD_VARTYPE_STRING },
  { "AutoPurgeJobs", &JobAutoPurge, CUPSD_VARTYPE_BOOLEAN },
  #ifdef HAVE_DNSSD
  { "BrowseDNSSDRegType", &DNSSDRegType, CUPSD_VARTYPE_STRING },
  @@ -105,24 +106,17 @@
  { "BrowseTimeout", &BrowseTimeout, CUPSD_VARTYPE_INTEGER },
  { "BrowseWebIF", &BrowseWebIF, CUPSD_VARTYPE_BOOLEAN },
  { "Browsing", &Browsing, CUPSD_VARTYPE_BOOLEAN },
• { "CacheDir", &CacheDir, CUPSD_VARTYPE_STRING },
  { "Classification", &Classification, CUPSD_VARTYPE_STRING },
  { "ClassifyOverride", &ClassifyOverride, CUPSD_VARTYPE_BOOLEAN },
• { "ConfigFilePerm", &ConfigFilePerm, CUPSD_VARTYPE_INTEGER },
• { "DataDir", &DataDir, CUPSD_VARTYPE_STRING },
  { "DefaultLanguage", &DefaultLanguage, CUPSD_VARTYPE_STRING },
  { "DefaultLeaseDuration", &DefaultLeaseDuration, CUPSD_VARTYPE_INTEGER },
  { "DefaultPaperSize", &DefaultPaperSize, CUPSD_VARTYPE_STRING },
  { "DefaultPolicy", &DefaultPolicy, CUPSD_VARTYPE_STRING },
  { "DefaultShared", &DefaultShared, CUPSD_VARTYPE_BOOLEAN },
  { "DirtyCleanInterval", &DirtyCleanInterval, CUPSD_VARTYPE_INTEGER },
• { "DocumentRoot", &DocumentRoot, CUPSD_VARTYPE_STRING },
• { "ErrorLog", &ErrorLog, CUPSD_VARTYPE_STRING },
  { "ErrorPolicy", &ErrorPolicy, CUPSD_VARTYPE_STRING },
• { "FileDevice", &FileDevice, CUPSD_VARTYPE_BOOLEAN },
  { "FilterLimit", &FilterLimit, CUPSD_VARTYPE_INTEGER },
  { "FilterNice", &FilterNice, CUPSD_VARTYPE_INTEGER },
• { "FontPath", &FontPath, CUPSD_VARTYPE_STRING },
  { "HideImplicitMembers", &HideImplicitMembers, CUPSD_VARTYPE_BOOLEAN },
  { "ImplicitClasses", &ImplicitClasses, CUPSD_VARTYPE_BOOLEAN },
  { "ImplicitAnyClasses", &ImplicitAnyClasses, CUPSD_VARTYPE_BOOLEAN },
  @@ -137,8 +131,6 @@
  { "LimitRequestBody", &MaxRequestSize, CUPSD_VARTYPE_INTEGER },
  { "ListenBackLog", &ListenBackLog, CUPSD_VARTYPE_INTEGER },
  { "LogDebugHistory", &LogDebugHistory, CUPSD_VARTYPE_INTEGER },
• { "LogFilePerm", &LogFilePerm, CUPSD_VARTYPE_INTEGER },
• { "LPDConfigFile", &LPDConfigFile, CUPSD_VARTYPE_STRING },
  { "MaxActiveJobs", &MaxActiveJobs, CUPSD_VARTYPE_INTEGER },
  { "MaxClients", &MaxClients, CUPSD_VARTYPE_INTEGER },
  { "MaxClientsPerHost", &MaxClientsPerHost, CUPSD_VARTYPE_INTEGER },
  @@ -155,15 +147,10 @@
  { "MaxSubscriptionsPerPrinter",&MaxSubscriptionsPerPrinter, CUPSD_VARTYPE_INTEGER },
  { "MaxSubscriptionsPerUser", &MaxSubscriptionsPerUser, CUPSD_VARTYPE_INTEGER },
  { "MultipleOperationTimeout", &MultipleOperationTimeout, CUPSD_VARTYPE_INTEGER },
• { "PageLog", &PageLog, CUPSD_VARTYPE_STRING },
  { "PageLogFormat", &PageLogFormat, CUPSD_VARTYPE_STRING },
  { "PreserveJobFiles", &JobFiles, CUPSD_VARTYPE_BOOLEAN },
  { "PreserveJobHistory", &JobHistory, CUPSD_VARTYPE_BOOLEAN },
• { "Printcap", &Printcap, CUPSD_VARTYPE_STRING },
• { "PrintcapGUI", &PrintcapGUI, CUPSD_VARTYPE_STRING },
  { "ReloadTimeout", &ReloadTimeout, CUPSD_VARTYPE_INTEGER },
• { "RemoteRoot", &RemoteRoot, CUPSD_VARTYPE_STRING },
• { "RequestRoot", &RequestRoot, CUPSD_VARTYPE_STRING },
  { "RIPCache", &RIPCache, CUPSD_VARTYPE_STRING },
  { "RootCertDuration", &RootCertDuration, CUPSD_VARTYPE_INTEGER },
  { "ServerAdmin", &ServerAdmin, CUPSD_VARTYPE_STRING },
  @@ -181,13 +168,41 @@
  #ifdef HAVE_AUTHORIZATION_H
  { "SystemGroupAuthKey", &SystemGroupAuthKey, CUPSD_VARTYPE_STRING },
  #endif /* HAVE_AUTHORIZATION_H */
• { "TempDir", &TempDir, CUPSD_VARTYPE_PATHNAME },
  { "Timeout", &Timeout, CUPSD_VARTYPE_INTEGER },
  { "UseNetworkDefault", &UseNetworkDefault, CUPSD_VARTYPE_BOOLEAN },
  { "WebInterface", &WebInterface, CUPSD_VARTYPE_BOOLEAN }
  };
  -#define NUM_VARS (sizeof(variables) / sizeof(variables[0]))

+static const cupsd_var_t cupsfiles_vars[] =
+{

• { "AccessLog", &AccessLog, CUPSD_VARTYPE_STRING },
• { "CacheDir", &CacheDir, CUPSD_VARTYPE_STRING },
• { "ConfigFilePerm", &ConfigFilePerm, CUPSD_VARTYPE_INTEGER },
• { "DataDir", &DataDir, CUPSD_VARTYPE_STRING },
• { "DocumentRoot", &DocumentRoot, CUPSD_VARTYPE_STRING },
• { "ErrorLog", &ErrorLog, CUPSD_VARTYPE_STRING },
• { "FileDevice", &FileDevice, CUPSD_VARTYPE_BOOLEAN },
• { "FontPath", &FontPath, CUPSD_VARTYPE_STRING },
• { "LogFilePerm", &LogFilePerm, CUPSD_VARTYPE_INTEGER },
• { "LPDConfigFile", &LPDConfigFile, CUPSD_VARTYPE_STRING },
• { "PageLog", &PageLog, CUPSD_VARTYPE_STRING },
• { "Printcap", &Printcap, CUPSD_VARTYPE_STRING },
• { "RemoteRoot", &RemoteRoot, CUPSD_VARTYPE_STRING },
• { "RequestRoot", &RequestRoot, CUPSD_VARTYPE_STRING },
• { "ServerBin", &ServerBin, CUPSD_VARTYPE_PATHNAME },
  +#ifdef HAVE_SSL
• { "ServerCertificate", &ServerCertificate, CUPSD_VARTYPE_PATHNAME },
  +# if defined(HAVE_LIBSSL) || defined(HAVE_GNUTLS)
• { "ServerKey", &ServerKey, CUPSD_VARTYPE_PATHNAME },
  +# endif /* HAVE_LIBSSL || HAVE_GNUTLS /
  +#endif / HAVE_SSL */
• { "ServerRoot", &ServerRoot, CUPSD_VARTYPE_PATHNAME },
• { "SMBConfigFile", &SMBConfigFile, CUPSD_VARTYPE_STRING },
• { "StateDir", &StateDir, CUPSD_VARTYPE_STRING },
  +#ifdef HAVE_AUTHORIZATION_H
• { "SystemGroupAuthKey", &SystemGroupAuthKey, CUPSD_VARTYPE_STRING },
  +#endif /* HAVE_AUTHORIZATION_H */
• { "TempDir", &TempDir, CUPSD_VARTYPE_PATHNAME },
  +};

static const unsigned ones[4] =
{
@@ -212,7 +227,12 @@
static int parse_fatal_errors(const char *s);
static int parse_groups(const char *s);
static int parse_protocols(const char *s);
-static int read_configuration(cups_file_t *fp);
+static int parse_variable(const char *filename, int linenum,

•                      const char *line, const char *value,
  

•                      size_t num_vars,
  

•                      const cupsd_var_t *vars);
  

  +static int read_cupsd_conf(cups_file_t *fp);
  +static int read_cups_files_conf(cups_file_t *fp);
  static int read_location(cups_file_t *fp, char *name, int linenum);
  static int read_policy(cups_file_t *fp, char *name, int linenum);
  static void set_policy_defaults(cupsd_policy_t *pol);
  @@ -705,22 +725,48 @@
  cupsdInitEnv();

  /*

• * Read the configuration file...

• * Read the cups-files.conf file...

• */

• if ((fp = cupsFileOpen(CupsFilesFile, "r")) != NULL)
• {
• status = read_cups_files_conf(fp);

• cupsFileClose(fp);

• if (!status)

•  return (0);
  

• }
• else if (errno == ENOENT)
• cupsdLogMessage(CUPSD_LOG_INFO, "No %s, using defaults.", CupsFilesFile);
• else
• {
• cupsdLogMessage(CUPSD_LOG_CRIT, "Unable to open %s: %s", CupsFilesFile,

•                strerror(errno));
  

• return (0);
• }

• if (!ErrorLog)
• cupsdSetString(&ErrorLog, CUPS_LOGDIR "/error_log");

• /*

• • Read the cupsd.conf file...
    */

  if ((fp = cupsFileOpen(ConfigurationFile, "r")) == NULL)

• {

• cupsdLogMessage(CUPSD_LOG_CRIT, "Unable to open %s: %s", ConfigurationFile,

•                strerror(errno));
  

  return (0);

• }

• status = read_configuration(fp);

• status = read_cupsd_conf(fp);

cupsFileClose(fp);

if (!status)
return (0);

• if (!ErrorLog)

- cupsdSetString(&ErrorLog, CUPS_LOGDIR "/error_log");

RunUser = getuid();

cupsdLogMessage(CUPSD_LOG_INFO, "Remote access is %s.",
@@ -2504,13 +2550,174 @@

/*

• * 'read_configuration()' - Read a configuration file.

• • 'parse_variable()' - Parse a variable line.
    */

  static int /* O - 1 on success, 0 on failure /
  -read_configuration(cups_file_t *fp) / I - File to read from */
  +parse_variable(

• const char filename, / I - Name of configuration file */

• int linenum, /* I - Line in configuration file */

• const char line, / I - Line from configuration file */

• const char value, / I - Value from configuration file */

• size_t num_vars, /* I - Number of variables */

• const cupsd_var_t vars) / I - Variables */
  +{

• size_t i; /* Looping var */

• const cupsd_var_t var; / Variables */

• char temp[1024]; /* Temporary string */

• for (i = num_vars, var = vars; i > 0; i --, var ++)
• if (!_cups_strcasecmp(line, var->name))

•  break;
  
• if (i == 0)
• {
• /*
• * Unknown directive! Output an error message and continue...
• */

• if (!value)

•  cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

• else

•  cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.",
  

•         line, linenum, filename);
  
• return (0);
• }

• switch (var->type)
• {
• case CUPSD_VARTYPE_INTEGER :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing integer value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

•      return (0);
  

• }
• else if (!isdigit(*value & 255))
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Bad integer value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

•      return (0);
  

• }
• else
• {

• int   n;      /\* Number */
  

• char  _units;     /_ Units */
  

• n = strtol(value, &units, 0);
  

• if (units && *units)
  

• {
  

•   if (tolower(units[0] & 255) == 'g')
  

•     n *= 1024 \* 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'm')
  

•     n *= 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'k')
  

•     n *= 1024;
  

•   else if (tolower(units[0] & 255) == 't')
  

•     n *= 262144;
  

•   else
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "Unknown integer value for %s on line %d of %s.",
  

•             line, linenum, filename);
  

•     return (0);
  

•   }
  

• }
  

• if (n < 0)
  

• {
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•           "Bad negative integer value for %s on line %d of "
  

•           "%s.", line, linenum, filename);
  

•   return (0);
  

• }
  

• else
  

• {
  

•   *((int *)var->ptr) = n;
  

• }
  

• }
• break;

• case CUPSD_VARTYPE_BOOLEAN :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing boolean value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

• return (0);
  

• }
• else if (!_cups_strcasecmp(value, "true") ||

•    !_cups_strcasecmp(value, "on") ||
  

•    !_cups_strcasecmp(value, "enabled") ||
  

•    !_cups_strcasecmp(value, "yes") ||
  

•    atoi(value) != 0)
  

• {

• *((int *)var->ptr) = TRUE;
  

• }
• else if (!_cups_strcasecmp(value, "false") ||

•    !_cups_strcasecmp(value, "off") ||
  

•    !_cups_strcasecmp(value, "disabled") ||
  

•    !_cups_strcasecmp(value, "no") ||
  

•    !_cups_strcasecmp(value, "0"))
  

• {

• *((int *)var->ptr) = FALSE;
  

• }
• else
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Unknown boolean value %s on line %d of %s.",
  

•         value, linenum, filename);
  

• return (0);
  

• }
• break;

• case CUPSD_VARTYPE_PATHNAME :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing pathname value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

• return (0);
  

• }

• if (value[0] == '/')

• strlcpy(temp, value, sizeof(temp));
  

• else

• snprintf(temp, sizeof(temp), "%s/%s", ServerRoot, value);
  
• if (access(temp, 0))
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "File or directory for \"%s %s\" on line %d of %s "
  

•         "does not exist.", line, value, linenum, filename);
  

• return (0);
  

• }

• cupsdSetString((char **)var->ptr, temp);
• break;

• case CUPSD_VARTYPE_STRING :
• cupsdSetString((char **)var->ptr, value);
• break;
• }

• return (1);
  +}

+/*

• * 'read_cupsd_conf()' - Read the cupsd.conf configuration file.
• /
  +
  +static int / O - 1 on success, 0 on failure /
  +read_cupsd_conf(cups_file_t *fp) / I - File to read from */
  {
• int i; /* Looping var /
  int linenum; / Current line number /
  char line[HTTP_MAX_BUFFER],
  / Line from file /
  @@ -2520,7 +2727,6 @@
  *value, / Pointer to value /
  *valueptr; / Pointer into value /
  int valuelen; / Length of value */
• cupsd_var_t const var; / Current variable /
  http_addrlist_t *addrlist, / Address list /
  *addr; / Current address /
  unsigned ip[4], / Address value /
  @@ -2530,7 +2736,6 @@
  cupsd_location_t *location; / Browse location /
  cups_file_t *incfile; / Include file /
  char incname[1024]; / Include filename */
• struct group group; / Group */

/*
@@ -2562,7 +2767,7 @@
incname, strerror(errno));
else
{

•    read_configuration(incfile);
  

•    read_cupsd_conf(incfile);
  

  cupsFileClose(incfile);
  }
  }
  @@ -2586,8 +2791,6 @@
  if (linenum == 0)
  return (0);
  }
• else if (!_cups_strcasecmp(line, "FatalErrors"))

•  FatalErrors = parse_fatal_errors(value);
  

  else if (!_cups_strcasecmp(line, "FaxRetryInterval") && value)
  {
  JobRetryInterval = atoi(value);
  @@ -3246,81 +3449,6 @@
  }
  }
  #endif /* HAVE_SSL */
• else if (!_cups_strcasecmp(line, "User") && value)
• {

• /*
  

•  \* User ID to run as...
  

- */

•  if (isdigit(value[0] & 255))
  

•  {
  

- int uid = atoi(value);

• if (!uid)

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Will not use User 0 as specified on line %d "
  

•         "for security reasons.  You must use a non-"
  

•         "privileged account instead.",
  

•                 linenum);
  

•    else
  

• User = atoi(value);
  

•  }
  

•  else
  

•  {
  

- struct passwd p; / Password information */

•    endpwent();
  

- p = getpwnam(value);

• if (p)
• {

• if (!p->pw_uid)
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Will not use User %s (UID=0) as specified on line "
  

•           "%d for security reasons.  You must use a non-"
  

•           "privileged account instead.",
  

•                   value, linenum);
  

• else
  

•   User = p->pw_uid;
  

• }
• else

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown User \"%s\" on line %d, ignoring.",
  

•                 value, linenum);
  

•  }
  

• }
• else if (!_cups_strcasecmp(line, "Group") && value)
• {

• /*
  

•  \* Group ID to run as...
  

- */

•  if (isdigit(value[0]))
  

•    Group = atoi(value);
  

•  else
  

•  {
  

•    endgrent();
  

- group = getgrnam(value);

• if (group != NULL)

• Group = group->gr_gid;
  

• else

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown Group \"%s\" on line %d, ignoring.",
  

•                 value, linenum);
  

•  }
  

• }
• else if (!_cups_strcasecmp(line, "SystemGroup") && value)
• {

• /*
  

•  \* SystemGroup (admin) group(s)...
  

- */

•  if (!parse_groups(value))
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown SystemGroup \"%s\" on line %d, ignoring.",
  

•               value, linenum);
  

• }
  else if (!_cups_strcasecmp(line, "HostNameLookups") && value)
  {
  /*
  @@ -3399,22 +3527,6 @@
  cupsdLogMessage(CUPSD_LOG_WARN, "Unknown LogTimeFormat %s on line %d.",
  value, linenum);
  }
• else if (!_cups_strcasecmp(line, "PrintcapFormat") && value)
• {

• /*
  

•  \* Format of printcap file?
  

- */

•  if (!_cups_strcasecmp(value, "bsd"))
  

•    PrintcapFormat = PRINTCAP_BSD;
  

•  else if (!_cups_strcasecmp(value, "plist"))
  

•    PrintcapFormat = PRINTCAP_PLIST;
  

•  else if (!_cups_strcasecmp(value, "solaris"))
  

•    PrintcapFormat = PRINTCAP_SOLARIS;
  

[michaelrsweet]

•  else
  

• cupsdLogMessage(CUPSD_LOG_WARN, "Unknown PrintcapFormat %s on line %d.",

•               value, linenum);
  

• }
  else if (!_cups_strcasecmp(line, "ServerTokens") && value)
  {
  /*
  @@ -3540,117 +3652,192 @@
  "line %d.", value, linenum);
  }
  #endif /* HAVE_SSL */
• else if (!_cups_strcasecmp(line, "AccessLog") ||

•         !_cups_strcasecmp(line, "CacheDir") ||
  

•         !_cups_strcasecmp(line, "ConfigFilePerm") ||
  

•         !_cups_strcasecmp(line, "DataDir") ||
  

•         !_cups_strcasecmp(line, "DocumentRoot") ||
  

•         !_cups_strcasecmp(line, "ErrorLog") ||
  

•         !_cups_strcasecmp(line, "FatalErrors") ||
  

•         !_cups_strcasecmp(line, "FileDevice") ||
  

•         !_cups_strcasecmp(line, "FontPath") ||
  

•         !_cups_strcasecmp(line, "Group") ||
  

•         !_cups_strcasecmp(line, "LogFilePerm") ||
  

•         !_cups_strcasecmp(line, "LPDConfigFile") ||
  

•         !_cups_strcasecmp(line, "PageLog") ||
  

•         !_cups_strcasecmp(line, "Printcap") ||
  

•         !_cups_strcasecmp(line, "PrintcapFormat") ||
  

•         !_cups_strcasecmp(line, "RemoteRoot") ||
  

•         !_cups_strcasecmp(line, "RequestRoot") ||
  

•         !_cups_strcasecmp(line, "ServerBin") ||
  

•         !_cups_strcasecmp(line, "ServerCertificate") ||
  

•         !_cups_strcasecmp(line, "ServerKey") ||
  

•         !_cups_strcasecmp(line, "ServerRoot") ||
  

•         !_cups_strcasecmp(line, "SMBConfigFile") ||
  

•         !_cups_strcasecmp(line, "StateDir") ||
  

•         !_cups_strcasecmp(line, "SystemGroup") ||
  

•         !_cups_strcasecmp(line, "SystemGroupAuthKey") ||
  

•         !_cups_strcasecmp(line, "TempDir") ||
  

•    !_cups_strcasecmp(line, "User"))
  

• {

•  cupsdLogMessage(CUPSD_LOG_WARN,
  

•         "Please move \"%s%s%s\" on line %d of %s to the %s file; "
  

•         "this will become an error in a future release.",
  

•         line, value ? " " : "", value ? value : "", linenum,
  

•         ConfigurationFile, CupsFilesFile);
  

• }
  else

•  parse_variable(ConfigurationFile, linenum, line, value,
  

•                 sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars);
  

• }

• return (1);
  +}

+/*

• * 'read_cups_files_conf()' - Read the cups-files.conf configuration file.
• /
  +
  +static int / O - 1 on success, 0 on failure /
  +read_cups_files_conf(cups_file_t *fp) / I - File to read from */
  +{
• int linenum; /* Current line number */
• char line[HTTP_MAX_BUFFER], /* Line from file */

•   _value;         /_ Value from line */
  

• struct group group; / Group */

• /*
• * Loop through each line in the file...
• */

• linenum = 0;

• while (cupsFileGetConf(fp, line, sizeof(line), &value, &linenum))

• {

• if (!_cups_strcasecmp(line, "FatalErrors"))

•  FatalErrors = parse_fatal_errors(value);
  

• else if (!_cups_strcasecmp(line, "Group") && value)
  {
  /*

•  \* Find a simple variable in the list...
  

•  * Group ID to run as...
  

  */

•  for (i = NUM_VARS, var = variables; i > 0; i --, var ++)
  

•    if (!_cups_strcasecmp(line, var->name))
  

- break;

•  if (i == 0)
  

•  if (isdigit(value[0]))
  

•    Group = atoi(value);
  

•  else
  

  {

•   /*
  

•    \* Unknown directive!  Output an error message and continue...
  

• */

•    endgrent();
  

• group = getgrnam(value);

•    if (!value)
  

• cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d.",
  

•                 line, linenum);
  

• if (group != NULL)

• Group = group->gr_gid;
  

  else

• cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d.",
  

•                 line, linenum);
  

•    continue;
  

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown Group \"%s\" on line %d of %s.", value,
  

•                 linenum, CupsFilesFile);
  

• if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•   return (0);
  

• }
  }
• }
• else if (!_cups_strcasecmp(line, "PrintcapFormat") && value)
• {

• /*
  

•  \* Format of printcap file?
  

•  */
  

•  switch (var->type)
  

•  if (!_cups_strcasecmp(value, "bsd"))
  

•    PrintcapFormat = PRINTCAP_BSD;
  

•  else if (!_cups_strcasecmp(value, "plist"))
  

•    PrintcapFormat = PRINTCAP_PLIST;
  

•  else if (!_cups_strcasecmp(value, "solaris"))
  

•    PrintcapFormat = PRINTCAP_SOLARIS;
  

•  else
  

  {

•    case CUPSD_VARTYPE_INTEGER :
  

•   if (!value)
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing integer value for %s on line %d.",
  

•             line, linenum);
  

•   else
  

•   {
  

•     int   n;      /\* Number */
  

- char units; / Units */

- n = strtol(value, &units, 0);

•     if (units && *units)
  

•     {
  

•       if (tolower(units[0] & 255) == 'g')
  

•     n *= 1024 \* 1024 \* 1024;
  

•       else if (tolower(units[0] & 255) == 'm')
  

•     n *= 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'k')
  

•     n *= 1024;
  

•   else if (tolower(units[0] & 255) == 't')
  

•     n *= 262144;
  

- }

•          if (n < 0)
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Bad negative integer value for %s on line %d.",
  

•           line, linenum);
  

•     else
  

•   *((int *)var->ptr) = n;
  

•   }
  

•   break;
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown PrintcapFormat \"%s\" on line %d of %s.",
  

•               value, linenum, CupsFilesFile);
  

•    if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•      return (0);
  

•  }
  

• }

• else if (!_cups_strcasecmp(line, "SystemGroup") && value)

• {

• /*
  

•  \* SystemGroup (admin) group(s)...
  

•  */
  

• case CUPSD_VARTYPE_BOOLEAN :

•   if (!value)
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing boolean value for %s on line %d.",
  

•             line, linenum);
  

•        else if (!_cups_strcasecmp(value, "true") ||
  

•            !_cups_strcasecmp(value, "on") ||
  

•        !_cups_strcasecmp(value, "enabled") ||
  

•        !_cups_strcasecmp(value, "yes") ||
  

•        atoi(value) != 0)
  

•          *((int *)var->ptr) = TRUE;
  

•   else if (!_cups_strcasecmp(value, "false") ||
  

•            !_cups_strcasecmp(value, "off") ||
  

•        !_cups_strcasecmp(value, "disabled") ||
  

•        !_cups_strcasecmp(value, "no") ||
  

•        !_cups_strcasecmp(value, "0"))
  

•          *((int *)var->ptr) = FALSE;
  

•   else
  

•          cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Unknown boolean value %s on line %d.",
  

•                     value, linenum);
  

•   break;
  

•  if (!parse_groups(value))
  

•  {
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown SystemGroup \"%s\" on line %d of %s.", value,
  

•               linenum, CupsFilesFile);
  

•    if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•      return (0);
  

•  }
  

• }

• else if (!_cups_strcasecmp(line, "User") && value)

• {

• /*
  

•  \* User ID to run as...
  

•  */
  

• case CUPSD_VARTYPE_PATHNAME :

•        if (!value)
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing pathname value for %s on line %d.",
  

•             line, linenum);
  

•          break;
  

•   }
  

•  if (isdigit(value[0] & 255))
  

•  {
  

•    int uid = atoi(value);
  

•   if (value[0] == '/')
  

•     strlcpy(temp, value, sizeof(temp));
  

•   else
  

•     snprintf(temp, sizeof(temp), "%s/%s", ServerRoot, value);
  

• if (!uid)

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Will not use User 0 as specified on line %d of %s "
  

•         "for security reasons.  You must use a non-"
  

•         "privileged account instead.",
  

•                 linenum, CupsFilesFile);
  

•      if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•        return (0);
  

•    }
  

•    else
  

• User = atoi(value);
  

•  }
  

•  else
  

•  {
  

•    struct passwd *p;  /* Password information */
  

•        if (access(temp, 0))
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "File or directory for \"%s %s\" on line %d "
  

•             "does not exist.", line, value, linenum);
  

•          break;
  

•   }
  

•    endpwent();
  

• p = getpwnam(value);

• case CUPSD_VARTYPE_STRING :

•   cupsdSetString((char **)var->ptr, value);
  

•   break;
  

• if (p)

• {

• if (!p->pw_uid)
  

• {
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Will not use User %s (UID=0) as specified on line "
  

•           "%d of %s for security reasons.  You must use a "
  

•           "non-privileged account instead.",
  

•                   value, linenum, CupsFilesFile);
  

•   if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•     return (0);
  

• }
  

• else
  

•   User = p->pw_uid;
  

• }

• else

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown User \"%s\" on line %d of %s.",
  

•                 value, linenum, CupsFilesFile);
  

•      if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•        return (0);
  

•    }
  

  }
  }

• else if (!parse_variable(CupsFilesFile, linenum, line, value,

•            sizeof(cupsfiles_vars) / sizeof(cupsfiles_vars[0]),
  

•            cupsfiles_vars) &&
  

•    (FatalErrors & CUPSD_FATAL_CONFIG))
  

•  return (0);
  

  }

  return (1);
  --- a/scheduler/conf.h
  +++ b/scheduler/conf.h
  @@ -96,7 +96,9 @@
  */

  VAR char *ConfigurationFile VALUE(NULL),

•               /\* Configuration file to use */
  

•               /\* cupsd.conf file to use */
  

•       *CupsFilesFile      VALUE(NULL),
  

•               /\* cups-files.conf file to use _/
      *ServerName     VALUE(NULL),
              /_ FQDN for server */
      *ServerAdmin        VALUE(NULL),
  

  --- a/scheduler/main.c
  +++ b/scheduler/main.c
  @@ -234,6 +234,35 @@
  cupsdSetStringf(&ConfigurationFile, "%s/%s", current, argv[i]);
  free(current);
  }
  +

•     if (!CupsFilesFile)
  

•     {
  

•       char    _filename,  /_ Copy of cupsd.conf filename */
  

•       _slash;     /_ Final slash in cupsd.conf filename */
  

•   size_t  len;        /\* Size of buffer */
  

•   len = strlen(ConfigurationFile) + 15;
  

•   if ((filename = malloc(len)) == NULL)
  

•   {
  

•     _cupsLangPrintf(stderr,
  

•                     _("cupsd: Unable to get path to "
  

•                       "cups-files.conf file."));
  

•              return (1);
  

•   }
  

•   strlcpy(filename, ConfigurationFile, len);
  

•   if ((slash = strrchr(filename, '/')) == NULL)
  

•   {
  

•     _cupsLangPrintf(stderr,
  

•                     _("cupsd: Unable to get path to "
  

•                       "cups-files.conf file."));
  

•              return (1);
  

•   }
  

•   strlcpy(slash, "/cups-files.conf", len - (slash - filename));
  

•   cupsdSetString(&CupsFilesFile, filename);
  

•   free(filename);
  

•     }
    break;
  
     case 'f' : /* Run in foreground... */
  

  @@ -272,6 +301,29 @@
  UseProfiles = 0;
  break;

•      case 's' : /* Set cups-files.conf location */
  

•          i ++;
  

•     if (i >= argc)
  

•     {
  

•       _cupsLangPuts(stderr, _("cupsd: Expected cups-files.conf "
  

•                               "filename after \"-s\" option."));
  

•       usage(1);
  

•     }
  

•          if (argv[i][0] != '/')
  

•     {
  

•      /*
  

•       \* Relative filename not allowed...
  

•   */
  

•       _cupsLangPuts(stderr, _("cupsd: Relative cups-files.conf "
  

•                               "filename not allowed."));
  

•       usage(1);
  

•          }
  

•     cupsdSetString(&CupsFilesFile, argv[i]);
  

•     break;
  

  #ifdef APPLE
  case 'S' : /* Disable system management functions */
  fputs("cupsd: -S (disable system management) for internal "
  @@ -299,7 +351,10 @@
  }

  if (!ConfigurationFile)

• {
  cupsdSetString(&ConfigurationFile, CUPS_SERVERROOT "/cupsd.conf");

• cupsdSetString(&CupsFilesFile, CUPS_SERVERROOT "/cups-files.conf");

• }

/*

• If the user hasn't specified "-f", run in the background...
  --- a/test/run-stp-tests.sh
  +++ b/test/run-stp-tests.sh
  @@ -337,25 +337,10 @@

cat >/tmp/cups-$user/cupsd.conf <<EOF
Browsing Off
-FileDevice yes
-Printcap
Listen 127.0.0.1:$port
-User $user
-ServerRoot /tmp/cups-$user
-StateDir /tmp/cups-$user
-ServerBin /tmp/cups-$user/bin
-CacheDir /tmp/cups-$user/share
-DataDir /tmp/cups-$user/share
-FontPath /tmp/cups-$user/share/fonts
PassEnv LOCALEDIR
-DocumentRoot $root/doc
-RequestRoot /tmp/cups-$user/spool
-TempDir /tmp/cups-$user/spool/temp
MaxSubscriptions 3
MaxLogSize 0
-AccessLog /tmp/cups-$user/log/access_log
-ErrorLog /tmp/cups-$user/log/error_log
-PageLog /tmp/cups-$user/log/page_log
AccessLogLevel actions
LogLevel debug2
LogTimeFormat usecs
@@ -370,6 +355,24 @@

EOF

+cat >/tmp/cups-$user/cups-files.conf <<EOF
+FileDevice yes
+Printcap
+User $user
+ServerRoot /tmp/cups-$user
+StateDir /tmp/cups-$user
+ServerBin /tmp/cups-$user/bin
+CacheDir /tmp/cups-$user/share
+DataDir /tmp/cups-$user/share
+FontPath /tmp/cups-$user/share/fonts
+DocumentRoot $root/doc
+RequestRoot /tmp/cups-$user/spool
+TempDir /tmp/cups-$user/spool/temp
+AccessLog /tmp/cups-$user/log/access_log
+ErrorLog /tmp/cups-$user/log/error_log
+PageLog /tmp/cups-$user/log/page_log
+EOF
+

Setup lots of test queues - half with PPD files, half without...

[michaelrsweet]

"str4223v2.patch":

Index: conf/cups-files.conf.in

--- conf/cups-files.conf.in (revision 0)
+++ conf/cups-files.conf.in (revision 10714)
@@ -0,0 +1,98 @@
+#
+# "$Id$"
+#
+# Sample file/directory/user/group configuration file for the CUPS scheduler.
+# See "man cups-files.conf" for a complete description of this file.
+#
+
+# List of events that are considered fatal errors for the scheduler...
+#FatalErrors @CUPS_FATAL_ERRORS@
+
+# Default user and group for filters/backends/helper programs; this cannot be
+# any user or group that resolves to ID 0 for security reasons...
+#User @CUPS_USER@
+#Group @CUPS_GROUP@
+
+# Administrator user group, used to match @System in cupsd.conf policy rules...
+SystemGroup @CUPS_SYSTEM_GROUPS@
+@CUPS_SYSTEM_AUTHKEY@
+
+# User that is substituted for unauthenticated (remote) root accesses...
+#RemoteRoot remroot
+
+# Do we allow file: device URIs other than to /dev/null?
+#FileDevice No
+
+# Permissions for configuration and log files...
+#ConfigFilePerm @CUPS_CONFIG_FILE_PERM@
+#LogFilePerm @CUPS_LOG_FILE_PERM@
+
+# Location of the file logging all access to the scheduler; may be the name
+# "syslog". If not an absolute path, the value of ServerRoot is used as the
+# root directory. Also see the "AccessLogLevel" directive in cupsd.conf.
+AccessLog @CUPS_LOGDIR@/access_log
+
+# Location of cache files used by the scheduler...
+#CacheDir @CUPS_CACHEDIR@
+
+# Location of data files used by the scheduler...
+#DataDir @CUPS_DATADIR@
+
+# Location of the static web content served by the scheduler...
+#DocumentRoot @CUPS_DOCROOT@
+
+# Location of the file logging all messages produced by the scheduler and any
+# helper programs; may be the name "syslog". If not an absolute path, the value
+# of ServerRoot is used as the root directory. Also see the "LogLevel"
+# directive in cupsd.conf.
+ErrorLog @CUPS_LOGDIR@/error_log
+
+# Location of fonts used by older print filters...
+#FontPath @CUPS_FONTPATH@
+
+# Location of LPD configuration
+#LPDConfigFile @CUPS_DEFAULT_LPD_CONFIG_FILE@
+
+# Location of the file logging all pages printed by the scheduler and any
+# helper programs; may be the name "syslog". If not an absolute path, the value
+# of ServerRoot is used as the root directory. Also see the "PageLogFormat"
+# directive in cupsd.conf.
+PageLog @CUPS_LOGDIR@/page_log
+
+# Location of the file listing all of the local printers...
+#Printcap @CUPS_DEFAULT_PRINTCAP@
+
+# Format of the Printcap file...
+#PrintcapFormat bsd
+#PrintcapFormat plist
+#PrintcapFormat solaris
+
+# Location of all spool files...
+#RequestRoot @CUPS_REQUESTS@
+
+# Location of helper programs...
+#ServerBin @CUPS_SERVERBIN@
+
+# SSL/TLS certificate for the scheduler...
+#ServerCertificate @CUPS_SERVERCERT@
+
+# SSL/TLS private key for the scheduler...
+#ServerKey @CUPS_SERVERKEY@
+
+# Location of other configuration files...
+#ServerRoot @CUPS_SERVERROOT@
+
+# Location of Samba configuration file...
+#SMBConfigFile @CUPS_DEFAULT_SMB_CONFIG_FILE@
+
+# Location of scheduler state files...
+#StateDir @CUPS_STATEDIR@
+
+# Location of scheduler/helper temporary files. This directory is emptied on
+# scheduler startup and cannot be one of the standard (public) temporary
+# directory locations for security reasons...
+#TempDir @CUPS_REQUESTS@/tmp
+
+#
+# End of "$Id$".
+#

Property changes on: conf/cups-files.conf.in

---

Added: svn:keywords

• author date id revision
  Added: svn:eol-style
• native

Index: conf/cupsd.conf.in

--- conf/cupsd.conf.in (revision 10708)
+++ conf/cupsd.conf.in (working copy)
@@ -9,10 +9,6 @@

for troubleshooting...

LogLevel @CUPS_LOG_LEVEL@

-# Administrator user group...
-SystemGroup @CUPS_SYSTEM_GROUPS@

-@CUPS_SYSTEM_AUTHKEY@

Only listen for connections from the local machine.

Listen localhost:@DEFAULT_IPP_PORT@
@CUPS_LISTEN_DOMAINSOCKET@

Index: conf/Makefile

--- conf/Makefile (revision 10708)
+++ conf/Makefile (working copy)
@@ -19,7 +19,7 @@

Config files...

-KEEP = cupsd.conf snmp.conf
+KEEP = cups-files.conf cupsd.conf snmp.conf
REPLACE = mime.convs mime.types

Property changes on: conf

---

Modified: svn:ignore

• cupsd.conf
  mime.convs
  pam.std
  snmp.conf
• cupsd.conf
  cups-files.conf
  mime.convs
  pam.std
  snmp.conf

Index: scheduler/conf.c

--- scheduler/conf.c (revision 10708)
+++ scheduler/conf.c (working copy)
@@ -14,23 +14,25 @@
*

• Contents:
  *
  • * cupsdAddAlias() - Add a host alias.
  • * cupsdAddAlias() - Add a host alias.
• cupsdCheckPermissions() - Fix the mode and ownership of a file or
• * directory.
• * directory.
• cupsdDefaultAuthType() - Get the default AuthType.
• cupsdFreeAliases() - Free all of the alias entries.
• cupsdReadConfiguration() - Read the cupsd.conf file.
• * get_address() - Get an address + port number from a line.
• * get_address() - Get an address + port number from a line.
• get_addr_and_mask() - Get an IP address and netmask.
• * mime_error_cb() - Log a MIME error.
• * parse_aaa() - Parse authentication, authorization, and access
• * control lines.
• * mime_error_cb() - Log a MIME error.
• * parse_aaa() - Parse authentication, authorization, and access
• * control lines.
• parse_fatal_errors() - Parse FatalErrors values in a string.
• * parse_groups() - Parse system group names in a string.
• * parse_protocols() - Parse browse protocols in a string.
• * read_configuration() - Read a configuration file.
• * read_location() - Read a definition.
• * read_policy() - Read a definition.
• * parse_groups() - Parse system group names in a string.
• * parse_protocols() - Parse browse protocols in a string.
• * parse_variable() - Parse a variable line.
• * read_cupsd_conf() - Read the cupsd.conf configuration file.
• * read_cups_files_conf() - Read the cups-files.conf configuration file.
• * read_location() - Read a definition.
• * read_policy() - Read a definition.
• set_policy_defaults() - Set default policy values as needed.
  */

@@ -83,35 +85,25 @@

• Local globals...
  */

-static int default_auth_type = CUPSD_AUTH_AUTO;

•               /\* Default AuthType, if not specified */
  

  -static const cupsd_var_t variables[] =
  +static const cupsd_var_t cupsd_vars[] =
  {
• { "AccessLog", &AccessLog, CUPSD_VARTYPE_STRING },
  { "AutoPurgeJobs", &JobAutoPurge, CUPSD_VARTYPE_BOOLEAN },
  #if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
  { "BrowseDNSSDSubTypes", &DNSSDSubTypes, CUPSD_VARTYPE_STRING },
  #endif /* HAVE_DNSSD || HAVE_AVAHI */
  { "BrowseWebIF", &BrowseWebIF, CUPSD_VARTYPE_BOOLEAN },
  { "Browsing", &Browsing, CUPSD_VARTYPE_BOOLEAN },
• { "CacheDir", &CacheDir, CUPSD_VARTYPE_STRING },
  { "Classification", &Classification, CUPSD_VARTYPE_STRING },
  { "ClassifyOverride", &ClassifyOverride, CUPSD_VARTYPE_BOOLEAN },
• { "ConfigFilePerm", &ConfigFilePerm, CUPSD_VARTYPE_INTEGER },
• { "DataDir", &DataDir, CUPSD_VARTYPE_STRING },
  { "DefaultLanguage", &DefaultLanguage, CUPSD_VARTYPE_STRING },
  { "DefaultLeaseDuration", &DefaultLeaseDuration, CUPSD_VARTYPE_TIME },
  { "DefaultPaperSize", &DefaultPaperSize, CUPSD_VARTYPE_STRING },
  { "DefaultPolicy", &DefaultPolicy, CUPSD_VARTYPE_STRING },
  { "DefaultShared", &DefaultShared, CUPSD_VARTYPE_BOOLEAN },
  { "DirtyCleanInterval", &DirtyCleanInterval, CUPSD_VARTYPE_TIME },
• { "DocumentRoot", &DocumentRoot, CUPSD_VARTYPE_STRING },
• { "ErrorLog", &ErrorLog, CUPSD_VARTYPE_STRING },
  { "ErrorPolicy", &ErrorPolicy, CUPSD_VARTYPE_STRING },
• { "FileDevice", &FileDevice, CUPSD_VARTYPE_BOOLEAN },
  { "FilterLimit", &FilterLimit, CUPSD_VARTYPE_INTEGER },
  { "FilterNice", &FilterNice, CUPSD_VARTYPE_INTEGER },
• { "FontPath", &FontPath, CUPSD_VARTYPE_STRING },
  #ifdef HAVE_GSSAPI
  { "GSSServiceName", &GSSServiceName, CUPSD_VARTYPE_STRING },
  #endif /* HAVE_GSSAPI */
  @@ -126,8 +118,6 @@
  { "LimitRequestBody", &MaxRequestSize, CUPSD_VARTYPE_INTEGER },
  { "ListenBackLog", &ListenBackLog, CUPSD_VARTYPE_INTEGER },
  { "LogDebugHistory", &LogDebugHistory, CUPSD_VARTYPE_INTEGER },
• { "LogFilePerm", &LogFilePerm, CUPSD_VARTYPE_INTEGER },
• { "LPDConfigFile", &LPDConfigFile, CUPSD_VARTYPE_STRING },
  { "MaxActiveJobs", &MaxActiveJobs, CUPSD_VARTYPE_INTEGER },
  { "MaxClients", &MaxClients, CUPSD_VARTYPE_INTEGER },
  { "MaxClientsPerHost", &MaxClientsPerHost, CUPSD_VARTYPE_INTEGER },
  @@ -146,17 +136,34 @@
  { "MaxSubscriptionsPerPrinter",&MaxSubscriptionsPerPrinter, CUPSD_VARTYPE_INTEGER },
  { "MaxSubscriptionsPerUser", &MaxSubscriptionsPerUser, CUPSD_VARTYPE_INTEGER },
  { "MultipleOperationTimeout", &MultipleOperationTimeout, CUPSD_VARTYPE_TIME },
• { "PageLog", &PageLog, CUPSD_VARTYPE_STRING },
  { "PageLogFormat", &PageLogFormat, CUPSD_VARTYPE_STRING },
  { "PreserveJobFiles", &JobFiles, CUPSD_VARTYPE_TIME },
  { "PreserveJobHistory", &JobHistory, CUPSD_VARTYPE_TIME },
• { "Printcap", &Printcap, CUPSD_VARTYPE_STRING },
  { "ReloadTimeout", &ReloadTimeout, CUPSD_VARTYPE_TIME },
• { "RemoteRoot", &RemoteRoot, CUPSD_VARTYPE_STRING },
• { "RequestRoot", &RequestRoot, CUPSD_VARTYPE_STRING },
  { "RIPCache", &RIPCache, CUPSD_VARTYPE_STRING },
  { "RootCertDuration", &RootCertDuration, CUPSD_VARTYPE_TIME },
  { "ServerAdmin", &ServerAdmin, CUPSD_VARTYPE_STRING },
• { "ServerName", &ServerName, CUPSD_VARTYPE_STRING },
• { "StrictConformance", &StrictConformance, CUPSD_VARTYPE_BOOLEAN },
• { "Timeout", &Timeout, CUPSD_VARTYPE_TIME },
• { "WebInterface", &WebInterface, CUPSD_VARTYPE_BOOLEAN }
  +};
  +static const cupsd_var_t cupsfiles_vars[] =
  +{
• { "AccessLog", &AccessLog, CUPSD_VARTYPE_STRING },
• { "CacheDir", &CacheDir, CUPSD_VARTYPE_STRING },
• { "ConfigFilePerm", &ConfigFilePerm, CUPSD_VARTYPE_INTEGER },
• { "DataDir", &DataDir, CUPSD_VARTYPE_STRING },
• { "DocumentRoot", &DocumentRoot, CUPSD_VARTYPE_STRING },
• { "ErrorLog", &ErrorLog, CUPSD_VARTYPE_STRING },
• { "FileDevice", &FileDevice, CUPSD_VARTYPE_BOOLEAN },
• { "FontPath", &FontPath, CUPSD_VARTYPE_STRING },
• { "LogFilePerm", &LogFilePerm, CUPSD_VARTYPE_INTEGER },
• { "LPDConfigFile", &LPDConfigFile, CUPSD_VARTYPE_STRING },
• { "PageLog", &PageLog, CUPSD_VARTYPE_STRING },
• { "Printcap", &Printcap, CUPSD_VARTYPE_STRING },
• { "RemoteRoot", &RemoteRoot, CUPSD_VARTYPE_STRING },
• { "RequestRoot", &RequestRoot, CUPSD_VARTYPE_STRING },
  { "ServerBin", &ServerBin, CUPSD_VARTYPE_PATHNAME },
  #ifdef HAVE_SSL
  { "ServerCertificate", &ServerCertificate, CUPSD_VARTYPE_PATHNAME },
  @@ -164,20 +171,17 @@
  { "ServerKey", &ServerKey, CUPSD_VARTYPE_PATHNAME },

endif /* HAVE_LIBSSL || HAVE_GNUTLS _/

#endif /_ HAVE_SSL */

• { "ServerName", &ServerName, CUPSD_VARTYPE_STRING },
  { "ServerRoot", &ServerRoot, CUPSD_VARTYPE_PATHNAME },
  { "SMBConfigFile", &SMBConfigFile, CUPSD_VARTYPE_STRING },
  { "StateDir", &StateDir, CUPSD_VARTYPE_STRING },
• { "StrictConformance", &StrictConformance, CUPSD_VARTYPE_BOOLEAN },
  #ifdef HAVE_AUTHORIZATION_H
  { "SystemGroupAuthKey", &SystemGroupAuthKey, CUPSD_VARTYPE_STRING },
  #endif /* HAVE_AUTHORIZATION_H */
• { "TempDir", &TempDir, CUPSD_VARTYPE_PATHNAME },
• { "Timeout", &Timeout, CUPSD_VARTYPE_TIME },
• { "WebInterface", &WebInterface, CUPSD_VARTYPE_BOOLEAN }
• { "TempDir", &TempDir, CUPSD_VARTYPE_PATHNAME }
  };
  -#define NUM_VARS (sizeof(variables) / sizeof(variables[0]))

+static int default_auth_type = CUPSD_AUTH_AUTO;

•               /* Default AuthType, if not specified */
  

  static const unsigned ones[4] =
  {
  @@ -202,7 +206,12 @@
  static int parse_fatal_errors(const char *s);
  static int parse_groups(const char *s);
  static int parse_protocols(const char *s);
  -static int read_configuration(cups_file_t *fp);
  +static int parse_variable(const char *filename, int linenum,

•                      const char *line, const char *value,
  

•                      size_t num_vars,
  

•                      const cupsd_var_t *vars);
  

  +static int read_cupsd_conf(cups_file_t *fp);
  +static int read_cups_files_conf(cups_file_t *fp);
  static int read_location(cups_file_t *fp, char *name, int linenum);
  static int read_policy(cups_file_t *fp, char *name, int linenum);
  static void set_policy_defaults(cupsd_policy_t *pol);
  @@ -778,22 +787,48 @@
  cupsdInitEnv();

  /*

• * Read the configuration file...

• • Read the cups-files.conf file...
    */

• if ((fp = cupsFileOpen(CupsFilesFile, "r")) != NULL)

• {

• status = read_cups_files_conf(fp);

• cupsFileClose(fp);

• if (!status)

•  return (0);
  

• }
• else if (errno == ENOENT)
• cupsdLogMessage(CUPSD_LOG_INFO, "No %s, using defaults.", CupsFilesFile);
• else
• {
• cupsdLogMessage(CUPSD_LOG_CRIT, "Unable to open %s: %s", CupsFilesFile,

•                strerror(errno));
  

• return (0);
• }

• if (!ErrorLog)
• cupsdSetString(&ErrorLog, CUPS_LOGDIR "/error_log");

• /*
• * Read the cupsd.conf file...
• */

if ((fp = cupsFileOpen(ConfigurationFile, "r")) == NULL)

• {
• cupsdLogMessage(CUPSD_LOG_CRIT, "Unable to open %s: %s", ConfigurationFile,

•                strerror(errno));
  

  return (0);
• }
• status = read_configuration(fp);
• status = read_cupsd_conf(fp);

cupsFileClose(fp);

if (!status)
return (0);

• if (!ErrorLog)

- cupsdSetString(&ErrorLog, CUPS_LOGDIR "/error_log");

RunUser = getuid();

cupsdLogMessage(CUPSD_LOG_INFO, "Remote access is %s.",
@@ -906,6 +941,13 @@
}

/*

• * Make sure ConfigFilePerm and LogFilePerm have sane values...
• */

• ConfigFilePerm &= 0664;
• LogFilePerm &= 0664;

• /*
  • Open the system log for cupsd if necessary...
    */

@@ -2548,13 +2590,244 @@

/*

• * 'read_configuration()' - Read a configuration file.

• • 'parse_variable()' - Parse a variable line.
    */

  static int /* O - 1 on success, 0 on failure /
  -read_configuration(cups_file_t *fp) / I - File to read from */
  +parse_variable(

• const char filename, / I - Name of configuration file */

• int linenum, /* I - Line in configuration file */

• const char line, / I - Line from configuration file */

• const char value, / I - Value from configuration file */

• size_t num_vars, /* I - Number of variables */

• const cupsd_var_t vars) / I - Variables */
  {

• int i; /* Looping var */

• size_t i; /* Looping var */

• const cupsd_var_t var; / Variables */

• char temp[1024]; /* Temporary string */

• for (i = num_vars, var = vars; i > 0; i --, var ++)
• if (!_cups_strcasecmp(line, var->name))

•  break;
  
• if (i == 0)
• {
• /*
• * Unknown directive! Output an error message and continue...
• */

• if (!value)

•  cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

• else

•  cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.",
  

•         line, linenum, filename);
  
• return (0);
• }

• switch (var->type)
• {
• case CUPSD_VARTYPE_INTEGER :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing integer value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

•      return (0);
  

• }
• else if (!isdigit(*value & 255))
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Bad integer value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

•      return (0);
  

• }
• else
• {

• int   n;      /\* Number */
  

• char  _units;     /_ Units */
  

• n = strtol(value, &units, 0);
  

• if (units && *units)
  

• {
  

•   if (tolower(units[0] & 255) == 'g')
  

•     n *= 1024 \* 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'm')
  

•     n *= 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'k')
  

•     n *= 1024;
  

•   else if (tolower(units[0] & 255) == 't')
  

•     n *= 262144;
  

•   else
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "Unknown integer value for %s on line %d of %s.",
  

•             line, linenum, filename);
  

•     return (0);
  

•   }
  

• }
  

• if (n < 0)
  

• {
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•           "Bad negative integer value for %s on line %d of "
  

•           "%s.", line, linenum, filename);
  

•   return (0);
  

• }
  

• else
  

• {
  

•   *((int *)var->ptr) = n;
  

• }
  

• }
• break;

• case CUPSD_VARTYPE_TIME :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing time interval value for %s on line %d of "
  

•         "%s.", line, linenum, filename);
  

• return (0);
  

• }
• else if (!_cups_strncasecmp(line, "PreserveJob", 11) &&

•    (!_cups_strcasecmp(value, "true") ||
  

•     !_cups_strcasecmp(value, "on") ||
  

•     !_cups_strcasecmp(value, "enabled") ||
  

•     !_cups_strcasecmp(value, "yes")))
  

• {

• *((int *)var->ptr) = INT_MAX;
  

• }
• else if (!_cups_strcasecmp(value, "false") ||

•    !_cups_strcasecmp(value, "off") ||
  

•    !_cups_strcasecmp(value, "disabled") ||
  

•    !_cups_strcasecmp(value, "no"))
  

• {

• *((int *)var->ptr) = 0;
  

• }
• else if (!isdigit(*value & 255))
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Unknown time interval value for %s on line %d of "
  

•         "%s.", line, linenum, filename);
  

•      return (0);
  

• }
• else
• {

• double    n;      /\* Number */
  

• char      _units;     /_ Units */
  

• n = strtod(value, &units);
  

• if (units && *units)
  

• {
  

•   if (tolower(units[0] & 255) == 'w')
  

•     n *= 7 \* 24 \* 60 \* 60;
  

•   else if (tolower(units[0] & 255) == 'd')
  

•     n *= 24 \* 60 \* 60;
  

•   else if (tolower(units[0] & 255) == 'h')
  

•     n *= 60 \* 60;
  

•   else if (tolower(units[0] & 255) == 'm')
  

•     n *= 60;
  

•   else
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "Unknown time interval value for %s on line "
  

•             "%d of %s.", line, linenum, filename);
  

•     return (0);
  

•   }
  

• }
  

• if (n < 0.0 || n > INT_MAX)
  

• {
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•           "Bad time value for %s on line %d of %s.",
  

•           line, linenum, filename);
  

•   return (0);
  

• }
  

• else
  

• {
  

•   *((int *)var->ptr) = (int)n;
  

• }
  

• }
• break;

• case CUPSD_VARTYPE_BOOLEAN :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing boolean value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

• return (0);
  

• }
• else if (!_cups_strcasecmp(value, "true") ||

•    !_cups_strcasecmp(value, "on") ||
  

•    !_cups_strcasecmp(value, "enabled") ||
  

•    !_cups_strcasecmp(value, "yes") ||
  

•    atoi(value) != 0)
  

• {

• *((int *)var->ptr) = TRUE;
  

• }
• else if (!_cups_strcasecmp(value, "false") ||

•    !_cups_strcasecmp(value, "off") ||
  

•    !_cups_strcasecmp(value, "disabled") ||
  

•    !_cups_strcasecmp(value, "no") ||
  

•    !_cups_strcasecmp(value, "0"))
  

• {

• *((int *)var->ptr) = FALSE;
  

• }
• else
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Unknown boolean value %s on line %d of %s.",
  

•         value, linenum, filename);
  

• return (0);
  

• }
• break;

• case CUPSD_VARTYPE_PATHNAME :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing pathname value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

• return (0);
  

• }

• if (value[0] == '/')

• strlcpy(temp, value, sizeof(temp));
  

• else

• snprintf(temp, sizeof(temp), "%s/%s", ServerRoot, value);
  
• if (access(temp, 0))
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "File or directory for \"%s %s\" on line %d of %s "
  

•         "does not exist.", line, value, linenum, filename);
  

• return (0);
  

• }

• cupsdSetString((char **)var->ptr, temp);
• break;

• case CUPSD_VARTYPE_STRING :
• cupsdSetString((char **)var->ptr, value);
• break;
• }

• return (1);
  +}

+/*

• * 'read_cupsd_conf()' - Read the cupsd.conf configuration file.
• /
  +
  +static int / O - 1 on success, 0 on failure /
  +read_cupsd_conf(cups_file_t *fp) / I - File to read from /
  +{
  int linenum; / Current line number /
  char line[HTTP_MAX_BUFFER],
  / Line from file /
  @@ -2563,12 +2836,10 @@
  *value, / Pointer to value /
  *valueptr; / Pointer into value /
  int valuelen; / Length of value */
• cupsd_var_t const var; / Current variable /
  http_addrlist_t *addrlist, / Address list /
  *addr; / Current address /
  cups_file_t *incfile; / Include file /
  char incname[1024]; / Include filename */
• struct group group; / Group */

/*
@@ -2600,7 +2871,7 @@
incname, strerror(errno));
else
{

•    read_configuration(incfile);
  

•    read_cupsd_conf(incfile);
  

  cupsFileClose(incfile);
  }
  }
  @@ -2624,8 +2895,6 @@
  if (linenum == 0)
  return (0);
  }

• else if (!_cups_strcasecmp(line, "FatalErrors"))

•  FatalErrors = parse_fatal_errors(value);
  

  else if (!_cups_strcasecmp(line, "FaxRetryInterval") && value)
  {
  JobRetryInterval = atoi(value);
  @@ -2769,10 +3038,10 @@

  BrowseLocalProtocols = protocols;
  }

• else if (!_cups_strcasecmp(line, "default_auth_type") && value)

• else if (!_cups_strcasecmp(line, "DefaultAuthType") && value)
  {
  /*

•  \* default_auth_type {basic,digest,basicdigest,negotiate}
  

•  * DefaultAuthType {basic,digest,basicdigest,negotiate}
  

  */

  if (!_cups_strcasecmp(value, "none"))
  @@ -2821,81 +3090,6 @@
  }
  }
  #endif /* HAVE_SSL */

• else if (!_cups_strcasecmp(line, "User") && value)

• {

• /*
  

•  \* User ID to run as...
  

- */

•  if (isdigit(value[0] & 255))
  

•  {
  

- int uid = atoi(value);

• if (!uid)

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Will not use User 0 as specified on line %d "
  

•         "for security reasons.  You must use a non-"
  

•         "privileged account instead.",
  

•                 linenum);
  

•    else
  

• User = atoi(value);
  

•  }
  

•  else
  

•  {
  

- struct passwd p; / Password information */

•    endpwent();
  

- p = getpwnam(value);

• if (p)
• {

• if (!p->pw_uid)
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Will not use User %s (UID=0) as specified on line "
  

•           "%d for security reasons.  You must use a non-"
  

•           "privileged account instead.",
  

•                   value, linenum);
  

• else
  

•   User = p->pw_uid;
  

• }
• else

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown User \"%s\" on line %d, ignoring.",
  

•                 value, linenum);
  

•  }
  

• }
• else if (!_cups_strcasecmp(line, "Group") && value)
• {

• /*
  

•  \* Group ID to run as...
  

- */

•  if (isdigit(value[0]))
  

•    Group = atoi(value);
  

•  else
  

•  {
  

•    endgrent();
  

- group = getgrnam(value);

• if (group != NULL)

• Group = group->gr_gid;
  

• else

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown Group \"%s\" on line %d, ignoring.",
  

•                 value, linenum);
  

•  }
  

• }
• else if (!_cups_strcasecmp(line, "SystemGroup") && value)
• {

• /*
  

•  \* SystemGroup (admin) group(s)...
  

- */

•  if (!parse_groups(value))
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown SystemGroup \"%s\" on line %d, ignoring.",
  

•               value, linenum);
  

• }
  else if (!_cups_strcasecmp(line, "HostNameLookups") && value)
  {
  /*
  @@ -2974,22 +3168,6 @@
  cupsdLogMessage(CUPSD_LOG_WARN, "Unknown LogTimeFormat %s on line %d.",
  value, linenum);
  }
• else if (!_cups_strcasecmp(line, "PrintcapFormat") && value)
• {

• /*
  

•  \* Format of printcap file?
  

- */

•  if (!_cups_strcasecmp(value, "bsd"))
  

•    PrintcapFormat = PRINTCAP_BSD;
  

•  else if (!_cups_strcasecmp(value, "plist"))
  

•    PrintcapFormat = PRINTCAP_PLIST;
  

•  else if (!_cups_strcasecmp(value, "solaris"))
  

•    PrintcapFormat = PRINTCAP_SOLARIS;
  

•  else
  

• cupsdLogMessage(CUPSD_LOG_WARN, "Unknown PrintcapFormat %s on line %d.",

•               value, linenum);
  

• }
  else if (!_cups_strcasecmp(line, "ServerTokens") && value)
  {
  /*
  @@ -3115,182 +3293,193 @@
  "line %d.", value, linenum);
  }
  #endif /* HAVE_SSL */

• else if (!_cups_strcasecmp(line, "AccessLog") ||

•         !_cups_strcasecmp(line, "CacheDir") ||
  

•         !_cups_strcasecmp(line, "ConfigFilePerm") ||
  

•         !_cups_strcasecmp(line, "DataDir") ||
  

•         !_cups_strcasecmp(line, "DocumentRoot") ||
  

•         !_cups_strcasecmp(line, "ErrorLog") ||
  

•         !_cups_strcasecmp(line, "FatalErrors") ||
  

•         !_cups_strcasecmp(line, "FileDevice") ||
  

•         !_cups_strcasecmp(line, "FontPath") ||
  

•         !_cups_strcasecmp(line, "Group") ||
  

•         !_cups_strcasecmp(line, "LogFilePerm") ||
  

•         !_cups_strcasecmp(line, "LPDConfigFile") ||
  

•         !_cups_strcasecmp(line, "PageLog") ||
  

•         !_cups_strcasecmp(line, "Printcap") ||
  

•         !_cups_strcasecmp(line, "PrintcapFormat") ||
  

•         !_cups_strcasecmp(line, "RemoteRoot") ||
  

•         !_cups_strcasecmp(line, "RequestRoot") ||
  

•         !_cups_strcasecmp(line, "ServerBin") ||
  

•         !_cups_strcasecmp(line, "ServerCertificate") ||
  

•         !_cups_strcasecmp(line, "ServerKey") ||
  

•         !_cups_strcasecmp(line, "ServerRoot") ||
  

•         !_cups_strcasecmp(line, "SMBConfigFile") ||
  

•         !_cups_strcasecmp(line, "StateDir") ||
  

•         !_cups_strcasecmp(line, "SystemGroup") ||
  

•         !_cups_strcasecmp(line, "SystemGroupAuthKey") ||
  

•         !_cups_strcasecmp(line, "TempDir") ||
  

•    !_cups_strcasecmp(line, "User"))
  

• {

•  cupsdLogMessage(CUPSD_LOG_WARN,
  

•         "Please move \"%s%s%s\" on line %d of %s to the %s file; "
  

•         "this will become an error in a future release.",
  

•         line, value ? " " : "", value ? value : "", linenum,
  

•         ConfigurationFile, CupsFilesFile);
  

• }
  else

• {

• /*
  

•  \* Find a simple variable in the list...
  

•  */
  

•  parse_variable(ConfigurationFile, linenum, line, value,
  

•                 sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars);
  

• }

•  for (i = NUM_VARS, var = variables; i > 0; i --, var ++)
  

•    if (!_cups_strcasecmp(line, var->name))
  

• break;
  

• return (1);
  +}

•  if (i == 0)
  

•  {
  

•   /*
  

•    \* Unknown directive!  Output an error message and continue...
  

• */

•    if (!value)
  

• cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d.",
  

•                 line, linenum);
  

• else

• cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d.",
  

•                 line, linenum);
  

•    continue;
  

•  }
  

  +/*

• * 'read_cups_files_conf()' - Read the cups-files.conf configuration file.

• */

•  switch (var->type)
  

•  {
  

•    case CUPSD_VARTYPE_INTEGER :
  

•   if (!value)
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing integer value for %s on line %d.",
  

•             line, linenum);
  

•   else if (!isdigit(*value & 255))
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Bad integer value for %s on line %d.",
  

•             line, linenum);
  

•   else
  

•   {
  

•     int   n;      /\* Number */
  

•     char  _units;     /_ Units _/
  

  +static int /_ O - 1 on success, 0 on failure /
  +read_cups_files_conf(cups_file_t *fp) / I - File to read from */
  +{

• int linenum; /* Current line number */

• char line[HTTP_MAX_BUFFER], /* Line from file */

•   _value;         /_ Value from line */
  

• struct group group; / Group */

•          n = strtol(value, &units, 0);
  

•     if (units && *units)
  

•     {
  

•       if (tolower(units[0] & 255) == 'g')
  

•     n *= 1024 \* 1024 \* 1024;
  

•       else if (tolower(units[0] & 255) == 'm')
  

•     n *= 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'k')
  

•     n *= 1024;
  

•   else if (tolower(units[0] & 255) == 't')
  

•     n *= 262144;
  

•   else
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "Unknown integer value for %s on line %d.",
  

•             line, linenum);
  

•     break;
  

•   }
  

•     }
  

• /*

• * Loop through each line in the file...

• */

•          if (n < 0)
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Bad negative integer value for %s on line %d.",
  

•           line, linenum);
  

•     else
  

•   *((int *)var->ptr) = n;
  

•   }
  

•   break;
  

• linenum = 0;

•    case CUPSD_VARTYPE_TIME :
  

•   if (!value)
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing time interval value for %s on line %d.",
  

•             line, linenum);
  

•   else if (!_cups_strncasecmp(line, "PreserveJob", 11) &&
  

•            (!_cups_strcasecmp(value, "true") ||
  

•         !_cups_strcasecmp(value, "on") ||
  

•         !_cups_strcasecmp(value, "enabled") ||
  

•         !_cups_strcasecmp(value, "yes")))
  

•     *((int *)var->ptr) = INT_MAX;
  

•   else if (!_cups_strcasecmp(value, "false") ||
  

•            !_cups_strcasecmp(value, "off") ||
  

•            !_cups_strcasecmp(value, "disabled") ||
  

•            !_cups_strcasecmp(value, "no"))
  

•     *((int *)var->ptr) = 0;
  

•   else if (!isdigit(*value & 255))
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Unknown time interval value for %s on line %d.",
  

•             line, linenum);
  

•   else
  

•   {
  

•     double    n;      /\* Number */
  

•     char  _units;     /_ Units */
  

• while (cupsFileGetConf(fp, line, sizeof(line), &value, &linenum))

• {

• if (!_cups_strcasecmp(line, "FatalErrors"))

•  FatalErrors = parse_fatal_errors(value);
  

• else if (!_cups_strcasecmp(line, "Group") && value)

• {

• /*
  

•  \* Group ID to run as...
  

•  */
  

•          n = strtod(value, &units);
  

•  if (isdigit(value[0]))
  

•    Group = atoi(value);
  

•  else
  

•  {
  

•    endgrent();
  

• group = getgrnam(value);

•     if (units && *units)
  

•     {
  

•       if (tolower(units[0] & 255) == 'w')
  

•     n *= 7 \* 24 \* 60 \* 60;
  

•       else if (tolower(units[0] & 255) == 'd')
  

•     n *= 24 \* 60 \* 60;
  

•   else if (tolower(units[0] & 255) == 'h')
  

•     n *= 60 \* 60;
  

•   else if (tolower(units[0] & 255) == 'm')
  

•     n *= 60;
  

•   else
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "Unknown time interval value for %s on line "
  

•             "%d.", line, linenum);
  

•     break;
  

•   }
  

•     }
  

• if (group != NULL)

• Group = group->gr_gid;
  

• else

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown Group \"%s\" on line %d of %s.", value,
  

•                 linenum, CupsFilesFile);
  

• if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•   return (0);
  

• }

•  }
  

• }

• else if (!_cups_strcasecmp(line, "PrintcapFormat") && value)

• {

• /*
  

•  \* Format of printcap file?
  

•  */
  

•          if (n < 0.0 || n > INT_MAX)
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Bad time value for %s on line %d.",
  

•           line, linenum);
  

•     else
  

•   *((int *)var->ptr) = (int)n;
  

•   }
  

•   break;
  

•  if (!_cups_strcasecmp(value, "bsd"))
  

•    PrintcapFormat = PRINTCAP_BSD;
  

•  else if (!_cups_strcasecmp(value, "plist"))
  

•    PrintcapFormat = PRINTCAP_PLIST;
  

•  else if (!_cups_strcasecmp(value, "solaris"))
  

•    PrintcapFormat = PRINTCAP_SOLARIS;
  

•  else
  

•  {
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown PrintcapFormat \"%s\" on line %d of %s.",
  

•               value, linenum, CupsFilesFile);
  

•    if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•      return (0);
  

•  }
  

• }

• else if (!_cups_strcasecmp(line, "SystemGroup") && value)

• {

• /*
  

•  \* SystemGroup (admin) group(s)...
  

•  */
  

• case CUPSD_VARTYPE_BOOLEAN :

•   if (!value)
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing boolean value for %s on line %d.",
  

•             line, linenum);
  

•        else if (!_cups_strcasecmp(value, "true") ||
  

•            !_cups_strcasecmp(value, "on") ||
  

•        !_cups_strcasecmp(value, "enabled") ||
  

•        !_cups_strcasecmp(value, "yes") ||
  

•        atoi(value) != 0)
  

•          *((int *)var->ptr) = TRUE;
  

•   else if (!_cups_strcasecmp(value, "false") ||
  

•            !_cups_strcasecmp(value, "off") ||
  

•        !_cups_strcasecmp(value, "disabled") ||
  

•        !_cups_strcasecmp(value, "no") ||
  

•        !_cups_strcasecmp(value, "0"))
  

•          *((int *)var->ptr) = FALSE;
  

•   else
  

•          cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Unknown boolean value %s on line %d.",
  

•                     value, linenum);
  

•   break;
  

•  if (!parse_groups(value))
  

•  {
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown SystemGroup \"%s\" on line %d of %s.", value,
  

•               linenum, CupsFilesFile);
  

•    if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•      return (0);
  

•  }
  

• }

• else if (!_cups_strcasecmp(line, "User") && value)

• {

• /*
  

•  \* User ID to run as...
  

•  */
  

• case CUPSD_VARTYPE_PATHNAME :

•        if (!value)
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing pathname value for %s on line %d.",
  

•             line, linenum);
  

•          break;
  

•   }
  

•  if (isdigit(value[0] & 255))
  

•  {
  

•    int uid = atoi(value);
  

•   if (value[0] == '/')
  

•     strlcpy(temp, value, sizeof(temp));
  

•   else
  

•     snprintf(temp, sizeof(temp), "%s/%s", ServerRoot, value);
  

• if (!uid)

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Will not use User 0 as specified on line %d of %s "
  

•         "for security reasons.  You must use a non-"
  

•         "privileged account instead.",
  

•                 linenum, CupsFilesFile);
  

•      if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•        return (0);
  

•    }
  

•    else
  

• User = atoi(value);
  

•  }
  

•  else
  

•  {
  

•    struct passwd *p;  /* Password information */
  

•        if (access(temp, 0))
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "File or directory for \"%s %s\" on line %d "
  

•             "does not exist.", line, value, linenum);
  

•          break;
  

•   }
  

•    endpwent();
  

• p = getpwnam(value);

• case CUPSD_VARTYPE_STRING :

•   cupsdSetString((char **)var->ptr, value);
  

•   break;
  

• if (p)

• {

• if (!p->pw_uid)
  

• {
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Will not use User %s (UID=0) as specified on line "
  

•           "%d of %s for security reasons.  You must use a "
  

•           "non-privileged account instead.",
  

•                   value, linenum, CupsFilesFile);
  

•   if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•     return (0);
  

• }
  

• else
  

•   User = p->pw_uid;
  

• }

• else

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown User \"%s\" on line %d of %s.",
  

•                 value, linenum, CupsFilesFile);
  

•      if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•        return (0);
  

•    }
  

  }
  }

• else if (!parse_variable(CupsFilesFile, linenum, line, value,

•            sizeof(cupsfiles_vars) / sizeof(cupsfiles_vars[0]),
  

•            cupsfiles_vars) &&
  

•    (FatalErrors & CUPSD_FATAL_CONFIG))
  

•  return (0);
  

  }

  return (1);

  Index: scheduler/main.c

  --- scheduler/main.c (revision 10708)
  +++ scheduler/main.c (working copy)
  @@ -208,7 +208,6 @@

           char *current;     /* Current directory */
  

       /*
        * Allocate a buffer for the current working directory to
    * reduce run-time stack usage; this approximates the

@@ -272,6 +271,29 @@
UseProfiles = 0;
break;

•      case 's' : /\* Set cups-files.conf location */
  

•          i ++;
  

•     if (i >= argc)
  

•     {
  

•       _cupsLangPuts(stderr, _("cupsd: Expected cups-files.conf "
  

•                               "filename after \"-s\" option."));
  

•       usage(1);
  

•     }
  

•          if (argv[i][0] != '/')
  

•     {
  

•      /*
  

•       \* Relative filename not allowed...
  

•   */
  

•       _cupsLangPuts(stderr, _("cupsd: Relative cups-files.conf "
  

•                               "filename not allowed."));
  

•       usage(1);
  

•          }
  

•     cupsdSetString(&CupsFilesFile, argv[i]);
  

•     break;
  

  #ifdef APPLE
  case 'S' : /* Disable system management functions */
  fputs("cupsd: -S (disable system management) for internal "
  @@ -301,6 +323,35 @@
  if (!ConfigurationFile)
  cupsdSetString(&ConfigurationFile, CUPS_SERVERROOT "/cupsd.conf");

• if (!CupsFilesFile)

• {

• char filename, / Copy of cupsd.conf filename */

•   _slash;         /_ Final slash in cupsd.conf filename */
  

• size_t len; /* Size of buffer */

• len = strlen(ConfigurationFile) + 15;
• if ((filename = malloc(len)) == NULL)
• {

•  _cupsLangPrintf(stderr,
  

•         _("cupsd: Unable to get path to "
  

•       "cups-files.conf file."));
  

•  return (1);
  

• }

• strlcpy(filename, ConfigurationFile, len);
• if ((slash = strrchr(filename, '/')) == NULL)
• {

•  _cupsLangPrintf(stderr,
  

•         _("cupsd: Unable to get path to "
  

•       "cups-files.conf file."));
  

•  return (1);
  

• }

• strlcpy(slash, "/cups-files.conf", len - (slash - filename));
• cupsdSetString(&CupsFilesFile, filename);
• free(filename);
• }

/*

• If the user hasn't specified "-f", run in the background...
  */
  Index: scheduler/conf.h

  --- scheduler/conf.h (revision 10708)
  +++ scheduler/conf.h (working copy)
  @@ -97,7 +97,9 @@
  */

VAR char *ConfigurationFile VALUE(NULL),

•               /\* Configuration file to use */
  

•               /\* cupsd.conf file to use */
  

•       *CupsFilesFile      VALUE(NULL),
  

•               /\* cups-files.conf file to use _/
      *ServerName     VALUE(NULL),
              /_ FQDN for server */
      *ServerAdmin        VALUE(NULL),
  

  Index: scheduler/client.c

  --- scheduler/client.c (revision 10708)
  +++ scheduler/client.c (working copy)
  @@ -32,7 +32,7 @@

  • compare_clients() - Compare two client connections.
  • data_ready() - Check whether data is available from a client.
  • get_file() - Get a filename and state info.

• * install_conf_file() - Install a configuration file.

• • install_cupsd_conf() - Install a configuration file.
  • is_cgi() - Is the resource a CGI script/program?
  • is_path_absolute() - Is a path absolute and free of relative elements

  •           (i.e. "..").
    

    @@ -98,7 +98,7 @@
    static int data_ready(cupsd_client_t *con);
    static char *get_file(cupsd_client_t *con, struct stat *filestats,
    char *filename, int len);
    -static http_status_t install_conf_file(cupsd_client_t *con);
    +static http_status_t install_cupsd_conf(cupsd_client_t *con);
    static int is_cgi(cupsd_client_t *con, const char *filename,
    struct stat *filestats, mime_type_t *type);
    static int is_path_absolute(const char *path);
    @@ -1670,17 +1670,14 @@
    • Validate the resource name...
      */

•        if (strncmp(con->uri, "/admin/conf/", 12) ||
  

•       strchr(con->uri + 12, '/') ||
  

•   strlen(con->uri) == 12)
  

•        if (strcmp(con->uri, "/admin/conf/cupsd.conf"))
  {
   /*
  

•     \* PUT can only be done to configuration files under
  

•     \* /admin/conf...
  

•     * PUT can only be done to the cupsd.conf file...
    */
  
    cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "[Client %d] Request for subdirectory \"%s\".",
  

•             "[Client %d] Disallowed PUT request for \"%s\".",
            con->http.fd, con->uri);
  
    if (!cupsdSendError(con, HTTP_FORBIDDEN, CUPSD_AUTH_NONE))
  

  @@ -2052,7 +2049,7 @@

  • Install the configuration file...
    */

•      status = install_conf_file(con);
  

•      status = install_cupsd_conf(con);
  
    /*
  

  • Return the status to the client...
    @@ -3311,14 +3308,13 @@

  /*

• * 'install_conf_file()' - Install a configuration file.

• • 'install_cupsd_conf()' - Install a configuration file.
    */

  static http_status_t /* O - Status /
  -install_conf_file(cupsd_client_t *con) / I - Connection /
  +install_cupsd_conf(cupsd_client_t *con) / I - Connection /
  {
  char filename[1024]; / Configuration filename */

• mode_t mode; /* Permissions /
  cups_file_t *in, / Input file /
  *out; / Output file /
  char buffer[16384]; / Copy buffer */
  @@ -3340,13 +3336,8 @@

• Open the new config file...
  */

• snprintf(filename, sizeof(filename), "%s%s", ServerRoot, con->uri + 11);

• if (!strcmp(con->uri, "/admin/conf/printers.conf"))

• mode = ConfigFilePerm & 0600;

• else

- mode = ConfigFilePerm;

• if ((out = cupsdCreateConfFile(filename, mode)) == NULL)
• snprintf(filename, sizeof(filename), "%s/cupsd.conf", ServerRoot);
• if ((out = cupsdCreateConfFile(filename, ConfigFilePerm)) == NULL)
  {
  cupsFileClose(in);
  return (HTTP_SERVER_ERROR);
  @@ -3391,14 +3382,10 @@
  cupsdClearString(&con->filename);

/*

• * If the cupsd.conf file was updated, set the NeedReload flag...
• • Set the NeedReload flag...
    */
• if (!strcmp(con->uri, "/admin/conf/cupsd.conf"))
• NeedReload = RELOAD_CUPSD;
• else

- NeedReload = RELOAD_ALL;

• NeedReload = RELOAD_CUPSD;
  ReloadTime = time(NULL);

/*

Index: packaging/cups.spec.in

--- packaging/cups.spec.in (revision 10708)
+++ packaging/cups.spec.in (working copy)
@@ -135,6 +135,7 @@
%defattr(-,root,root)
%dir /etc/cups
%config(noreplace) /etc/cups/*.conf
+/etc/cups/cups-files.conf.default
/etc/cups/cupsd.conf.default
%dir /etc/cups/interfaces
%dir /etc/cups/ppd

Index: packaging/cups.list.in

--- packaging/cups.list.in (revision 10708)
+++ packaging/cups.list.in (working copy)
@@ -528,6 +528,8 @@
d 0755 root $CUPS_GROUP $SERVERROOT/interfaces -
d 0755 root $CUPS_GROUP $SERVERROOT/ppd -
d 0700 root $CUPS_GROUP $SERVERROOT/ssl -
+c $CUPS_PERM root $CUPS_GROUP $SERVERROOT/cups-files.conf conf/cups-files.conf
+f $CUPS_PERM root $CUPS_GROUP $SERVERROOT/cups-files.conf.default conf/cups-files.conf
c $CUPS_PERM root $CUPS_GROUP $SERVERROOT/cupsd.conf conf/cupsd.conf
f $CUPS_PERM root $CUPS_GROUP $SERVERROOT/cupsd.conf.default conf/cupsd.conf
c $CUPS_PERM root $CUPS_GROUP $SERVERROOT/snmp.conf conf/snmp.conf

Index: CHANGES-1.6.txt

--- CHANGES-1.6.txt (revision 10708)
+++ CHANGES-1.6.txt (working copy)
@@ -4,6 +4,9 @@
CHANGES IN CUPS V1.6.2

• Documentation fixes

• • Security: All file, directory, user, and group settings are now stored

• in a separate cups-files.conf configuration file that cannot be set
  

• through the CUPS web interface or APIs (STR #4223)
  

  • The SNMP backend now tries to work around broken printers that use a
    newline to separate key/value pairs.

  • The IPP backend did not send a cancel request to printers when a job
    Index: config-scripts/cups-ssl.m4

    --- config-scripts/cups-ssl.m4 (revision 10708)
    +++ config-scripts/cups-ssl.m4 (working copy)
    @@ -27,6 +27,8 @@
    SSLFLAGS=""
    SSLLIBS=""
    have_ssl=0
    +CUPS_SERVERCERT=""
    +CUPS_SERVERKEY=""

  if test x$enable_ssl != xno; then
  dnl Look for CDSA...
  @@ -36,6 +38,7 @@
  have_ssl=1
  AC_DEFINE(HAVE_SSL)
  AC_DEFINE(HAVE_CDSASSL)

•   CUPS_SERVERCERT="/Library/Keychains/System.keychain"
  
  dnl Check for the various security headers...
  AC_CHECK_HEADER(Security/SecureTransportPriv.h,
  

  @@ -106,6 +109,9 @@
  fi

  if test $have_ssl = 1; then

•   CUPS_SERVERCERT="ssl/server.crt"
  

•   CUPS_SERVERKEY="ssl/server.key"
  

  •    if $PKGCONFIG --exists gcrypt; then
      SSLLIBS="$SSLLIBS `$PKGCONFIG --libs gcrypt`"
      SSLFLAGS="$SSLFLAGS `$PKGCONFIG --cflags gcrypt`"
    

  @@ -148,6 +154,9 @@
  done

  if test "x${SSLLIBS}" != "x"; then
  

•   CUPS_SERVERCERT="ssl/server.crt"
  

•   CUPS_SERVERKEY="ssl/server.key"
  

  • LIBS="$SAVELIBS $SSLLIBS"
    AC_CHECK_FUNCS(SSL_set_tlsext_host_name)
    fi
    @@ -165,6 +174,8 @@
    AC_MSG_ERROR([Unable to enable SSL support.])
    fi

+AC_SUBST(CUPS_SERVERCERT)
+AC_SUBST(CUPS_SERVERKEY)
AC_SUBST(IPPALIASES)
AC_SUBST(SSLFLAGS)
AC_SUBST(SSLLIBS)

Index: config-scripts/cups-defaults.m4

--- config-scripts/cups-defaults.m4 (revision 10708)
+++ config-scripts/cups-defaults.m4 (working copy)
@@ -305,6 +305,7 @@
fi

AC_DEFINE_UNQUOTED(CUPS_DEFAULT_LPD_CONFIG_FILE, "$CUPS_DEFAULT_LPD_CONFIG_FILE")
+AC_SUBST(CUPS_DEFAULT_LPD_CONFIG_FILE)

dnl Default SMB config file...
AC_ARG_WITH(smbconfigfile, [ --with-smbconfigfile set default SMBConfigFile URI],
@@ -326,6 +327,7 @@
fi

AC_DEFINE_UNQUOTED(CUPS_DEFAULT_SMB_CONFIG_FILE, "$CUPS_DEFAULT_SMB_CONFIG_FILE")
+AC_SUBST(CUPS_DEFAULT_SMB_CONFIG_FILE)

dnl Default MaxCopies value...
AC_ARG_WITH(max-copies, [ --with-max-copies set default max copies value, default=9999 ],

Index: doc/help/ref-cups-files-conf.html.in

--- doc/help/ref-cups-files-conf.html.in (revision 0)
+++ doc/help/ref-cups-files-conf.html.in (revision 10713)
@@ -0,0 +1,531 @@
+
+
+

• <TITLE>cups-files.conf</TITLE>

+
+
+
+

cups-files.conf

+
+

The /etc/cups/cups-files.conf file contains configuration directives that control the files, directories. users. and groups that are used by the CUPS scheduler, cupsd(8). Each directive is listed on a line by itself followed by its value. Comments are introduced using the number sign ("#") character at the beginning of a line.

+
+

AccessLog

+
+

Examples

+
+

+AccessLog /var/log/cups/access_log

+AccessLog /var/log/cups/access_log-%s

+AccessLog syslog

+

+
+

Description

+
+

The AccessLog directive sets the name of the
+access log file. If the filename is not absolute then it is
+assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+access log file is stored in "common log format" and can be used
+by any web access reporting tool to generate a report on CUPS
+server activity.

+
+

The server name can be included in the filename by using
+%s in the name.

+
+

The special name "syslog" can be used to send the access
+information to the system log instead of a plain file.

+
+

The default access log file is
+@CUPS_LOGDIR@/access_log.

+
+
+

CUPS 1.1.15ConfigFilePerm

+
+

Examples

+
+

+ConfigFilePerm 0644

+ConfigFilePerm 0640

+

+
+

Description

+
+

The ConfigFilePerm directive specifies the permissions to use when the scheduler writes configuration and cache files, typically in response to IPP or HTTP requests. The default is @CUPS_CONFIG_FILE_PERM@.

+
+

Note:
+
+

The permissions for the printers.conf file are always masked to only allow access from the scheduler user (typically root). This is done because printer device URIs sometimes contain sensitive authentication information that should not be generally known on the system. There is no way to disable this security feature.

+
+

+
+
+

DataDir

+
+

Examples

+
+

+DataDir /usr/share/cups

+

+
+

Description

+
+

The DataDir directive sets the directory to use
+for data files.

+
+
+

CUPS 1.2/OS X 10.5DefaultAuthType

+
+

Examples

+
+

+DefaultAuthType Basic

+DefaultAuthType BasicDigest

+DefaultAuthType Digest

+DefaultAuthType Negotiate

+

+
+

Description

+
+

The DefaultAuthType directive specifies the type
+of authentication to use for IPP operations that require a
+username. The default is Basic.

+
+
+

DocumentRoot

+
+

Examples

+
+

+DocumentRoot /usr/share/doc/cups

+DocumentRoot /foo/bar/doc/cups

+

+
+

Description

+
+

The DocumentRoot directive specifies the location
+of web content for the HTTP server in CUPS. If an absolute path
+is not specified then it is assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default directory is @CUPS_DOCROOT@.

+
+

Documents are first looked up in a sub-directory for the
+primary language requested by the client (e.g.
+@CUPS_DOCROOT@/fr/...) and then directly under
+the DocumentRoot directory (e.g.
+@CUPS_DOCROOT@/...), so it is possible to
+localize the web content by providing subdirectories for each
+language needed.

+
+
+

ErrorLog

+
+

Examples

+
+

+ErrorLog /var/log/cups/error_log

+ErrorLog /var/log/cups/error_log-%s

+ErrorLog syslog

+

+
+

Description

+
+

The ErrorLog directive sets the name of the error
+log file. If the filename is not absolute then it is assumed to
+be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default error log file is @CUPS_LOGDIR@/error_log.

+
+

The server name can be included in the filename by using
+%s in the name.

+
+

The special name "syslog" can be used to send the error
+information to the system log instead of a plain file.

+
+
+

CUPS 1.4/OS X 10.6FatalErrors

+
+

Examples

+
+

+FatalErrors none

+FatalErrors all

+FatalErrors browse

+FatalErrors config

+FatalErrors listen

+FatalErrors log

+FatalErrors permissions

+FatalErrors all -permissions

+FatalErrors config permissions log

+

+
+

Description

+
+

The FatalErrors directive determines whether certain kinds of
+errors are fatal. The following kinds of errors are currently recognized:

+
+

+
• none - No errors are fatal
• all - All of the errors below are fatal
• browse - Browsing initialization errors are fatal,
• for example failed binding to the CUPS browse port or failed connections
• to LDAP servers
• config - Configuration file syntax errors are
• fatal
• listen - Listen or Port errors are fatal, except for
• IPv6 failures on the loopback or "any" addresses
• log - Log file creation or write errors are fatal
• permissions - Bad startup file permissions are
• fatal, for example shared SSL certificate and key files with world-
• read permissions

+

+
+

Multiple errors can be listed, and the form "-kind" can be used with
+all to remove specific kinds of errors. The default setting is
+@CUPS_FATAL_ERRORS@.

+
+
+

CUPS 1.1.18FileDevice

+
+

Examples

+
+

+FileDevice Yes

+FileDevice No

+

+
+

Description

+
+

The FileDevice directive determines whether the
+scheduler allows new printers to be added using device URIs of
+the form file:/filename. File devices are most often
+used to test new printer drivers and do not support raw file
+printing.

+
+

The default setting is No.

+
+

Note:
+
+

File devices are managed by the scheduler. Since the
+scheduler normally runs as the root user, file devices
+can be used to overwrite system files and potentially
+gain unauthorized access to the system. If you must
+create printers using file devices, we recommend that
+you set the FileDevice directive to
+Yes for only as long as you need to add the
+printers to the system, and then reset the directive to
+No.

+
+

+
+
+

CUPS 1.1.3FontPath

+
+

Examples

+
+

+FontPath /foo/bar/fonts

+FontPath /usr/share/cups/fonts:/foo/bar/fonts

+

+
+

Description

+
+

The FontPath directive specifies the font path to
+use when searching for fonts. The default font path is
+/usr/share/cups/fonts.

+
+
+

Group

+
+

Examples

+
+

+Group lp

+Group nobody

+

+
+

Description

+
+

The Group directive specifies the UNIX group that
+filter and CGI programs run as. The default group is
+system-specific but is usually lp or
+nobody.

+
+
+

CUPS 1.1.15LogFilePerm

+
+

Examples

+
+

+LogFilePerm 0644

+LogFilePerm 0600

+

+
+

Description

+
+

The LogFilePerm directive specifies the
+permissions to use when writing log files. The default
+is @CUPS_LOG_FILE_PERM@.

+
+
+

PageLog

+
+

Examples

+
+

+PageLog /var/log/cups/page_log

+PageLog /var/log/cups/page_log-%s

+PageLog syslog

+

+
+

Description

+
+

The PageLog directive sets the name of the page
+log file. If the filename is not absolute then it is assumed to
+be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default page log file is @CUPS_LOGDIR@/page_log.

+
+

The server name can be included in the filename by using
+%s in the name.

+
+

The special name "syslog" can be used to send the page
+information to the system log instead of a plain file.

+
+
+

Printcap

+
+

Examples

+
+

+Printcap

+Printcap /etc/printcap

+Printcap /etc/printers.conf

+Printcap /Library/Preferences/org.cups.printers.plist

+

+
+

Description

+
+

The Printcap directive controls whether or not a
+printcap file is automatically generated and updated with a list
+of available printers. If specified with no value, then no
+printcap file will be generated. The default is to generate a
+file named @CUPS_DEFAULT_PRINTCAP@.

+
+

When a filename is specified (e.g. @CUPS_DEFAULT_PRINTCAP@),
+the printcap file is written whenever a printer is added or
+removed. The printcap file can then be used by applications that
+are hardcoded to look at the printcap file for the available
+printers.

+
+
+

PrintcapFormat

+
+

Examples

+
+

+PrintcapFormat BSD

+PrintcapFormat Solaris

+PrintcapFormat plist

+

+
+

Description

+
+

The PrintcapFormat directive controls the output format of the
+printcap file. The default is to generate the plist format on OS X, the
+Solaris format on Solaris, and the BSD format on other operating systems.

+
+
+

CUPS 1.1.3RemoteRoot

+
+

Examples

+
+

+RemoteRoot remroot

+RemoteRoot root

+

+
+

Description

+
+

The RemoteRoot directive sets the username for
+unauthenticated root requests from remote hosts. The default
+username is remroot. Setting RemoteRoot
+to root effectively disables this security
+mechanism.

+
+
+

RequestRoot

+
+

Examples

+
+

+RequestRoot /var/spool/cups

+RequestRoot /foo/bar/spool/cups

+

+
+

Description

+
+

The RequestRoot directive sets the directory for
+incoming IPP requests and HTML forms. If an absolute path is not
+provided then it is assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default request directory is @CUPS_REQUESTS@.

+
+
+

ServerBin

+
+

Examples

+
+

+ServerBin /usr/lib/cups

+ServerBin /foo/bar/lib/cups

+

+
+

Description

+
+

The ServerBin directive sets the directory for
+server-run executables. If an absolute path is not provided then
+it is assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default executable directory is /usr/lib/cups,
+/usr/lib32/cups, or /usr/libexec/cups
+depending on the operating system.

+
+
+

ServerCertificate

+
+

Examples

+
+

+ServerCertificate /etc/cups/ssl/server.crt

+

+
+

Description

+
+

The ServerCertificate directive specifies the
+location of the SSL certificate file used by the server when
+negotiating encrypted connections. The certificate must not be
+encrypted (password protected) since the scheduler normally runs
+in the background and will be unable to ask for a password.

+
+

The default certificate file is
+/etc/cups/ssl/server.crt.

+
+
+

ServerKey

+
+

Examples

+
+

+ServerKey /etc/cups/ssl/server.key

+

+
+

Description

+
+

The ServerKey directive specifies the location of
+the SSL private key file used by the server when negotiating
+encrypted connections.

+
+

The default key file is
+/etc/cups/ssl/server.crt.

+
+
+

ServerRoot

+
+

Examples

+
+

+ServerRoot /etc/cups

+ServerRoot /foo/bar/cups

+

+
+

Description

+
+

The ServerRoot directive specifies the absolute
+path to the server configuration and state files. It is also used
+to resolve relative paths in the cupsd.conf file. The
+default server directory is /etc/cups.

+
+
+

SystemGroup

+
+

Examples

+
+

+SystemGroup lpadmin

+SystemGroup sys

+SystemGroup system

+SystemGroup root

+SystemGroup root lpadmin

+

+
+

Description

+
+

The SystemGroup directive specifies the system
+administration group for System authentication.
+Multiple groups can be listed, separated with spaces. The default
+group list is @CUPS_SYSTEM_GROUPS@.

+
+
+

TempDir

+
+

Examples

+
+

+TempDir /var/tmp

+TempDir /foo/bar/tmp

+

+
+

Description

+
+

The TempDir directive specifies an absolute path
+for the directory to use for temporary files. The default
+directory is @CUPS_REQUESTS@/tmp.

+
+

Temporary directories must be world-writable and should have
+the "sticky" permission bit enabled so that other users cannot
+delete filter temporary files. The following commands will create
+an appropriate temporary directory called
+/foo/bar/tmp:

+
+

+mkdir /foo/bar/tmp

+chmod a+rwxt /foo/bar/tmp

+

+
+
+

User

+
+

Examples

+
+

+User lp

+User guest

+

+
+

Description

+
+

The User directive specifies the UNIX user that
+filter and CGI programs run as. The default user is
+@CUPS_USER@.

+
+

Note:
+
+

You may not use user root, as that would expose
+the system to unacceptable security risks. The scheduler will
+automatically choose user nobody if you specify a
+user whose ID is 0.

+
+

+
+
+
+

Property changes on: doc/help/ref-cups-files-conf.html.in

---

Added: svn:mime-type

• text/html
  Added: svn:keywords
• Id
  Added: svn:eol-style
• native

Index: doc/help/ref-cupsd-conf.html.in

--- doc/help/ref-cupsd-conf.html.in (revision 10708)
+++ doc/help/ref-cupsd-conf.html.in (working copy)
@@ -197,82 +197,6 @@
HREF="#Limit">Limit section.

-

DeprecatedAuthClass

-

Examples

-

-<Location /path>


...
AuthClass Anonymous
AuthClass User
AuthClass System
AuthClass Group

-</Location>

-

-

Description

-

The AuthClass directive defines what level of
-authentication is required:

-

• Anonymous - No authentication should be

- performed (default)

• User - A valid username and password is

- required

• System - A valid username and password
• is required, and the username must belong to the "sys"
• group; this can be changed using the <A
• HREF="#SystemGroup">SystemGroup

- directive

• Group - A valid username and password is
• required, and the username must belong to the group named
• by the <A
• HREF="#AuthGroupName">AuthGroupName

- directive

-

-

The AuthClass directive must appear inside a <A
-HREF="#Location">Location or <A

-HREF="#Limit">Limit section.

-

This directive is deprecated and will be removed from a
-future release of CUPS. Consider using the more flexible <A

-HREF="#Require">Require directive instead.

-

DeprecatedAuthGroupName

-

Examples

-

-<Location /path>


...
AuthGroupName mygroup
AuthGroupName lp

-</Location>

-

-

Description

-

The AuthGroupName directive sets the group to use

-for Group authentication.

-

The AuthGroupName directive must appear inside a
-Location or <A

-HREF="#Limit">Limit section.

-

This directive is deprecated and will be removed from a
-future release of CUPS. Consider using the more flexible <A

-HREF="#Require">Require directive instead.

AuthType

Examples

@@ -2096,49 +2020,6 @@

-

Printcap

-

Examples

-

-Printcap

-Printcap /etc/printcap

-Printcap /etc/printers.conf

[michaelrsweet]

-Printcap /Library/Preferences/org.cups.printers.plist

-

-

Description

-

The Printcap directive controls whether or not a
-printcap file is automatically generated and updated with a list
-of available printers. If specified with no value, then no
-printcap file will be generated. The default is to generate a

-file named @CUPS_DEFAUL_PRINTCAP@.

-

When a filename is specified (e.g. @CUPS_DEFAULT_PRINTCAP@),
-the printcap file is written whenever a printer is added or
-removed. The printcap file can then be used by applications that
-are hardcoded to look at the printcap file for the available

-printers.

-

PrintcapFormat

-

Examples

-

-PrintcapFormat BSD

-PrintcapFormat Solaris

-PrintcapFormat plist

-

-

Description

-

The PrintcapFormat directive controls the output format of the
-printcap file. The default is to generate the plist format on OS X, the

-Solaris format on Solaris, and the BSD format on other operating systems.

CUPS 1.1.21ReloadTimeout

Examples

@@ -2155,42 +2036,6 @@ before doing a restart. The default is 30 seconds.

-

CUPS 1.1.3RemoteRoot

-

Examples

-

-RemoteRoot remroot

-RemoteRoot root

-

-

Description

-

The RemoteRoot directive sets the username for
-unauthenticated root requests from remote hosts. The default
-username is remroot. Setting RemoteRoot
-to root effectively disables this security

-mechanism.

-

RequestRoot

-

Examples

-

-RequestRoot /var/spool/cups

-RequestRoot /foo/bar/spool/cups

-

-

Description

-

The RequestRoot directive sets the directory for
-incoming IPP requests and HTML forms. If an absolute path is not
-provided then it is assumed to be relative to the <A
-HREF="#ServerRoot">ServerRoot directory. The

-default request directory is @CUPS_REQUESTS@.

CUPS 1.1.7Require

Examples

@@ -2343,64 +2188,6 @@

-

ServerBin

-

Examples

-

-ServerBin /usr/lib/cups

-ServerBin /foo/bar/lib/cups

-

-

Description

-

The ServerBin directive sets the directory for
-server-run executables. If an absolute path is not provided then
-it is assumed to be relative to the <A
-HREF="#ServerRoot">ServerRoot directory. The
-default executable directory is /usr/lib/cups,
-/usr/lib32/cups, or /usr/libexec/cups

-depending on the operating system.

-

ServerCertificate

-

Examples

-

-ServerCertificate /etc/cups/ssl/server.crt

-

-

Description

-

The ServerCertificate directive specifies the
-location of the SSL certificate file used by the server when
-negotiating encrypted connections. The certificate must not be
-encrypted (password protected) since the scheduler normally runs

-in the background and will be unable to ask for a password.

-

The default certificate file is

-/etc/cups/ssl/server.crt.

-

ServerKey

-

Examples

-

-ServerKey /etc/cups/ssl/server.key

-

-

Description

-

The ServerKey directive specifies the location of
-the SSL private key file used by the server when negotiating

-encrypted connections.

-

The default key file is

-/etc/cups/ssl/server.crt.

ServerName

Examples

@@ -2417,23 +2204,6 @@ hostname.

-

ServerRoot

-

Examples

-

-ServerRoot /etc/cups

-ServerRoot /foo/bar/cups

-

-

Description

-

The ServerRoot directive specifies the absolute
-path to the server configuration and state files. It is also used
-to resolve relative paths in the cupsd.conf file. The

-default server directory is /etc/cups.

CUPS 1.1.21ServerTokens

Examples

@@ -2629,53 +2399,6 @@ HREF="#Policy">Policy section.

-

SystemGroup

-

Examples

-

-SystemGroup lpadmin

-SystemGroup sys

-SystemGroup system

-SystemGroup root

-SystemGroup root lpadmin

-

-

Description

-

The SystemGroup directive specifies the system
-administration group for System authentication.
-Multiple groups can be listed, separated with spaces. The default

-group list is @CUPS_SYSTEM_GROUPS@.

-

TempDir

-

Examples

-

-TempDir /var/tmp

-TempDir /foo/bar/tmp

-

-

Description

-

The TempDir directive specifies an absolute path
-for the directory to use for temporary files. The default

-directory is @CUPS_REQUESTS@/tmp.

-

Temporary directories must be world-writable and should have
-the "sticky" permission bit enabled so that other users cannot
-delete filter temporary files. The following commands will create
-an appropriate temporary directory called

-/foo/bar/tmp:

-

-mkdir /foo/bar/tmp

-chmod a+rwxt /foo/bar/tmp

-

Timeout

Examples

@@ -2696,53 +2419,6 @@

The default timeout is 5m (five minutes).

-

CUPS 1.2/OS X 10.5UseNetworkDefault

-

Examples

-

-UseNetworkDefault yes

-UseNetworkDefault no

-

-

Description

-

The UseNetworkDefault directive controls whether
-the client will use a network/remote printer as a default
-printer. If enabled, the default printer of a server is used as
-the default printer on a client. When multiple servers are
-advertising a default printer, the client's default printer is
-set to the first discovered printer, or to the implicit class for

-the same printer available from multiple servers.

-

The default is @CUPS_USE_NETWORK_DEFAULT@.

-

User

-

Examples

-

-User lp

-User guest

-

-

Description

-

The User directive specifies the UNIX user that
-filter and CGI programs run as. The default user is

-@CUPS_USER@.

-

Note:

-

You may not use user root, as that would expose
-the system to unacceptable security risks. The scheduler will
-automatically choose user nobody if you specify a

-user whose ID is 0.

-

CUPS 1.5WebInterface

Examples

Index: doc/Makefile

--- doc/Makefile (revision 10708)
+++ doc/Makefile (working copy)
@@ -3,7 +3,7 @@

Documentation makefile for CUPS.

-# Copyright 2007-2011 by Apple Inc.
+# Copyright 2007-2012 by Apple Inc.

Copyright 1997-2007 by Easy Software Products.

These coded instructions, statements, and computer programs are the

Index: man/cups-files.conf.man.in

--- man/cups-files.conf.man.in (revision 0)
+++ man/cups-files.conf.man.in (revision 10713)
@@ -0,0 +1,146 @@
+."
+." "$Id$"
+."
+." cupsd.conf man page for CUPS.
+."
+." Copyright 2007-2012 by Apple Inc.
+." Copyright 1997-2006 by Easy Software Products.
+."
+." These coded instructions, statements, and computer programs are the
+." property of Apple Inc. and are protected by Federal copyright
+." law. Distribution and use rights are outlined in the file "LICENSE.txt"
+." which should have been included with this file. If this file is
+." file is missing or damaged, see the license at "http://www.cups.org/".
+."
+.TH cups-files.conf 5 "CUPS" "19 November 2012" "Apple Inc."
+.SH NAME
+cups-files.conf - file and directory configuration file for cups
+.SH DESCRIPTION
+The \fIcups-file.conf\fR file configures the files and directories used by the
+CUPS scheduler, \fIcupsd(8)\fR. It is normally located in the
+\fI@CUPS_SERVERROOT@\fR directory.
+.LP
+Each line in the file can be a configuration directive, a blank line,
+or a comment. Comment lines start with the # character.
+.SH DIRECTIVES
+The following directives are understood by \fIcupsd(8)\fR. Consult the
+on-line help for detailed descriptions:
+.TP 5
+AccessLog filename
+.TP 5
+AccessLog syslog
+.br
+Defines the access log filename.
+.TP 5
+ConfigFilePerm mode
+.br
+Specifies the permissions for all configuration files that the scheduler
+writes.
+.TP 5
+DataDir path
+.br
+Specified the directory where data files can be found.
+.TP 5
+DocumentRoot directory
+.br
+Specifies the root directory for the internal web server documents.
+.TP 5
+ErrorLog filename
+.TP 5
+ErrorLog syslog
+.br
+Specifies the error log filename.
+.TP 5
+FatalErrors none
+.TP 5
+FatalErrors all -kind [... -kind]
+.TP 5
+FatalErrors kind [... kind]
+.br
+Specifies which errors are fatal, causing the scheduler to exit. "Kind" is
+"browse", "config", "listen", "log", or "permissions".
+.TP 5
+FileDevice Yes
+.TP 5
+FileDevice No
+.br
+Specifies whether the file pseudo-device can be used for new
+printer queues.
+.TP 5
+FontPath directory[:directory:...]
+.br
+Specifies the search path for fonts.
+.TP 5
+Group group-name-or-number
+.br
+Specifies the group name or ID that will be used when executing
+external programs.
+.TP 5
+LogFilePerm mode
+.br
+Specifies the permissions for all log files that the scheduler writes.
+.TP 5
+PageLog filename
+.TP 5
+PageLog syslog
+.br
+Specifies the page log filename.
+.TP 5
+Printcap
+.TP 5
+Printcap filename
+.br
+Specifies the filename for a printcap file that is updated
+automatically with a list of available printers (needed for
+legacy applications); specifying Printcap with no filename
+disables printcap generation.
+.TP 5
+RemoteRoot user-name
+.br
+Specifies the username that is associated with unauthenticated root
+accesses.
+.TP 5
+RequestRoot directory
+.br
+Specifies the directory to store print jobs and other HTTP request
+data.
+.TP 5
+ServerBin directory
+.br
+Specifies the directory where backends, CGIs, daemons, and filters may
+be found.
+.TP 5
+ServerCertificate filename
+.br
+Specifies the encryption certificate to use.
+.TP 5
+ServerKey filename
+.br
+Specifies the encryption key to use.
+.TP 5
+ServerRoot directory
+.br
+Specifies the directory where the server configuration files can be found.
+.TP 5
+SystemGroup group-name [group-name ...]
+.br
+Specifies the group(s) to use for System class authentication.
+.TP 5
+TempDir directory
+.br
+Specifies the directory where temporary files are stored.
+.TP 5
+User user-name
+.br
+Specifies the user name or ID that is used when running external programs.
+.SH SEE ALSO
+\fIclasses.conf(5)\fR, \fIcupsd(8)\fR, \fIcupsd.conf(5)\fR, \fImime.convs(5)\fR,
+\fImime.types(5)\fR, \fIprinters.conf(5)\fR,
+\fIsubscriptions.conf(5)\fR,
+.br
+http://localhost:631/help
+.SH COPYRIGHT
+Copyright 2007-2012 by Apple Inc.
+."
+." End of "$Id$".
+."

Property changes on: man/cups-files.conf.man.in

---

Added: svn:keywords

• Id
  Added: svn:eol-style
• native

Index: man/cupsd.conf.man.in

--- man/cupsd.conf.man.in (revision 10708)
+++ man/cupsd.conf.man.in (working copy)
@@ -12,12 +12,15 @@
." which should have been included with this file. If this file is
." file is missing or damaged, see the license at "http://www.cups.org/".
."
-.TH cupsd.conf 5 "CUPS" "18 May 2012" "Apple Inc."
+.TH cupsd.conf 5 "CUPS" "19 November 2012" "Apple Inc."
.SH NAME
cupsd.conf - server configuration file for cups
.SH DESCRIPTION
The \fIcupsd.conf\fR file configures the CUPS scheduler, \fIcupsd(8)\fR. It
-is normally located in the \fI@CUPS_SERVERROOT@\fR directory.
+is normally located in the \fI@CUPS_SERVERROOT@\fR directory. \fBNote:\fR
+File, directory, and user configuration directives that used to be allowed in
+the \fIcupsd.conf\fR file are now stored in the \fIcups-files.conf(5)\fR instead
+in order to prevent certain types of privilege escalation attacks.
.LP
Each line in the file can be a configuration directive, a blank line,
or a comment. Comment lines start with the # character. The
@@ -27,12 +30,6 @@
The following directives are understood by \fIcupsd(8)\fR. Consult the
on-line help for detailed descriptions:
.TP 5
-AccessLog filename
-.TP 5
-AccessLog syslog
-.br
-Defines the access log filename.
-.TP 5
AccessLogLevel config
.TP 5
AccessLogLevel actions
@@ -61,20 +58,6 @@
.br
Allows access from the named hosts or addresses.
.TP 5
-AuthClass User
-.TP 5
-AuthClass Group
-.TP 5
-AuthClass System
-.br
-Specifies the authentication class (User, Group, System) -
-\fBthis directive is deprecated\fR.
-.TP 5
-AuthGroupName group-name
-.br
-Specifies the authentication group - \fBthis directive is
-deprecated\fR.
-.TP 5
AuthType None
.TP 5
AuthType Basic
@@ -108,7 +91,7 @@
.TP 5
Browsing No
.br
-Specifies whether or not remote printer browsing should be enabled.
+Specifies whether or not shared printers should be advertised.
.TP 5
Classification banner
.br
@@ -121,15 +104,6 @@
Specifies whether to allow users to override the classification
of individual print jobs.
.TP 5
-ConfigFilePerm mode
-.br
-Specifies the permissions for all configuration files that the scheduler
-writes.
-.TP 5
-DataDir path
-.br
-Specified the directory where data files can be found.
-.TP 5
DefaultAuthType Basic
.TP 5
DefaultAuthType BasicDigest
@@ -197,10 +171,6 @@
causes the update to happen as soon as possible, typically within a few
milliseconds.
.TP 5
-DocumentRoot directory
-.br
-Specifies the root directory for the internal web server documents.
-.TP 5
Encryption IfRequested
.TP 5
Encryption Never
@@ -210,28 +180,6 @@
Specifies the level of encryption that is required for a particular
location.
.TP 5
-ErrorLog filename
-.TP 5
-ErrorLog syslog
-.br
-Specifies the error log filename.
-.TP 5
-FatalErrors none
-.TP 5
-FatalErrors all -kind [... -kind]
-.TP 5
-FatalErrors kind [... kind]
-.br
-Specifies which errors are fatal, causing the scheduler to exit. "Kind" is
-"browse", "config", "listen", "log", or "permissions".
-.TP 5
-FileDevice Yes
-.TP 5
-FileDevice No
-.br
-Specifies whether the file pseudo-device can be used for new
-printer queues.
-.TP 5
FilterLimit limit
.br
Specifies the maximum cost of filters that are run concurrently.
@@ -241,15 +189,6 @@
Specifies the scheduling priority ("nice" value) of filters that
are run to print a job.
.TP 5
-FontPath directory[:directory:...]
-.br
-Specifies the search path for fonts.
-.TP 5
-Group group-name-or-number
-.br
-Specifies the group name or ID that will be used when executing
-external programs.
-.TP 5
GSSServiceName name
.br
Specifies the service name when using Kerberos authentication. The default
@@ -341,10 +280,6 @@
Specifies the number of debugging messages that are logged when an error
occurs in a print job.
.TP 5
-LogFilePerm mode
-.br
-Specifies the permissions for all log files that the scheduler writes.
-.TP 5
LogLevel alert
.TP 5
LogLevel crit
@@ -429,12 +364,6 @@
.br
Specifies the order of HTTP access control (allow,deny or deny,allow)
.TP 5
-PageLog filename
-.TP 5
-PageLog syslog
-.br
-Specifies the page log filename.
-.TP 5
PageLogFormat format string
.br
Specifies the format of page log lines.
@@ -464,15 +393,6 @@
Specifies whether or not to preserve the job history after they are
printed.
.TP 5
-Printcap
-.TP 5
-Printcap filename
-.br
-Specifies the filename for a printcap file that is updated
-automatically with a list of available printers (needed for
-legacy applications); specifying Printcap with no filename
-disables printcap generation.
-.TP 5
PrintcapFormat bsd
.TP 5
PrintcapFormat plist
@@ -481,29 +401,11 @@
.br
Specifies the format of the printcap file.
.TP 5
-PrintcapGUI
-.TP 5
-PrintcapGUI gui-program-filename
-.br
-Specifies whether to generate option panel definition files on
-some operating systems. When provided with no program filename,
-disables option panel definition files.
-.TP 5
ReloadTimeout seconds
.br
Specifies the amount of time to wait for job completion before
restarting the scheduler.
.TP 5
-RemoteRoot user-name
-.br
-Specifies the username that is associated with unauthenticated root
-accesses.
-.TP 5
-RequestRoot directory
-.br
-Specifies the directory to store print jobs and other HTTP request
-data.
-.TP 5
Require group group-name-list
.TP 5
Require user user-name-list
@@ -535,27 +437,10 @@
Specifies an alternate name that the server is known by. The special name "*"
allows any name to be used.
.TP 5
-ServerBin directory
-.br
-Specifies the directory where backends, CGIs, daemons, and filters may
-be found.
-.TP 5
-ServerCertificate filename
-.br
-Specifies the encryption certificate to use.
-.TP 5
-ServerKey filename
-.br
-Specifies the encryption key to use.
-.TP 5
ServerName hostname-or-ip-address
.br
Specifies the fully-qualified hostname of the server.
.TP 5
-ServerRoot directory
-.br
-Specifies the directory where the server configuration files can be found.
-.TP 5
ServerTokens Full
.TP 5
ServerTokens Major
@@ -619,29 +504,17 @@
"notify-events", "notify-pull-method", "notify-recipient-uri",
"notify-subscriber-user-name", and "notify-user-data".
.TP 5
-SystemGroup group-name [group-name ...]
-.br
-Specifies the group(s) to use for System class authentication.
-.TP 5
-TempDir directory
-.br
-Specifies the directory where temporary files are stored.
-.TP 5
Timeout seconds
.br
Specifies the HTTP request timeout in seconds.
.TP 5
-User user-name
-.br
-Specifies the user name or ID that is used when running external programs.
-.TP 5
WebInterface yes
.TP 5
WebInterface no
Specifies whether the web interface is enabled.
.SH SEE ALSO
-\fIclasses.conf(5)\fR, \fIcupsd(8)\fR, \fImime.convs(5)\fR,
-\fImime.types(5)\fR, \fIprinters.conf(5)\fR,
+\fIclasses.conf(5)\fR, \fIcups-files.conf(5)\fR, \fIcupsd(8)\fR,
+\fImime.convs(5)\fR, \fImime.types(5)\fR, \fIprinters.conf(5)\fR,
\fIsubscriptions.conf(5)\fR,
.br
http://localhost:631/help

Index: man/Makefile

--- man/Makefile (revision 10708)
+++ man/Makefile (working copy)
@@ -39,6 +39,7 @@
ppdpo.$(MAN1EXT)
MAN5 = classes.conf.$(MAN5EXT)
client.conf.$(MAN5EXT) \

•   cups-files.conf.$(MAN5EXT) \
  cups-snmp.conf.$(MAN5EXT) \
  cupsd.conf.$(MAN5EXT) \
  ipptoolfile.$(MAN5EXT) \
  

Property changes on: man

---

Modified: svn:ignore

• *.0
  *.1
  *.1m
  *.3
  *.5
  *.7
  *.8
  *.gz
  *.z
  client.conf.man
  cups-deviced.man
  cups-driverd.man
  cups-lpd.man
  cups-snmp.man
  cupsaddsmb.man
  cupsd.conf.man
  cupsd.man
  lpoptions.man
  mantohtml
• *.0
  *.1
  *.1m
  *.3
  *.5
  *.7
  *.8
  *.gz
  *.z
  client.conf.man
  cups-deviced.man
  cups-driverd.man
  cups-files.conf.man
  cups-lpd.man
  cups-snmp.man
  cupsaddsmb.man
  cupsd.conf.man
  cupsd.man
  lpoptions.man
  mantohtml

Index: test/run-stp-tests.sh

--- test/run-stp-tests.sh (revision 10708)
+++ test/run-stp-tests.sh (working copy)
@@ -390,26 +390,11 @@
cat >/tmp/cups-$user/cupsd.conf <<EOF
StrictConformance Yes
Browsing Off
-FileDevice yes
-Printcap
Listen localhost:$port
-User $user
-ServerRoot /tmp/cups-$user
-StateDir /tmp/cups-$user
-ServerBin /tmp/cups-$user/bin
-CacheDir /tmp/cups-$user/share
-DataDir /tmp/cups-$user/share
-FontPath /tmp/cups-$user/share/fonts
PassEnv LOCALEDIR
PassEnv DYLD_INSERT_LIBRARIES
-DocumentRoot $root/doc
-RequestRoot /tmp/cups-$user/spool
-TempDir /tmp/cups-$user/spool/temp
MaxSubscriptions 3
MaxLogSize 0
-AccessLog /tmp/cups-$user/log/access_log
-ErrorLog /tmp/cups-$user/log/error_log
-PageLog /tmp/cups-$user/log/page_log
AccessLogLevel actions
LogLevel debug2
LogTimeFormat usecs
@@ -422,6 +407,24 @@

EOF

+cat >/tmp/cups-$user/cups-files.conf <<EOF
+FileDevice yes
+Printcap
+User $user
+ServerRoot /tmp/cups-$user
+StateDir /tmp/cups-$user
+ServerBin /tmp/cups-$user/bin
+CacheDir /tmp/cups-$user/share
+DataDir /tmp/cups-$user/share
+FontPath /tmp/cups-$user/share/fonts
+DocumentRoot $root/doc
+RequestRoot /tmp/cups-$user/spool
+TempDir /tmp/cups-$user/spool/temp
+AccessLog /tmp/cups-$user/log/access_log
+ErrorLog /tmp/cups-$user/log/error_log
+PageLog /tmp/cups-$user/log/page_log
+EOF
+

Setup lots of test queues - half with PPD files, half without...

Index: configure.in

--- configure.in (revision 10708)
+++ configure.in (working copy)
@@ -60,6 +60,7 @@
AC_SUBST(UNINSTALL_LANGUAGES)

AC_OUTPUT(Makedefs

• conf/cups-files.conf
  

  conf/cupsd.conf
  conf/mime.convs
  conf/pam.std
  @@ -73,6 +74,7 @@
  man/client.conf.man
  man/cups-deviced.man
  man/cups-driverd.man

• man/cups-files.conf.man
  

  man/cups-lpd.man
  man/cups-snmp.man
  man/cupsaddsmb.man

[michaelrsweet]

"str4223v2-1.6.patch":

Index: packaging/cups.spec.in

--- packaging/cups.spec.in (revision 10708)
+++ packaging/cups.spec.in (working copy)
@@ -135,6 +135,7 @@
%defattr(-,root,root)
%dir /etc/cups
%config(noreplace) /etc/cups/*.conf
+/etc/cups/cups-files.conf.default
/etc/cups/cupsd.conf.default
%dir /etc/cups/interfaces
%dir /etc/cups/ppd

Index: packaging/cups.list.in

--- packaging/cups.list.in (revision 10708)
+++ packaging/cups.list.in (working copy)
@@ -528,6 +528,8 @@
d 0755 root $CUPS_GROUP $SERVERROOT/interfaces -
d 0755 root $CUPS_GROUP $SERVERROOT/ppd -
d 0700 root $CUPS_GROUP $SERVERROOT/ssl -
+c $CUPS_PERM root $CUPS_GROUP $SERVERROOT/cups-files.conf conf/cups-files.conf
+f $CUPS_PERM root $CUPS_GROUP $SERVERROOT/cups-files.conf.default conf/cups-files.conf
c $CUPS_PERM root $CUPS_GROUP $SERVERROOT/cupsd.conf conf/cupsd.conf
f $CUPS_PERM root $CUPS_GROUP $SERVERROOT/cupsd.conf.default conf/cupsd.conf
c $CUPS_PERM root $CUPS_GROUP $SERVERROOT/snmp.conf conf/snmp.conf

Index: conf/cups-files.conf.in

--- conf/cups-files.conf.in (revision 0)
+++ conf/cups-files.conf.in (revision 10714)
@@ -0,0 +1,98 @@
+#
+# "$Id$"
+#
+# Sample file/directory/user/group configuration file for the CUPS scheduler.
+# See "man cups-files.conf" for a complete description of this file.
+#
+
+# List of events that are considered fatal errors for the scheduler...
+#FatalErrors @CUPS_FATAL_ERRORS@
+
+# Default user and group for filters/backends/helper programs; this cannot be
+# any user or group that resolves to ID 0 for security reasons...
+#User @CUPS_USER@
+#Group @CUPS_GROUP@
+
+# Administrator user group, used to match @System in cupsd.conf policy rules...
+SystemGroup @CUPS_SYSTEM_GROUPS@
+@CUPS_SYSTEM_AUTHKEY@
+
+# User that is substituted for unauthenticated (remote) root accesses...
+#RemoteRoot remroot
+
+# Do we allow file: device URIs other than to /dev/null?
+#FileDevice No
+
+# Permissions for configuration and log files...
+#ConfigFilePerm @CUPS_CONFIG_FILE_PERM@
+#LogFilePerm @CUPS_LOG_FILE_PERM@
+
+# Location of the file logging all access to the scheduler; may be the name
+# "syslog". If not an absolute path, the value of ServerRoot is used as the
+# root directory. Also see the "AccessLogLevel" directive in cupsd.conf.
+AccessLog @CUPS_LOGDIR@/access_log
+
+# Location of cache files used by the scheduler...
+#CacheDir @CUPS_CACHEDIR@
+
+# Location of data files used by the scheduler...
+#DataDir @CUPS_DATADIR@
+
+# Location of the static web content served by the scheduler...
+#DocumentRoot @CUPS_DOCROOT@
+
+# Location of the file logging all messages produced by the scheduler and any
+# helper programs; may be the name "syslog". If not an absolute path, the value
+# of ServerRoot is used as the root directory. Also see the "LogLevel"
+# directive in cupsd.conf.
+ErrorLog @CUPS_LOGDIR@/error_log
+
+# Location of fonts used by older print filters...
+#FontPath @CUPS_FONTPATH@
+
+# Location of LPD configuration
+#LPDConfigFile @CUPS_DEFAULT_LPD_CONFIG_FILE@
+
+# Location of the file logging all pages printed by the scheduler and any
+# helper programs; may be the name "syslog". If not an absolute path, the value
+# of ServerRoot is used as the root directory. Also see the "PageLogFormat"
+# directive in cupsd.conf.
+PageLog @CUPS_LOGDIR@/page_log
+
+# Location of the file listing all of the local printers...
+#Printcap @CUPS_DEFAULT_PRINTCAP@
+
+# Format of the Printcap file...
+#PrintcapFormat bsd
+#PrintcapFormat plist
+#PrintcapFormat solaris
+
+# Location of all spool files...
+#RequestRoot @CUPS_REQUESTS@
+
+# Location of helper programs...
+#ServerBin @CUPS_SERVERBIN@
+
+# SSL/TLS certificate for the scheduler...
+#ServerCertificate @CUPS_SERVERCERT@
+
+# SSL/TLS private key for the scheduler...
+#ServerKey @CUPS_SERVERKEY@
+
+# Location of other configuration files...
+#ServerRoot @CUPS_SERVERROOT@
+
+# Location of Samba configuration file...
+#SMBConfigFile @CUPS_DEFAULT_SMB_CONFIG_FILE@
+
+# Location of scheduler state files...
+#StateDir @CUPS_STATEDIR@
+
+# Location of scheduler/helper temporary files. This directory is emptied on
+# scheduler startup and cannot be one of the standard (public) temporary
+# directory locations for security reasons...
+#TempDir @CUPS_REQUESTS@/tmp
+
+#
+# End of "$Id$".
+#

Property changes on: conf/cups-files.conf.in

---

Added: svn:keywords

• Id
  Added: svn:eol-style
• native

Index: conf/cupsd.conf.in

--- conf/cupsd.conf.in (revision 10708)
+++ conf/cupsd.conf.in (working copy)
@@ -9,10 +9,6 @@

for troubleshooting...

LogLevel @CUPS_LOG_LEVEL@

-# Administrator user group...
-SystemGroup @CUPS_SYSTEM_GROUPS@

-@CUPS_SYSTEM_AUTHKEY@

Only listen for connections from the local machine.

Listen localhost:@DEFAULT_IPP_PORT@
@CUPS_LISTEN_DOMAINSOCKET@

Index: conf/Makefile

--- conf/Makefile (revision 10708)
+++ conf/Makefile (working copy)
@@ -19,7 +19,7 @@

Config files...

-KEEP = cupsd.conf snmp.conf
+KEEP = cups-files.conf cupsd.conf snmp.conf
REPLACE = mime.convs mime.types

Index: config-scripts/cups-ssl.m4

--- config-scripts/cups-ssl.m4 (revision 10708)
+++ config-scripts/cups-ssl.m4 (working copy)
@@ -27,6 +27,8 @@
SSLFLAGS=""
SSLLIBS=""
have_ssl=0
+CUPS_SERVERCERT=""
+CUPS_SERVERKEY=""

if test x$enable_ssl != xno; then
dnl Look for CDSA...
@@ -36,6 +38,7 @@
have_ssl=1
AC_DEFINE(HAVE_SSL)
AC_DEFINE(HAVE_CDSASSL)

•   CUPS_SERVERCERT="/Library/Keychains/System.keychain"
  
  dnl Check for the various security headers...
  AC_CHECK_HEADER(Security/SecureTransportPriv.h,
  

  @@ -106,6 +109,9 @@
  fi

  if test $have_ssl = 1; then

•   CUPS_SERVERCERT="ssl/server.crt"
  

•   CUPS_SERVERKEY="ssl/server.key"
  

  •    if $PKGCONFIG --exists gcrypt; then
      SSLLIBS="$SSLLIBS `$PKGCONFIG --libs gcrypt`"
      SSLFLAGS="$SSLFLAGS `$PKGCONFIG --cflags gcrypt`"
    

  @@ -148,6 +154,9 @@
  done

  if test "x${SSLLIBS}" != "x"; then
  

•   CUPS_SERVERCERT="ssl/server.crt"
  

•   CUPS_SERVERKEY="ssl/server.key"
  

  • LIBS="$SAVELIBS $SSLLIBS"
    AC_CHECK_FUNCS(SSL_set_tlsext_host_name)
    fi
    @@ -165,6 +174,8 @@
    AC_MSG_ERROR([Unable to enable SSL support.])
    fi

+AC_SUBST(CUPS_SERVERCERT)
+AC_SUBST(CUPS_SERVERKEY)
AC_SUBST(IPPALIASES)
AC_SUBST(SSLFLAGS)
AC_SUBST(SSLLIBS)

Index: config-scripts/cups-defaults.m4

--- config-scripts/cups-defaults.m4 (revision 10708)
+++ config-scripts/cups-defaults.m4 (working copy)
@@ -305,6 +305,7 @@
fi

AC_DEFINE_UNQUOTED(CUPS_DEFAULT_LPD_CONFIG_FILE, "$CUPS_DEFAULT_LPD_CONFIG_FILE")
+AC_SUBST(CUPS_DEFAULT_LPD_CONFIG_FILE)

dnl Default SMB config file...
AC_ARG_WITH(smbconfigfile, [ --with-smbconfigfile set default SMBConfigFile URI],
@@ -326,6 +327,7 @@
fi

AC_DEFINE_UNQUOTED(CUPS_DEFAULT_SMB_CONFIG_FILE, "$CUPS_DEFAULT_SMB_CONFIG_FILE")
+AC_SUBST(CUPS_DEFAULT_SMB_CONFIG_FILE)

dnl Default MaxCopies value...
AC_ARG_WITH(max-copies, [ --with-max-copies set default max copies value, default=9999 ],

Index: doc/help/ref-cups-files-conf.html.in

--- doc/help/ref-cups-files-conf.html.in (revision 0)
+++ doc/help/ref-cups-files-conf.html.in (revision 10714)
@@ -0,0 +1,531 @@
+
+
+

• <TITLE>cups-files.conf</TITLE>

+
+
+
+

cups-files.conf

+
+

The /etc/cups/cups-files.conf file contains configuration directives that control the files, directories. users. and groups that are used by the CUPS scheduler, cupsd(8). Each directive is listed on a line by itself followed by its value. Comments are introduced using the number sign ("#") character at the beginning of a line.

+
+

AccessLog

+
+

Examples

+
+

+AccessLog /var/log/cups/access_log

+AccessLog /var/log/cups/access_log-%s

+AccessLog syslog

+

+
+

Description

+
+

The AccessLog directive sets the name of the
+access log file. If the filename is not absolute then it is
+assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+access log file is stored in "common log format" and can be used
+by any web access reporting tool to generate a report on CUPS
+server activity.

+
+

The server name can be included in the filename by using
+%s in the name.

+
+

The special name "syslog" can be used to send the access
+information to the system log instead of a plain file.

+
+

The default access log file is
+@CUPS_LOGDIR@/access_log.

+
+
+

CUPS 1.1.15ConfigFilePerm

+
+

Examples

+
+

+ConfigFilePerm 0644

+ConfigFilePerm 0640

+

+
+

Description

+
+

The ConfigFilePerm directive specifies the permissions to use when the scheduler writes configuration and cache files, typically in response to IPP or HTTP requests. The default is @CUPS_CONFIG_FILE_PERM@.

+
+

Note:
+
+

The permissions for the printers.conf file are always masked to only allow access from the scheduler user (typically root). This is done because printer device URIs sometimes contain sensitive authentication information that should not be generally known on the system. There is no way to disable this security feature.

+
+

+
+
+

DataDir

+
+

Examples

+
+

+DataDir /usr/share/cups

+

+
+

Description

+
+

The DataDir directive sets the directory to use
+for data files.

+
+
+

CUPS 1.2/OS X 10.5DefaultAuthType

+
+

Examples

+
+

+DefaultAuthType Basic

+DefaultAuthType BasicDigest

+DefaultAuthType Digest

+DefaultAuthType Negotiate

+

+
+

Description

+
+

The DefaultAuthType directive specifies the type
+of authentication to use for IPP operations that require a
+username. The default is Basic.

+
+
+

DocumentRoot

+
+

Examples

+
+

+DocumentRoot /usr/share/doc/cups

+DocumentRoot /foo/bar/doc/cups

+

+
+

Description

+
+

The DocumentRoot directive specifies the location
+of web content for the HTTP server in CUPS. If an absolute path
+is not specified then it is assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default directory is @CUPS_DOCROOT@.

+
+

Documents are first looked up in a sub-directory for the
+primary language requested by the client (e.g.
+@CUPS_DOCROOT@/fr/...) and then directly under
+the DocumentRoot directory (e.g.
+@CUPS_DOCROOT@/...), so it is possible to
+localize the web content by providing subdirectories for each
+language needed.

+
+
+

ErrorLog

+
+

Examples

+
+

+ErrorLog /var/log/cups/error_log

+ErrorLog /var/log/cups/error_log-%s

+ErrorLog syslog

+

+
+

Description

+
+

The ErrorLog directive sets the name of the error
+log file. If the filename is not absolute then it is assumed to
+be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default error log file is @CUPS_LOGDIR@/error_log.

+
+

The server name can be included in the filename by using
+%s in the name.

+
+

The special name "syslog" can be used to send the error
+information to the system log instead of a plain file.

+
+
+

CUPS 1.4/OS X 10.6FatalErrors

+
+

Examples

+
+

+FatalErrors none

+FatalErrors all

+FatalErrors browse

+FatalErrors config

+FatalErrors listen

+FatalErrors log

+FatalErrors permissions

+FatalErrors all -permissions

+FatalErrors config permissions log

+

+
+

Description

+
+

The FatalErrors directive determines whether certain kinds of
+errors are fatal. The following kinds of errors are currently recognized:

+
+

+
• none - No errors are fatal
• all - All of the errors below are fatal
• browse - Browsing initialization errors are fatal,
• for example failed binding to the CUPS browse port or failed connections
• to LDAP servers
• config - Configuration file syntax errors are
• fatal
• listen - Listen or Port errors are fatal, except for
• IPv6 failures on the loopback or "any" addresses
• log - Log file creation or write errors are fatal
• permissions - Bad startup file permissions are
• fatal, for example shared SSL certificate and key files with world-
• read permissions

+

+
+

Multiple errors can be listed, and the form "-kind" can be used with
+all to remove specific kinds of errors. The default setting is
+@CUPS_FATAL_ERRORS@.

+
+
+

CUPS 1.1.18FileDevice

+
+

Examples

+
+

+FileDevice Yes

+FileDevice No

+

+
+

Description

+
+

The FileDevice directive determines whether the
+scheduler allows new printers to be added using device URIs of
+the form file:/filename. File devices are most often
+used to test new printer drivers and do not support raw file
+printing.

+
+

The default setting is No.

+
+

Note:
+
+

File devices are managed by the scheduler. Since the
+scheduler normally runs as the root user, file devices
+can be used to overwrite system files and potentially
+gain unauthorized access to the system. If you must
+create printers using file devices, we recommend that
+you set the FileDevice directive to
+Yes for only as long as you need to add the
+printers to the system, and then reset the directive to
+No.

+
+

+
+
+

CUPS 1.1.3FontPath

+
+

Examples

+
+

+FontPath /foo/bar/fonts

+FontPath /usr/share/cups/fonts:/foo/bar/fonts

+

+
+

Description

+
+

The FontPath directive specifies the font path to
+use when searching for fonts. The default font path is
+/usr/share/cups/fonts.

+
+
+

Group

+
+

Examples

+
+

+Group lp

+Group nobody

+

+
+

Description

+
+

The Group directive specifies the UNIX group that
+filter and CGI programs run as. The default group is
+system-specific but is usually lp or
+nobody.

+
+
+

CUPS 1.1.15LogFilePerm

+
+

Examples

+
+

+LogFilePerm 0644

+LogFilePerm 0600

+

+
+

Description

+
+

The LogFilePerm directive specifies the
+permissions to use when writing log files. The default
+is @CUPS_LOG_FILE_PERM@.

+
+
+

PageLog

+
+

Examples

+
+

+PageLog /var/log/cups/page_log

+PageLog /var/log/cups/page_log-%s

+PageLog syslog

+

+
+

Description

+
+

The PageLog directive sets the name of the page
+log file. If the filename is not absolute then it is assumed to
+be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default page log file is @CUPS_LOGDIR@/page_log.

+
+

The server name can be included in the filename by using
+%s in the name.

+
+

The special name "syslog" can be used to send the page
+information to the system log instead of a plain file.

+
+
+

Printcap

+
+

Examples

+
+

+Printcap

+Printcap /etc/printcap

+Printcap /etc/printers.conf

+Printcap /Library/Preferences/org.cups.printers.plist

+

+
+

Description

+
+

The Printcap directive controls whether or not a
+printcap file is automatically generated and updated with a list
+of available printers. If specified with no value, then no
+printcap file will be generated. The default is to generate a
+file named @CUPS_DEFAULT_PRINTCAP@.

+
+

When a filename is specified (e.g. @CUPS_DEFAULT_PRINTCAP@),
+the printcap file is written whenever a printer is added or
+removed. The printcap file can then be used by applications that
+are hardcoded to look at the printcap file for the available
+printers.

+
+
+

PrintcapFormat

+
+

Examples

+
+

+PrintcapFormat BSD

+PrintcapFormat Solaris

+PrintcapFormat plist

+

+
+

Description

+
+

The PrintcapFormat directive controls the output format of the
+printcap file. The default is to generate the plist format on OS X, the
+Solaris format on Solaris, and the BSD format on other operating systems.

+
+
+

CUPS 1.1.3RemoteRoot

+
+

Examples

+
+

+RemoteRoot remroot

+RemoteRoot root

+

+
+

Description

+
+

The RemoteRoot directive sets the username for
+unauthenticated root requests from remote hosts. The default
+username is remroot. Setting RemoteRoot
+to root effectively disables this security
+mechanism.

+
+
+

RequestRoot

+
+

Examples

+
+

+RequestRoot /var/spool/cups

+RequestRoot /foo/bar/spool/cups

+

+
+

Description

+
+

The RequestRoot directive sets the directory for
+incoming IPP requests and HTML forms. If an absolute path is not
+provided then it is assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default request directory is @CUPS_REQUESTS@.

+
+
+

ServerBin

+
+

Examples

+
+

+ServerBin /usr/lib/cups

+ServerBin /foo/bar/lib/cups

+

+
+

Description

+
+

The ServerBin directive sets the directory for
+server-run executables. If an absolute path is not provided then
+it is assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default executable directory is /usr/lib/cups,
+/usr/lib32/cups, or /usr/libexec/cups
+depending on the operating system.

+
+
+

ServerCertificate

+
+

Examples

+
+

+ServerCertificate /etc/cups/ssl/server.crt

+

+
+

Description

+
+

The ServerCertificate directive specifies the
+location of the SSL certificate file used by the server when
+negotiating encrypted connections. The certificate must not be
+encrypted (password protected) since the scheduler normally runs
+in the background and will be unable to ask for a password.

+
+

The default certificate file is
+/etc/cups/ssl/server.crt.

+
+
+

ServerKey

+
+

Examples

+
+

+ServerKey /etc/cups/ssl/server.key

+

+
+

Description

+
+

The ServerKey directive specifies the location of
+the SSL private key file used by the server when negotiating
+encrypted connections.

+
+

The default key file is
+/etc/cups/ssl/server.crt.

+
+
+

ServerRoot

+
+

Examples

+
+

+ServerRoot /etc/cups

+ServerRoot /foo/bar/cups

+

+
+

Description

+
+

The ServerRoot directive specifies the absolute
+path to the server configuration and state files. It is also used
+to resolve relative paths in the cupsd.conf file. The
+default server directory is /etc/cups.

+
+
+

SystemGroup

+
+

Examples

+
+

+SystemGroup lpadmin

+SystemGroup sys

+SystemGroup system

+SystemGroup root

+SystemGroup root lpadmin

+

+
+

Description

+
+

The SystemGroup directive specifies the system
+administration group for System authentication.
+Multiple groups can be listed, separated with spaces. The default
+group list is @CUPS_SYSTEM_GROUPS@.

+
+
+

TempDir

+
+

Examples

+
+

+TempDir /var/tmp

+TempDir /foo/bar/tmp

+

+
+

Description

+
+

The TempDir directive specifies an absolute path
+for the directory to use for temporary files. The default
+directory is @CUPS_REQUESTS@/tmp.

+
+

Temporary directories must be world-writable and should have
+the "sticky" permission bit enabled so that other users cannot
+delete filter temporary files. The following commands will create
+an appropriate temporary directory called
+/foo/bar/tmp:

+
+

+mkdir /foo/bar/tmp

+chmod a+rwxt /foo/bar/tmp

+

+
+
+

User

+
+

Examples

+
+

+User lp

+User guest

+

+
+

Description

+
+

The User directive specifies the UNIX user that
+filter and CGI programs run as. The default user is
+@CUPS_USER@.

+
+

Note:
+
+

You may not use user root, as that would expose
+the system to unacceptable security risks. The scheduler will
+automatically choose user nobody if you specify a
+user whose ID is 0.

+
+

+
+
+
+

Property changes on: doc/help/ref-cups-files-conf.html.in

---

Added: svn:keywords

• Id
  Added: svn:eol-style
• native

Index: doc/help/ref-cupsd-conf.html.in

--- doc/help/ref-cupsd-conf.html.in (revision 10708)
+++ doc/help/ref-cupsd-conf.html.in (working copy)
@@ -197,82 +197,6 @@
HREF="#Limit">Limit section.

-

DeprecatedAuthClass

-

Examples

-

-<Location /path>


...
AuthClass Anonymous
AuthClass User
AuthClass System
AuthClass Group

-</Location>

-

-

Description

-

The AuthClass directive defines what level of
-authentication is required:

-

• Anonymous - No authentication should be

- performed (default)

• User - A valid username and password is

- required

• System - A valid username and password
• is required, and the username must belong to the "sys"
• group; this can be changed using the <A
• HREF="#SystemGroup">SystemGroup

- directive

• Group - A valid username and password is
• required, and the username must belong to the group named
• by the <A
• HREF="#AuthGroupName">AuthGroupName

- directive

-

-

The AuthClass directive must appear inside a <A
-HREF="#Location">Location or <A

-HREF="#Limit">Limit section.

-

This directive is deprecated and will be removed from a
-future release of CUPS. Consider using the more flexible <A

-HREF="#Require">Require directive instead.

-

DeprecatedAuthGroupName

-

Examples

-

-<Location /path>


...
AuthGroupName mygroup
AuthGroupName lp

-</Location>

-

-

Description

-

The AuthGroupName directive sets the group to use

-for Group authentication.

-

The AuthGroupName directive must appear inside a
-Location or <A

-HREF="#Limit">Limit section.

-

This directive is deprecated and will be removed from a
-future release of CUPS. Consider using the more flexible <A

-HREF="#Require">Require directive instead.

AuthType

Examples

@@ -2096,65 +2020,6 @@

-

Printcap

-

Examples

-

-Printcap

-Printcap /etc/printcap

-Printcap /etc/printers.conf

-Printcap /Library/Preferences/org.cups.printers.plist

-

-

Description

-

The Printcap directive controls whether or not a
-printcap file is automatically generated and updated with a list
-of available printers. If specified with no value, then no
-printcap file will be generated. The default is to generate a

-file named @CUPS_DEFAUL_PRINTCAP@.

-

When a filename is specified (e.g. @CUPS_DEFAULT_PRINTCAP@),
-the printcap file is written whenever a printer is added or
-removed. The printcap file can then be used by applications that
-are hardcoded to look at the printcap file for the available

-printers.

-

PrintcapFormat

-

Examples

-

-PrintcapFormat BSD

-PrintcapFormat Solaris

-PrintcapFormat plist

-

-

Description

-

The PrintcapFormat directive controls the output format of the
-printcap file. The default is to generate the plist format on OS X, the

-Solaris format on Solaris, and the BSD format on other operating systems.

-

CUPS 1.1.13PrintcapGUI

-

Examples

-

-PrintGUI /usr/bin/glpoptions

-

-

Description

-

The PrintcapGUI directive sets the program to
-associate with the IRIX printer GUI interface script which is
-used by IRIX applications to display printer-specific options.

-There is no default program.

CUPS 1.1.21ReloadTimeout

Examples

@@ -2171,42 +2036,6 @@ before doing a restart. The default is 30 seconds.

-

CUPS 1.1.3RemoteRoot

-

Examples

-

-RemoteRoot remroot

-RemoteRoot root

-

-

Description

-

The RemoteRoot directive sets the username for
-unauthenticated root requests from remote hosts. The default
-username is remroot. Setting RemoteRoot
-to root effectively disables this security

-mechanism.

-

RequestRoot

-

Examples

-

-RequestRoot /var/spool/cups

-RequestRoot /foo/bar/spool/cups

-

-

Description

-

The RequestRoot directive sets the directory for
-incoming IPP requests and HTML forms. If an absolute path is not
-provided then it is assumed to be relative to the <A
-HREF="#ServerRoot">ServerRoot directory. The

-default request directory is @CUPS_REQUESTS@.

CUPS 1.1.7Require

Examples

@@ -2359,64 +2188,6 @@

-

ServerBin

-

Examples

-

-ServerBin /usr/lib/cups

-ServerBin /foo/bar/lib/cups

-

-

Description

-

The ServerBin directive sets the directory for
-server-run executables. If an absolute path is not provided then
-it is assumed to be relative to the <A
-HREF="#ServerRoot">ServerRoot directory. The
-default executable directory is /usr/lib/cups,
-/usr/lib32/cups, or /usr/libexec/cups

-depending on the operating system.

-

ServerCertificate

-

Examples

-

-ServerCertificate /etc/cups/ssl/server.crt

-

-

Description

-

The ServerCertificate directive specifies the
-location of the SSL certificate file used by the server when
-negotiating encrypted connections. The certificate must not be
-encrypted (password protected) since the scheduler normally runs

-in the background and will be unable to ask for a password.

-

The default certificate file is

-/etc/cups/ssl/server.crt.

-

ServerKey

-

Examples

-

-ServerKey /etc/cups/ssl/server.key

-

-

Description

-

The ServerKey directive specifies the location of
-the SSL private key file used by the server when negotiating

-encrypted connections.

-

The default key file is

-/etc/cups/ssl/server.crt.

ServerName

Examples

@@ -2433,23 +2204,6 @@ hostname.

-

ServerRoot

-

Examples

-

-ServerRoot /etc/cups

-ServerRoot /foo/bar/cups

-

-

Description

-

The ServerRoot directive specifies the absolute
-path to the server configuration and state files. It is also used
-to resolve relative paths in the cupsd.conf file. The

-default server directory is /etc/cups.

CUPS 1.1.21ServerTokens

Examples

@@ -2645,53 +2399,6 @@ HREF="#Policy">Policy section.

-

SystemGroup

-

Examples

-

-SystemGroup lpadmin

-SystemGroup sys

-SystemGroup system

-SystemGroup root

-SystemGroup root lpadmin

-

-

Description

-

The SystemGroup directive specifies the system
-administration group for System authentication.
-Multiple groups can be listed, separated with spaces. The default

-group list is @CUPS_SYSTEM_GROUPS@.

-

TempDir

-

Examples

-

-TempDir /var/tmp

-TempDir /foo/bar/tmp

-

-

Description

-

The TempDir directive specifies an absolute path
-for the directory to use for temporary files. The default

-directory is @CUPS_REQUESTS@/tmp.

-

Temporary directories must be world-writable and should have
-the "sticky" permission bit enabled so that other users cannot
-delete filter temporary files. The following commands will create
-an appropriate temporary directory called

-/foo/bar/tmp:

-

-mkdir /foo/bar/tmp

-chmod a+rwxt /foo/bar/tmp

-

Timeout

Examples

@@ -2712,53 +2419,6 @@

The default timeout is 5m (five minutes).

-

CUPS 1.2/OS X 10.5UseNetworkDefault

-

Examples

-

-UseNetworkDefault yes

-UseNetworkDefault no

-

-

Description

-

The UseNetworkDefault directive controls whether
-the client will use a network/remote printer as a default
-printer. If enabled, the default printer of a server is used as
-the default printer on a client. When multiple servers are
-advertising a default printer, the client's default printer is
-set to the first discovered printer, or to the implicit class for

-the same printer available from multiple servers.

-

The default is @CUPS_USE_NETWORK_DEFAULT@.

-

User

-

Examples

-

-User lp

-User guest

-

-

Description

-

The User directive specifies the UNIX user that
-filter and CGI programs run as. The default user is

-@CUPS_USER@.

-

Note:

-

You may not use user root, as that would expose
-the system to unacceptable security risks. The scheduler will
-automatically choose user nobody if you specify a

-user whose ID is 0.

-

CUPS 1.5WebInterface

Examples

Index: doc/Makefile

--- doc/Makefile (revision 10708)
+++ doc/Makefile (working copy)
@@ -3,7 +3,7 @@

Documentation makefile for CUPS.

-# Copyright 2007-2011 by Apple Inc.
+# Copyright 2007-2012 by Apple Inc.

Copyright 1997-2007 by Easy Software Products.

These coded instructions, statements, and computer programs are the

Index: man/cups-files.conf.man.in

--- man/cups-files.conf.man.in (revision 0)
+++ man/cups-files.conf.man.in (revision 10714)
@@ -0,0 +1,146 @@
+."
+." "$Id$"
+."
+." cupsd.conf man page for CUPS.
+."
+." Copyright 2007-2012 by Apple Inc.
+." Copyright 1997-2006 by Easy Software Products.
+."
+." These coded instructions, statements, and computer programs are the
+." property of Apple Inc. and are protected by Federal copyright
+." law. Distribution and use rights are outlined in the file "LICENSE.txt"
+." which should have been included with this file. If this file is
+." file is missing or damaged, see the license at "http://www.cups.org/".
+."
+.TH cups-files.conf 5 "CUPS" "19 November 2012" "Apple Inc."
+.SH NAME
+cups-files.conf - file and directory configuration file for cups
+.SH DESCRIPTION
+The \fIcups-file.conf\fR file configures the files and directories used by the
+CUPS scheduler, \fIcupsd(8)\fR. It is normally located in the
+\fI@CUPS_SERVERROOT@\fR directory.
+.LP
+Each line in the file can be a configuration directive, a blank line,
+or a comment. Comment lines start with the # character.
+.SH DIRECTIVES
+The following directives are understood by \fIcupsd(8)\fR. Consult the
+on-line help for detailed descriptions:
+.TP 5
+AccessLog filename
+.TP 5
+AccessLog syslog
+.br
+Defines the access log filename.
+.TP 5
+ConfigFilePerm mode
+.br
+Specifies the permissions for all configuration files that the scheduler
+writes.
+.TP 5
+DataDir path
+.br
+Specified the directory where data files can be found.
+.TP 5
+DocumentRoot directory
+.br
+Specifies the root directory for the internal web server documents.
+.TP 5
+ErrorLog filename
+.TP 5
+ErrorLog syslog
+.br
+Specifies the error log filename.
+.TP 5
+FatalErrors none
+.TP 5
+FatalErrors all -kind [... -kind]
+.TP 5
+FatalErrors kind [... kind]
+.br
+Specifies which errors are fatal, causing the scheduler to exit. "Kind" is
+"browse", "config", "listen", "log", or "permissions".
+.TP 5
+FileDevice Yes
+.TP 5
+FileDevice No
+.br
+Specifies whether the file pseudo-device can be used for new
+printer queues.
+.TP 5
+FontPath directory[:directory:...]
+.br
+Specifies the search path for fonts.
+.TP 5
+Group group-name-or-number
+.br
+Specifies the group name or ID that will be used when executing
+external programs.
+.TP 5
+LogFilePerm mode
+.br
+Specifies the permissions for all log files that the scheduler writes.
+.TP 5
+PageLog filename
+.TP 5
+PageLog syslog
+.br
+Specifies the page log filename.
+.TP 5
+Printcap
+.TP 5
+Printcap filename
+.br
+Specifies the filename for a printcap file that is updated
+automatically with a list of available printers (needed for
+legacy applications); specifying Printcap with no filename
+disables printcap generation.
+.TP 5
+RemoteRoot user-name
+.br
+Specifies the username that is associated with unauthenticated root
+accesses.
+.TP 5
+RequestRoot directory
+.br
+Specifies the directory to store print jobs and other HTTP request
+data.
+.TP 5
+ServerBin directory
+.br
+Specifies the directory where backends, CGIs, daemons, and filters may
+be found.
+.TP 5
+ServerCertificate filename
+.br
+Specifies the encryption certificate to use.
+.TP 5
+ServerKey filename
+.br
+Specifies the encryption key to use.
+.TP 5
+ServerRoot directory
+.br
+Specifies the directory where the server configuration files can be found.
+.TP 5
+SystemGroup group-name [group-name ...]
+.br
+Specifies the group(s) to use for System class authentication.
+.TP 5
+TempDir directory
+.br
+Specifies the directory where temporary files are stored.
+.TP 5
+User user-name
+.br
+Specifies the user name or ID that is used when running external programs.
+.SH SEE ALSO
+\fIclasses.conf(5)\fR, \fIcupsd(8)\fR, \fIcupsd.conf(5)\fR, \fImime.convs(5)\fR,
+\fImime.types(5)\fR, \fIprinters.conf(5)\fR,
+\fIsubscriptions.conf(5)\fR,
+.br
+http://localhost:631/help
+.SH COPYRIGHT
+Copyright 2007-2012 by Apple Inc.
+."
+." End of "$Id$".
+."

Property changes on: man/cups-files.conf.man.in

---

Added: svn:keywords

• Id
  Added: svn:eol-style
• native

Index: man/cupsd.conf.man.in

--- man/cupsd.conf.man.in (revision 10708)
+++ man/cupsd.conf.man.in (working copy)
@@ -12,12 +12,15 @@
." which should have been included with this file. If this file is
." file is missing or damaged, see the license at "http://www.cups.org/".
."
-.TH cupsd.conf 5 "CUPS" "18 May 2012" "Apple Inc."
+.TH cupsd.conf 5 "CUPS" "19 November 2012" "Apple Inc."
.SH NAME
cupsd.conf - server configuration file for cups
.SH DESCRIPTION
The \fIcupsd.conf\fR file configures the CUPS scheduler, \fIcupsd(8)\fR. It
-is normally located in the \fI@CUPS_SERVERROOT@\fR directory.
+is normally located in the \fI@CUPS_SERVERROOT@\fR directory. \fBNote:\fR
+File, directory, and user configuration directives that used to be allowed in
+the \fIcupsd.conf\fR file are now stored in the \fIcups-files.conf(5)\fR instead
+in order to prevent certain types of privilege escalation attacks.
.LP
Each line in the file can be a configuration directive, a blank line,
or a comment. Comment lines start with the # character. The
@@ -27,12 +30,6 @@
The following directives are understood by \fIcupsd(8)\fR. Consult the
on-line help for detailed descriptions:
.TP 5
-AccessLog filename
-.TP 5
-AccessLog syslog
-.br
-Defines the access log filename.
-.TP 5
AccessLogLevel config
.TP 5
AccessLogLevel actions
@@ -61,20 +58,6 @@
.br
Allows access from the named hosts or addresses.
.TP 5
-AuthClass User
-.TP 5
-AuthClass Group
-.TP 5
-AuthClass System
-.br
-Specifies the authentication class (User, Group, System) -
-\fBthis directive is deprecated\fR.
-.TP 5
-AuthGroupName group-name
-.br
-Specifies the authentication group - \fBthis directive is
-deprecated\fR.
-.TP 5
AuthType None
.TP 5
AuthType Basic
@@ -108,7 +91,7 @@
.TP 5
Browsing No
.br
-Specifies whether or not remote printer browsing should be enabled.
+Specifies whether or not shared printers should be advertised.
.TP 5
Classification banner
.br
@@ -121,15 +104,6 @@
Specifies whether to allow users to override the classification
of individual print jobs.
.TP 5
-ConfigFilePerm mode
-.br
-Specifies the permissions for all configuration files that the scheduler
-writes.
-.TP 5
-DataDir path
-.br
-Specified the directory where data files can be found.
-.TP 5
DefaultAuthType Basic
.TP 5
DefaultAuthType BasicDigest
@@ -197,10 +171,6 @@
causes the update to happen as soon as possible, typically within a few
milliseconds.
.TP 5
-DocumentRoot directory
-.br
-Specifies the root directory for the internal web server documents.
-.TP 5
Encryption IfRequested
.TP 5
Encryption Never
@@ -210,28 +180,6 @@
Specifies the level of encryption that is required for a particular
location.
.TP 5
-ErrorLog filename
-.TP 5
-ErrorLog syslog
-.br
-Specifies the error log filename.
-.TP 5
-FatalErrors none
-.TP 5
-FatalErrors all -kind [... -kind]
-.TP 5
-FatalErrors kind [... kind]
-.br
-Specifies which errors are fatal, causing the scheduler to exit. "Kind" is
-"browse", "config", "listen", "log", or "permissions".
-.TP 5
-FileDevice Yes
-.TP 5
-FileDevice No
-.br
-Specifies whether the file pseudo-device can be used for new
-printer queues.
-.TP 5
FilterLimit limit
.br
Specifies the maximum cost of filters that are run concurrently.
@@ -241,15 +189,6 @@
Specifies the scheduling priority ("nice" value) of filters that
are run to print a job.
.TP 5
-FontPath directory[:directory:...]
-.br
-Specifies the search path for fonts.
-.TP 5
-Group group-name-or-number
-.br
-Specifies the group name or ID that will be used when executing
-external programs.
-.TP 5
GSSServiceName name
.br
Specifies the service name when using Kerberos authentication. The default
@@ -341,10 +280,6 @@
Specifies the number of debugging messages that are logged when an error
occurs in a print job.
.TP 5
-LogFilePerm mode
-.br
-Specifies the permissions for all log files that the scheduler writes.
-.TP 5
LogLevel alert
.TP 5
LogLevel crit
@@ -429,12 +364,6 @@
.br
Specifies the order of HTTP access control (allow,deny or deny,allow)
.TP 5
-PageLog filename
-.TP 5
-PageLog syslog
-.br
-Specifies the page log filename.
-.TP 5
PageLogFormat format string
.br
Specifies the format of page log lines.
@@ -464,15 +393,6 @@
Specifies whether or not to preserve the job history after they are
printed.
.TP 5
-Printcap
-.TP 5
-Printcap filename
-.br
-Specifies the filename for a printcap file that is updated
-automatically with a list of available printers (needed for
-legacy applications); specifying Printcap with no filename
-disables printcap generation.
-.TP 5
PrintcapFormat bsd
.TP 5
PrintcapFormat plist
@@ -481,29 +401,11 @@
.br
Specifies the format of the printcap file.
.TP 5
-PrintcapGUI
-.TP 5
-PrintcapGUI gui-program-filename
-.br
-Specifies whether to generate option panel definition files on
-some operating systems. When provided with no program filename,
-disables option panel definition files.
-.TP 5
ReloadTimeout seconds
.br
Specifies the amount of time to wait for job completion before
restarting the scheduler.
.TP 5
-RemoteRoot user-name
-.br
-Specifies the username that is associated with unauthenticated root
-accesses.
-.TP 5
-RequestRoot directory
-.br
-Specifies the directory to store print jobs and other HTTP request
-data.
-.TP 5
Require group group-name-list
.TP 5
Require user user-name-list
@@ -535,27 +437,10 @@
Specifies an alternate name that the server is known by. The special name "*"
allows any name to be used.
.TP 5
-ServerBin directory
-.br
-Specifies the directory where backends, CGIs, daemons, and filters may
-be found.
-.TP 5
-ServerCertificate filename
-.br
-Specifies the encryption certificate to use.
-.TP 5
-ServerKey filename
-.br
-Specifies the encryption key to use.
-.TP 5
ServerName hostname-or-ip-address
.br
Specifies the fully-qualified hostname of the server.
.TP 5
-ServerRoot directory
-.br
-Specifies the directory where the server configuration files can be found.
-.TP 5
ServerTokens Full
.TP 5
ServerTokens Major
@@ -619,29 +504,17 @@
"notify-events", "notify-pull-method", "notify-recipient-uri",
"notify-subscriber-user-name", and "notify-user-data".
.TP 5
-SystemGroup group-name [group-name ...]
-.br
-Specifies the group(s) to use for System class authentication.
-.TP 5
-TempDir directory
-.br
-Specifies the directory where temporary files are stored.
-.TP 5
Timeout seconds
.br
Specifies the HTTP request timeout in seconds.
.TP 5
-User user-name
-.br
-Specifies the user name or ID that is used when running external programs.
-.TP 5
WebInterface yes
.TP 5
WebInterface no
Specifies whether the web interface is enabled.
.SH SEE ALSO
-\fIclasses.conf(5)\fR, \fIcupsd(8)\fR, \fImime.convs(5)\fR,
-\fImime.types(5)\fR, \fIprinters.conf(5)\fR,
+\fIclasses.conf(5)\fR, \fIcups-files.conf(5)\fR, \fIcupsd(8)\fR,
+\fImime.convs(5)\fR, \fImime.types(5)\fR, \fIprinters.conf(5)\fR,
\fIsubscriptions.conf(5)\fR,
.br
http://localhost:631/help

Index: man/Makefile

--- man/Makefile (revision 10708)
+++ man/Makefile (working copy)
@@ -39,6 +39,7 @@
ppdpo.$(MAN1EXT)
MAN5 = classes.conf.$(MAN5EXT)
client.conf.$(MAN5EXT) \

•   cups-files.conf.$(MAN5EXT) \
  cups-snmp.conf.$(MAN5EXT) \
  cupsd.conf.$(MAN5EXT) \
  ipptoolfile.$(MAN5EXT) \
  

  Index: test/run-stp-tests.sh

  --- test/run-stp-tests.sh (revision 10708)
  +++ test/run-stp-tests.sh (working copy)
  @@ -390,26 +390,11 @@
  cat >/tmp/cups-$user/cupsd.conf <<EOF
  StrictConformance Yes
  Browsing Off
  -FileDevice yes
  -Printcap
  Listen localhost:$port
  -User $user
  -ServerRoot /tmp/cups-$user
  -StateDir /tmp/cups-$user
  -ServerBin /tmp/cups-$user/bin
  -CacheDir /tmp/cups-$user/share
  -DataDir /tmp/cups-$user/share
  -FontPath /tmp/cups-$user/share/fonts
  PassEnv LOCALEDIR
  PassEnv DYLD_INSERT_LIBRARIES
  -DocumentRoot $root/doc
  -RequestRoot /tmp/cups-$user/spool
  -TempDir /tmp/cups-$user/spool/temp
  MaxSubscriptions 3
  MaxLogSize 0
  -AccessLog /tmp/cups-$user/log/access_log
  -ErrorLog /tmp/cups-$user/log/error_log
  -PageLog /tmp/cups-$user/log/page_log
  AccessLogLevel actions
  LogLevel debug2
  LogTimeFormat usecs
  @@ -422,6 +407,24 @@
  
  EOF

+cat >/tmp/cups-$user/cups-files.conf <<EOF
+FileDevice yes
+Printcap
+User $user
+ServerRoot /tmp/cups-$user
+StateDir /tmp/cups-$user
+ServerBin /tmp/cups-$user/bin
+CacheDir /tmp/cups-$user/share
+DataDir /tmp/cups-$user/share
+FontPath /tmp/cups-$user/share/fonts
+DocumentRoot $root/doc
+RequestRoot /tmp/cups-$user/spool
+TempDir /tmp/cups-$user/spool/temp
+AccessLog /tmp/cups-$user/log/access_log
+ErrorLog /tmp/cups-$user/log/error_log
+PageLog /tmp/cups-$user/log/page_log
+EOF
+

Setup lots of test queues - half with PPD files, half without...

Index: configure.in

--- configure.in (revision 10708)
+++ configure.in (working copy)
@@ -60,6 +60,7 @@
AC_SUBST(UNINSTALL_LANGUAGES)

AC_OUTPUT(Makedefs

• conf/cups-files.conf
  

  conf/cupsd.conf
  conf/mime.convs
  conf/pam.std
  @@ -73,6 +74,7 @@
  man/client.conf.man
  man/cups-deviced.man
  man/cups-driverd.man

• man/cups-files.conf.man
  

  man/cups-lpd.man
  man/cups-snmp.man
  man/cupsaddsmb.man

  Index: CHANGES.txt

  --- CHANGES.txt (revision 10708)
  +++ CHANGES.txt (working copy)
  @@ -1,10 +1,13 @@
  -CHANGES.txt - 1.6.2 - 2012-11-08

  +CHANGES.txt - 1.6.2 - 2012-11-26

  CHANGES IN CUPS V1.6.2

  • Documentation fixes
• • Security: All file, directory, user, and group settings are now stored

• in a separate cups-files.conf configuration file that cannot be set
  

• through the CUPS web interface or APIs (STR #4223)
  

  • The SNMP backend now tries to work around broken printers that use a
    newline to separate key/value pairs.

  • The IPP backend did not send a cancel request to printers when a job
    Index: scheduler/conf.c

    --- scheduler/conf.c (revision 10708)
    +++ scheduler/conf.c (working copy)
    @@ -14,23 +14,25 @@
    *
  • Contents:
    *

• * cupsdAddAlias() - Add a host alias.

• * cupsdAddAlias() - Add a host alias.

  • cupsdCheckPermissions() - Fix the mode and ownership of a file or

• * directory.

• * directory.

  • cupsdDefaultAuthType() - Get the default AuthType.
  • cupsdFreeAliases() - Free all of the alias entries.
  • cupsdReadConfiguration() - Read the cupsd.conf file.

• * get_address() - Get an address + port number from a line.

• * get_address() - Get an address + port number from a line.

  • get_addr_and_mask() - Get an IP address and netmask.

• * mime_error_cb() - Log a MIME error.

• * parse_aaa() - Parse authentication, authorization, and access

• * control lines.

• * mime_error_cb() - Log a MIME error.

• * parse_aaa() - Parse authentication, authorization, and access

• * control lines.

  • parse_fatal_errors() - Parse FatalErrors values in a string.

• * parse_groups() - Parse system group names in a string.

• * parse_protocols() - Parse browse protocols in a string.

• * read_configuration() - Read a configuration file.

• * read_location() - Read a definition.

• * read_policy() - Read a definition.

• * parse_groups() - Parse system group names in a string.

• * parse_protocols() - Parse browse protocols in a string.

• * parse_variable() - Parse a variable line.

• * read_cupsd_conf() - Read the cupsd.conf configuration file.

• * read_cups_files_conf() - Read the cups-files.conf configuration file.

• * read_location() - Read a definition.

• * read_policy() - Read a definition.

  • set_policy_defaults() - Set default policy values as needed.
    */

@@ -83,35 +85,25 @@

• Local globals...
  */

-static int default_auth_type = CUPSD_AUTH_AUTO;

•               /\* Default AuthType, if not specified */
  

  -static const cupsd_var_t variables[] =
  +static const cupsd_var_t cupsd_vars[] =
  {
• { "AccessLog", &AccessLog, CUPSD_VARTYPE_STRING },
  { "AutoPurgeJobs", &JobAutoPurge, CUPSD_VARTYPE_BOOLEAN },
  #if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
  { "BrowseDNSSDSubTypes", &DNSSDSubTypes, CUPSD_VARTYPE_STRING },
  #endif /* HAVE_DNSSD || HAVE_AVAHI */
  { "BrowseWebIF", &BrowseWebIF, CUPSD_VARTYPE_BOOLEAN },
  { "Browsing", &Browsing, CUPSD_VARTYPE_BOOLEAN },
• { "CacheDir", &CacheDir, CUPSD_VARTYPE_STRING },
  { "Classification", &Classification, CUPSD_VARTYPE_STRING },
  { "ClassifyOverride", &ClassifyOverride, CUPSD_VARTYPE_BOOLEAN },
• { "ConfigFilePerm", &ConfigFilePerm, CUPSD_VARTYPE_INTEGER },
• { "DataDir", &DataDir, CUPSD_VARTYPE_STRING },
  { "DefaultLanguage", &DefaultLanguage, CUPSD_VARTYPE_STRING },
  { "DefaultLeaseDuration", &DefaultLeaseDuration, CUPSD_VARTYPE_TIME },
  { "DefaultPaperSize", &DefaultPaperSize, CUPSD_VARTYPE_STRING },
  { "DefaultPolicy", &DefaultPolicy, CUPSD_VARTYPE_STRING },
  { "DefaultShared", &DefaultShared, CUPSD_VARTYPE_BOOLEAN },
  { "DirtyCleanInterval", &DirtyCleanInterval, CUPSD_VARTYPE_TIME },
• { "DocumentRoot", &DocumentRoot, CUPSD_VARTYPE_STRING },
• { "ErrorLog", &ErrorLog, CUPSD_VARTYPE_STRING },
  { "ErrorPolicy", &ErrorPolicy, CUPSD_VARTYPE_STRING },
• { "FileDevice", &FileDevice, CUPSD_VARTYPE_BOOLEAN },
  { "FilterLimit", &FilterLimit, CUPSD_VARTYPE_INTEGER },
  { "FilterNice", &FilterNice, CUPSD_VARTYPE_INTEGER },
• { "FontPath", &FontPath, CUPSD_VARTYPE_STRING },
  #ifdef HAVE_GSSAPI
  { "GSSServiceName", &GSSServiceName, CUPSD_VARTYPE_STRING },
  #endif /* HAVE_GSSAPI */
  @@ -126,8 +118,6 @@
  { "LimitRequestBody", &MaxRequestSize, CUPSD_VARTYPE_INTEGER },
  { "ListenBackLog", &ListenBackLog, CUPSD_VARTYPE_INTEGER },
  { "LogDebugHistory", &LogDebugHistory, CUPSD_VARTYPE_INTEGER },
• { "LogFilePerm", &LogFilePerm, CUPSD_VARTYPE_INTEGER },
• { "LPDConfigFile", &LPDConfigFile, CUPSD_VARTYPE_STRING },
  { "MaxActiveJobs", &MaxActiveJobs, CUPSD_VARTYPE_INTEGER },
  { "MaxClients", &MaxClients, CUPSD_VARTYPE_INTEGER },
  { "MaxClientsPerHost", &MaxClientsPerHost, CUPSD_VARTYPE_INTEGER },
  @@ -146,18 +136,34 @@
  { "MaxSubscriptionsPerPrinter",&MaxSubscriptionsPerPrinter, CUPSD_VARTYPE_INTEGER },
  { "MaxSubscriptionsPerUser", &MaxSubscriptionsPerUser, CUPSD_VARTYPE_INTEGER },
  { "MultipleOperationTimeout", &MultipleOperationTimeout, CUPSD_VARTYPE_TIME },
• { "PageLog", &PageLog, CUPSD_VARTYPE_STRING },
  { "PageLogFormat", &PageLogFormat, CUPSD_VARTYPE_STRING },
  { "PreserveJobFiles", &JobFiles, CUPSD_VARTYPE_TIME },
  { "PreserveJobHistory", &JobHistory, CUPSD_VARTYPE_TIME },
• { "Printcap", &Printcap, CUPSD_VARTYPE_STRING },
• { "PrintcapGUI", &PrintcapGUI, CUPSD_VARTYPE_STRING },
  { "ReloadTimeout", &ReloadTimeout, CUPSD_VARTYPE_TIME },
• { "RemoteRoot", &RemoteRoot, CUPSD_VARTYPE_STRING },
• { "RequestRoot", &RequestRoot, CUPSD_VARTYPE_STRING },
  { "RIPCache", &RIPCache, CUPSD_VARTYPE_STRING },
  { "RootCertDuration", &RootCertDuration, CUPSD_VARTYPE_TIME },
  { "ServerAdmin", &ServerAdmin, CUPSD_VARTYPE_STRING },
• { "ServerName", &ServerName, CUPSD_VARTYPE_STRING },
• { "StrictConformance", &StrictConformance, CUPSD_VARTYPE_BOOLEAN },
• { "Timeout", &Timeout, CUPSD_VARTYPE_TIME },
• { "WebInterface", &WebInterface, CUPSD_VARTYPE_BOOLEAN }
  +};
  +static const cupsd_var_t cupsfiles_vars[] =
  +{
• { "AccessLog", &AccessLog, CUPSD_VARTYPE_STRING },
• { "CacheDir", &CacheDir, CUPSD_VARTYPE_STRING },
• { "ConfigFilePerm", &ConfigFilePerm, CUPSD_VARTYPE_INTEGER },
• { "DataDir", &DataDir, CUPSD_VARTYPE_STRING },
• { "DocumentRoot", &DocumentRoot, CUPSD_VARTYPE_STRING },
• { "ErrorLog", &ErrorLog, CUPSD_VARTYPE_STRING },
• { "FileDevice", &FileDevice, CUPSD_VARTYPE_BOOLEAN },
• { "FontPath", &FontPath, CUPSD_VARTYPE_STRING },
• { "LogFilePerm", &LogFilePerm, CUPSD_VARTYPE_INTEGER },
• { "LPDConfigFile", &LPDConfigFile, CUPSD_VARTYPE_STRING },
• { "PageLog", &PageLog, CUPSD_VARTYPE_STRING },
• { "Printcap", &Printcap, CUPSD_VARTYPE_STRING },
• { "RemoteRoot", &RemoteRoot, CUPSD_VARTYPE_STRING },
• { "RequestRoot", &RequestRoot, CUPSD_VARTYPE_STRING },
  { "ServerBin", &ServerBin, CUPSD_VARTYPE_PATHNAME },
  #ifdef HAVE_SSL
  { "ServerCertificate", &ServerCertificate, CUPSD_VARTYPE_PATHNAME },
  @@ -165,20 +171,17 @@
  { "ServerKey", &ServerKey, CUPSD_VARTYPE_PATHNAME },

endif /* HAVE_LIBSSL || HAVE_GNUTLS _/

#endif /_ HAVE_SSL */

• { "ServerName", &ServerName, CUPSD_VARTYPE_STRING },
  { "ServerRoot", &ServerRoot, CUPSD_VARTYPE_PATHNAME },
  { "SMBConfigFile", &SMBConfigFile, CUPSD_VARTYPE_STRING },
  { "StateDir", &StateDir, CUPSD_VARTYPE_STRING },
• { "StrictConformance", &StrictConformance, CUPSD_VARTYPE_BOOLEAN },
  #ifdef HAVE_AUTHORIZATION_H
  { "SystemGroupAuthKey", &SystemGroupAuthKey, CUPSD_VARTYPE_STRING },
  #endif /* HAVE_AUTHORIZATION_H */
• { "TempDir", &TempDir, CUPSD_VARTYPE_PATHNAME },
• { "Timeout", &Timeout, CUPSD_VARTYPE_TIME },
• { "WebInterface", &WebInterface, CUPSD_VARTYPE_BOOLEAN }
• { "TempDir", &TempDir, CUPSD_VARTYPE_PATHNAME }
  };
  -#define NUM_VARS (sizeof(variables) / sizeof(variables[0]))

+static int default_auth_type = CUPSD_AUTH_AUTO;

•               /* Default AuthType, if not specified */
  

  static const unsigned ones[4] =
  {
  @@ -203,7 +206,12 @@
  static int parse_fatal_errors(const char *s);
  static int parse_groups(const char *s);
  static int parse_protocols(const char *s);
  -static int read_configuration(cups_file_t *fp);
  +static int parse_variable(const char *filename, int linenum,

•                      const char *line, const char *value,
  

•                      size_t num_vars,
  

•                      const cupsd_var_t *vars);
  

  +static int read_cupsd_conf(cups_file_t *fp);
  +static int read_cups_files_conf(cups_file_t *fp);
  static int read_location(cups_file_t *fp, char *name, int linenum);
  static int read_policy(cups_file_t *fp, char *name, int linenum);
  static void set_policy_defaults(cupsd_policy_t *pol);
  @@ -780,22 +788,48 @@
  cupsdInitEnv();

  /*

• * Read the configuration file...

• • Read the cups-files.conf file...
    */

• if ((fp = cupsFileOpen(CupsFilesFile, "r")) != NULL)

• {

• status = read_cups_files_conf(fp);

• cupsFileClose(fp);

• if (!status)

•  return (0);
  

• }
• else if (errno == ENOENT)
• cupsdLogMessage(CUPSD_LOG_INFO, "No %s, using defaults.", CupsFilesFile);
• else
• {
• cupsdLogMessage(CUPSD_LOG_CRIT, "Unable to open %s: %s", CupsFilesFile,

•                strerror(errno));
  

• return (0);
• }

• if (!ErrorLog)
• cupsdSetString(&ErrorLog, CUPS_LOGDIR "/error_log");

• /*
• * Read the cupsd.conf file...
• */

if ((fp = cupsFileOpen(ConfigurationFile, "r")) == NULL)

• {
• cupsdLogMessage(CUPSD_LOG_CRIT, "Unable to open %s: %s", ConfigurationFile,

•                strerror(errno));
  

  return (0);
• }
• status = read_configuration(fp);
• status = read_cupsd_conf(fp);

cupsFileClose(fp);

if (!status)
return (0);

• if (!ErrorLog)

- cupsdSetString(&ErrorLog, CUPS_LOGDIR "/error_log");

RunUser = getuid();

cupsdLogMessage(CUPSD_LOG_INFO, "Remote access is %s.",
@@ -908,6 +942,13 @@
}

/*

• * Make sure ConfigFilePerm and LogFilePerm have sane values...
• */

• ConfigFilePerm &= 0664;
• LogFilePerm &= 0664;

• /*
  • Open the system log for cupsd if necessary...
    */

@@ -2550,13 +2591,244 @@

/*

• * 'read_configuration()' - Read a configuration file.

• • 'parse_variable()' - Parse a variable line.
    */

  static int /* O - 1 on success, 0 on failure /
  -read_configuration(cups_file_t *fp) / I - File to read from */
  +parse_variable(

• const char filename, / I - Name of configuration file */

• int linenum, /* I - Line in configuration file */

• const char line, / I - Line from configuration file */

• const char value, / I - Value from configuration file */

• size_t num_vars, /* I - Number of variables */

• const cupsd_var_t vars) / I - Variables */
  {

• int i; /* Looping var */

• size_t i; /* Looping var */

• const cupsd_var_t var; / Variables */

• char temp[1024]; /* Temporary string */

• for (i = num_vars, var = vars; i > 0; i --, var ++)
• if (!_cups_strcasecmp(line, var->name))

•  break;
  
• if (i == 0)
• {
• /*
• * Unknown directive! Output an error message and continue...
• */

• if (!value)

•  cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

• else

•  cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.",
  

•         line, linenum, filename);
  
• return (0);
• }

• switch (var->type)
• {
• case CUPSD_VARTYPE_INTEGER :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing integer value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

•      return (0);
  

• }
• else if (!isdigit(*value & 255))
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Bad integer value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

•      return (0);
  

• }
• else
• {

• int   n;      /\* Number */
  

• char  _units;     /_ Units */
  

• n = strtol(value, &units, 0);
  

• if (units && *units)
  

• {
  

•   if (tolower(units[0] & 255) == 'g')
  

•     n *= 1024 \* 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'm')
  

•     n *= 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'k')
  

•     n *= 1024;
  

•   else if (tolower(units[0] & 255) == 't')
  

•     n *= 262144;
  

•   else
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "Unknown integer value for %s on line %d of %s.",
  

•             line, linenum, filename);
  

•     return (0);
  

•   }
  

• }
  

• if (n < 0)
  

• {
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•           "Bad negative integer value for %s on line %d of "
  

•           "%s.", line, linenum, filename);
  

•   return (0);
  

• }
  

• else
  

• {
  

•   *((int *)var->ptr) = n;
  

• }
  

• }
• break;

• case CUPSD_VARTYPE_TIME :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing time interval value for %s on line %d of "
  

•         "%s.", line, linenum, filename);
  

• return (0);
  

• }
• else if (!_cups_strncasecmp(line, "PreserveJob", 11) &&

•    (!_cups_strcasecmp(value, "true") ||
  

•     !_cups_strcasecmp(value, "on") ||
  

•     !_cups_strcasecmp(value, "enabled") ||
  

•     !_cups_strcasecmp(value, "yes")))
  

• {

• *((int *)var->ptr) = INT_MAX;
  

• }
• else if (!_cups_strcasecmp(value, "false") ||

•    !_cups_strcasecmp(value, "off") ||
  

•    !_cups_strcasecmp(value, "disabled") ||
  

•    !_cups_strcasecmp(value, "no"))
  

• {

• *((int *)var->ptr) = 0;
  

• }
• else if (!isdigit(*value & 255))
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Unknown time interval value for %s on line %d of "
  

•         "%s.", line, linenum, filename);
  

•      return (0);
  

• }
• else
• {

• double    n;      /\* Number */
  

• char      _units;     /_ Units */
  

• n = strtod(value, &units);
  

• if (units && *units)
  

• {
  

•   if (tolower(units[0] & 255) == 'w')
  

•     n *= 7 \* 24 \* 60 \* 60;
  

•   else if (tolower(units[0] & 255) == 'd')
  

•     n *= 24 \* 60 \* 60;
  

•   else if (tolower(units[0] & 255) == 'h')
  

•     n *= 60 \* 60;
  

•   else if (tolower(units[0] & 255) == 'm')
  

•     n *= 60;
  

•   else
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "Unknown time interval value for %s on line "
  

•             "%d of %s.", line, linenum, filename);
  

•     return (0);
  

•   }
  

• }
  

• if (n < 0.0 || n > INT_MAX)
  

• {
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•           "Bad time value for %s on line %d of %s.",
  

•           line, linenum, filename);
  

•   return (0);
  

• }
  

• else
  

• {
  

•   *((int *)var->ptr) = (int)n;
  

• }
  

• }
• break;

• case CUPSD_VARTYPE_BOOLEAN :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing boolean value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

• return (0);
  

• }
• else if (!_cups_strcasecmp(value, "true") ||

•    !_cups_strcasecmp(value, "on") ||
  

•    !_cups_strcasecmp(value, "enabled") ||
  

•    !_cups_strcasecmp(value, "yes") ||
  

•    atoi(value) != 0)
  

• {

• *((int *)var->ptr) = TRUE;
  

• }
• else if (!_cups_strcasecmp(value, "false") ||

•    !_cups_strcasecmp(value, "off") ||
  

•    !_cups_strcasecmp(value, "disabled") ||
  

•    !_cups_strcasecmp(value, "no") ||
  

•    !_cups_strcasecmp(value, "0"))
  

• {

• *((int *)var->ptr) = FALSE;
  

• }
• else
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Unknown boolean value %s on line %d of %s.",
  

•         value, linenum, filename);
  

• return (0);
  

• }
• break;

• case CUPSD_VARTYPE_PATHNAME :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing pathname value for %s on line %d of %s.",
  

[michaelrsweet]

•         line, linenum, filename);
  

• return (0);
  

• }

• if (value[0] == '/')

• strlcpy(temp, value, sizeof(temp));
  

• else

• snprintf(temp, sizeof(temp), "%s/%s", ServerRoot, value);
  
• if (access(temp, 0))
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "File or directory for \"%s %s\" on line %d of %s "
  

•         "does not exist.", line, value, linenum, filename);
  

• return (0);
  

• }

• cupsdSetString((char **)var->ptr, temp);
• break;

• case CUPSD_VARTYPE_STRING :
• cupsdSetString((char **)var->ptr, value);
• break;
• }

• return (1);
  +}

+/*

• * 'read_cupsd_conf()' - Read the cupsd.conf configuration file.
• /
  +
  +static int / O - 1 on success, 0 on failure /
  +read_cupsd_conf(cups_file_t *fp) / I - File to read from /
  +{
  int linenum; / Current line number /
  char line[HTTP_MAX_BUFFER],
  / Line from file /
  @@ -2565,12 +2837,10 @@
  *value, / Pointer to value /
  *valueptr; / Pointer into value /
  int valuelen; / Length of value */
• cupsd_var_t const var; / Current variable /
  http_addrlist_t *addrlist, / Address list /
  *addr; / Current address /
  cups_file_t *incfile; / Include file /
  char incname[1024]; / Include filename */
• struct group group; / Group */

/*
@@ -2602,7 +2872,7 @@
incname, strerror(errno));
else
{

•    read_configuration(incfile);
  

•    read_cupsd_conf(incfile);
  

  cupsFileClose(incfile);
  }
  }
  @@ -2626,8 +2896,6 @@
  if (linenum == 0)
  return (0);
  }

• else if (!_cups_strcasecmp(line, "FatalErrors"))

•  FatalErrors = parse_fatal_errors(value);
  

  else if (!_cups_strcasecmp(line, "FaxRetryInterval") && value)
  {
  JobRetryInterval = atoi(value);
  @@ -2771,10 +3039,10 @@

  BrowseLocalProtocols = protocols;
  }

• else if (!_cups_strcasecmp(line, "default_auth_type") && value)

• else if (!_cups_strcasecmp(line, "DefaultAuthType") && value)
  {
  /*

•  \* default_auth_type {basic,digest,basicdigest,negotiate}
  

•  * DefaultAuthType {basic,digest,basicdigest,negotiate}
  

  */

  if (!_cups_strcasecmp(value, "none"))
  @@ -2823,81 +3091,6 @@
  }
  }
  #endif /* HAVE_SSL */

• else if (!_cups_strcasecmp(line, "User") && value)

• {

• /*
  

•  \* User ID to run as...
  

- */

•  if (isdigit(value[0] & 255))
  

•  {
  

- int uid = atoi(value);

• if (!uid)

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Will not use User 0 as specified on line %d "
  

•         "for security reasons.  You must use a non-"
  

•         "privileged account instead.",
  

•                 linenum);
  

•    else
  

• User = atoi(value);
  

•  }
  

•  else
  

•  {
  

- struct passwd p; / Password information */

•    endpwent();
  

- p = getpwnam(value);

• if (p)
• {

• if (!p->pw_uid)
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Will not use User %s (UID=0) as specified on line "
  

•           "%d for security reasons.  You must use a non-"
  

•           "privileged account instead.",
  

•                   value, linenum);
  

• else
  

•   User = p->pw_uid;
  

• }
• else

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown User \"%s\" on line %d, ignoring.",
  

•                 value, linenum);
  

•  }
  

• }
• else if (!_cups_strcasecmp(line, "Group") && value)
• {

• /*
  

•  \* Group ID to run as...
  

- */

•  if (isdigit(value[0]))
  

•    Group = atoi(value);
  

•  else
  

•  {
  

•    endgrent();
  

- group = getgrnam(value);

• if (group != NULL)

• Group = group->gr_gid;
  

• else

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown Group \"%s\" on line %d, ignoring.",
  

•                 value, linenum);
  

•  }
  

• }
• else if (!_cups_strcasecmp(line, "SystemGroup") && value)
• {

• /*
  

•  \* SystemGroup (admin) group(s)...
  

- */

•  if (!parse_groups(value))
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown SystemGroup \"%s\" on line %d, ignoring.",
  

•               value, linenum);
  

• }
  else if (!_cups_strcasecmp(line, "HostNameLookups") && value)
  {
  /*
  @@ -2976,22 +3169,6 @@
  cupsdLogMessage(CUPSD_LOG_WARN, "Unknown LogTimeFormat %s on line %d.",
  value, linenum);
  }
• else if (!_cups_strcasecmp(line, "PrintcapFormat") && value)
• {

• /*
  

•  \* Format of printcap file?
  

- */

•  if (!_cups_strcasecmp(value, "bsd"))
  

•    PrintcapFormat = PRINTCAP_BSD;
  

•  else if (!_cups_strcasecmp(value, "plist"))
  

•    PrintcapFormat = PRINTCAP_PLIST;
  

•  else if (!_cups_strcasecmp(value, "solaris"))
  

•    PrintcapFormat = PRINTCAP_SOLARIS;
  

•  else
  

• cupsdLogMessage(CUPSD_LOG_WARN, "Unknown PrintcapFormat %s on line %d.",

•               value, linenum);
  

• }
  else if (!_cups_strcasecmp(line, "ServerTokens") && value)
  {
  /*
  @@ -3117,182 +3294,193 @@
  "line %d.", value, linenum);
  }
  #endif /* HAVE_SSL */

• else if (!_cups_strcasecmp(line, "AccessLog") ||

•         !_cups_strcasecmp(line, "CacheDir") ||
  

•         !_cups_strcasecmp(line, "ConfigFilePerm") ||
  

•         !_cups_strcasecmp(line, "DataDir") ||
  

•         !_cups_strcasecmp(line, "DocumentRoot") ||
  

•         !_cups_strcasecmp(line, "ErrorLog") ||
  

•         !_cups_strcasecmp(line, "FatalErrors") ||
  

•         !_cups_strcasecmp(line, "FileDevice") ||
  

•         !_cups_strcasecmp(line, "FontPath") ||
  

•         !_cups_strcasecmp(line, "Group") ||
  

•         !_cups_strcasecmp(line, "LogFilePerm") ||
  

•         !_cups_strcasecmp(line, "LPDConfigFile") ||
  

•         !_cups_strcasecmp(line, "PageLog") ||
  

•         !_cups_strcasecmp(line, "Printcap") ||
  

•         !_cups_strcasecmp(line, "PrintcapFormat") ||
  

•         !_cups_strcasecmp(line, "RemoteRoot") ||
  

•         !_cups_strcasecmp(line, "RequestRoot") ||
  

•         !_cups_strcasecmp(line, "ServerBin") ||
  

•         !_cups_strcasecmp(line, "ServerCertificate") ||
  

•         !_cups_strcasecmp(line, "ServerKey") ||
  

•         !_cups_strcasecmp(line, "ServerRoot") ||
  

•         !_cups_strcasecmp(line, "SMBConfigFile") ||
  

•         !_cups_strcasecmp(line, "StateDir") ||
  

•         !_cups_strcasecmp(line, "SystemGroup") ||
  

•         !_cups_strcasecmp(line, "SystemGroupAuthKey") ||
  

•         !_cups_strcasecmp(line, "TempDir") ||
  

•    !_cups_strcasecmp(line, "User"))
  

• {

•  cupsdLogMessage(CUPSD_LOG_WARN,
  

•         "Please move \"%s%s%s\" on line %d of %s to the %s file; "
  

•         "this will become an error in a future release.",
  

•         line, value ? " " : "", value ? value : "", linenum,
  

•         ConfigurationFile, CupsFilesFile);
  

• }
  else

• {

• /*
  

•  \* Find a simple variable in the list...
  

•  */
  

•  parse_variable(ConfigurationFile, linenum, line, value,
  

•                 sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars);
  

• }

•  for (i = NUM_VARS, var = variables; i > 0; i --, var ++)
  

•    if (!_cups_strcasecmp(line, var->name))
  

• break;
  

• return (1);
  +}

•  if (i == 0)
  

•  {
  

•   /*
  

•    \* Unknown directive!  Output an error message and continue...
  

• */

•    if (!value)
  

• cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d.",
  

•                 line, linenum);
  

• else

• cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d.",
  

•                 line, linenum);
  

•    continue;
  

•  }
  

  +/*

• * 'read_cups_files_conf()' - Read the cups-files.conf configuration file.

• */

•  switch (var->type)
  

•  {
  

•    case CUPSD_VARTYPE_INTEGER :
  

•   if (!value)
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing integer value for %s on line %d.",
  

•             line, linenum);
  

•   else if (!isdigit(*value & 255))
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Bad integer value for %s on line %d.",
  

•             line, linenum);
  

•   else
  

•   {
  

•     int   n;      /\* Number */
  

•     char  _units;     /_ Units _/
  

  +static int /_ O - 1 on success, 0 on failure /
  +read_cups_files_conf(cups_file_t *fp) / I - File to read from */
  +{

• int linenum; /* Current line number */

• char line[HTTP_MAX_BUFFER], /* Line from file */

•   _value;         /_ Value from line */
  

• struct group group; / Group */

•          n = strtol(value, &units, 0);
  

•     if (units && *units)
  

•     {
  

•       if (tolower(units[0] & 255) == 'g')
  

•     n *= 1024 \* 1024 \* 1024;
  

•       else if (tolower(units[0] & 255) == 'm')
  

•     n *= 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'k')
  

•     n *= 1024;
  

•   else if (tolower(units[0] & 255) == 't')
  

•     n *= 262144;
  

•   else
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "Unknown integer value for %s on line %d.",
  

•             line, linenum);
  

•     break;
  

•   }
  

•     }
  

• /*

• * Loop through each line in the file...

• */

•          if (n < 0)
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Bad negative integer value for %s on line %d.",
  

•           line, linenum);
  

•     else
  

•   *((int *)var->ptr) = n;
  

•   }
  

•   break;
  

• linenum = 0;

•    case CUPSD_VARTYPE_TIME :
  

•   if (!value)
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing time interval value for %s on line %d.",
  

•             line, linenum);
  

•   else if (!_cups_strncasecmp(line, "PreserveJob", 11) &&
  

•            (!_cups_strcasecmp(value, "true") ||
  

•         !_cups_strcasecmp(value, "on") ||
  

•         !_cups_strcasecmp(value, "enabled") ||
  

•         !_cups_strcasecmp(value, "yes")))
  

•     *((int *)var->ptr) = INT_MAX;
  

•   else if (!_cups_strcasecmp(value, "false") ||
  

•            !_cups_strcasecmp(value, "off") ||
  

•            !_cups_strcasecmp(value, "disabled") ||
  

•            !_cups_strcasecmp(value, "no"))
  

•     *((int *)var->ptr) = 0;
  

•   else if (!isdigit(*value & 255))
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Unknown time interval value for %s on line %d.",
  

•             line, linenum);
  

•   else
  

•   {
  

•     double    n;      /\* Number */
  

•     char  _units;     /_ Units */
  

• while (cupsFileGetConf(fp, line, sizeof(line), &value, &linenum))

• {

• if (!_cups_strcasecmp(line, "FatalErrors"))

•  FatalErrors = parse_fatal_errors(value);
  

• else if (!_cups_strcasecmp(line, "Group") && value)

• {

• /*
  

•  \* Group ID to run as...
  

•  */
  

•          n = strtod(value, &units);
  

•  if (isdigit(value[0]))
  

•    Group = atoi(value);
  

•  else
  

•  {
  

•    endgrent();
  

• group = getgrnam(value);

•     if (units && *units)
  

•     {
  

•       if (tolower(units[0] & 255) == 'w')
  

•     n *= 7 \* 24 \* 60 \* 60;
  

•       else if (tolower(units[0] & 255) == 'd')
  

•     n *= 24 \* 60 \* 60;
  

•   else if (tolower(units[0] & 255) == 'h')
  

•     n *= 60 \* 60;
  

•   else if (tolower(units[0] & 255) == 'm')
  

•     n *= 60;
  

•   else
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "Unknown time interval value for %s on line "
  

•             "%d.", line, linenum);
  

•     break;
  

•   }
  

•     }
  

• if (group != NULL)

• Group = group->gr_gid;
  

• else

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown Group \"%s\" on line %d of %s.", value,
  

•                 linenum, CupsFilesFile);
  

• if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•   return (0);
  

• }

•  }
  

• }

• else if (!_cups_strcasecmp(line, "PrintcapFormat") && value)

• {

• /*
  

•  \* Format of printcap file?
  

•  */
  

•          if (n < 0.0 || n > INT_MAX)
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Bad time value for %s on line %d.",
  

•           line, linenum);
  

•     else
  

•   *((int *)var->ptr) = (int)n;
  

•   }
  

•   break;
  

•  if (!_cups_strcasecmp(value, "bsd"))
  

•    PrintcapFormat = PRINTCAP_BSD;
  

•  else if (!_cups_strcasecmp(value, "plist"))
  

•    PrintcapFormat = PRINTCAP_PLIST;
  

•  else if (!_cups_strcasecmp(value, "solaris"))
  

•    PrintcapFormat = PRINTCAP_SOLARIS;
  

•  else
  

•  {
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown PrintcapFormat \"%s\" on line %d of %s.",
  

•               value, linenum, CupsFilesFile);
  

•    if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•      return (0);
  

•  }
  

• }

• else if (!_cups_strcasecmp(line, "SystemGroup") && value)

• {

• /*
  

•  \* SystemGroup (admin) group(s)...
  

•  */
  

• case CUPSD_VARTYPE_BOOLEAN :

•   if (!value)
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing boolean value for %s on line %d.",
  

•             line, linenum);
  

•        else if (!_cups_strcasecmp(value, "true") ||
  

•            !_cups_strcasecmp(value, "on") ||
  

•        !_cups_strcasecmp(value, "enabled") ||
  

•        !_cups_strcasecmp(value, "yes") ||
  

•        atoi(value) != 0)
  

•          *((int *)var->ptr) = TRUE;
  

•   else if (!_cups_strcasecmp(value, "false") ||
  

•            !_cups_strcasecmp(value, "off") ||
  

•        !_cups_strcasecmp(value, "disabled") ||
  

•        !_cups_strcasecmp(value, "no") ||
  

•        !_cups_strcasecmp(value, "0"))
  

•          *((int *)var->ptr) = FALSE;
  

•   else
  

•          cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Unknown boolean value %s on line %d.",
  

•                     value, linenum);
  

•   break;
  

•  if (!parse_groups(value))
  

•  {
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown SystemGroup \"%s\" on line %d of %s.", value,
  

•               linenum, CupsFilesFile);
  

•    if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•      return (0);
  

•  }
  

• }

• else if (!_cups_strcasecmp(line, "User") && value)

• {

• /*
  

•  \* User ID to run as...
  

•  */
  

• case CUPSD_VARTYPE_PATHNAME :

•        if (!value)
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing pathname value for %s on line %d.",
  

•             line, linenum);
  

•          break;
  

•   }
  

•  if (isdigit(value[0] & 255))
  

•  {
  

•    int uid = atoi(value);
  

•   if (value[0] == '/')
  

•     strlcpy(temp, value, sizeof(temp));
  

•   else
  

•     snprintf(temp, sizeof(temp), "%s/%s", ServerRoot, value);
  

• if (!uid)

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Will not use User 0 as specified on line %d of %s "
  

•         "for security reasons.  You must use a non-"
  

•         "privileged account instead.",
  

•                 linenum, CupsFilesFile);
  

•      if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•        return (0);
  

•    }
  

•    else
  

• User = atoi(value);
  

•  }
  

•  else
  

•  {
  

•    struct passwd *p;  /* Password information */
  

•        if (access(temp, 0))
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "File or directory for \"%s %s\" on line %d "
  

•             "does not exist.", line, value, linenum);
  

•          break;
  

•   }
  

•    endpwent();
  

• p = getpwnam(value);

• case CUPSD_VARTYPE_STRING :

•   cupsdSetString((char **)var->ptr, value);
  

•   break;
  

• if (p)

• {

• if (!p->pw_uid)
  

• {
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Will not use User %s (UID=0) as specified on line "
  

•           "%d of %s for security reasons.  You must use a "
  

•           "non-privileged account instead.",
  

•                   value, linenum, CupsFilesFile);
  

•   if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•     return (0);
  

• }
  

• else
  

•   User = p->pw_uid;
  

• }

• else

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown User \"%s\" on line %d of %s.",
  

•                 value, linenum, CupsFilesFile);
  

•      if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•        return (0);
  

•    }
  

  }
  }

• else if (!parse_variable(CupsFilesFile, linenum, line, value,

•            sizeof(cupsfiles_vars) / sizeof(cupsfiles_vars[0]),
  

•            cupsfiles_vars) &&
  

•    (FatalErrors & CUPSD_FATAL_CONFIG))
  

•  return (0);
  

  }

  return (1);

  Index: scheduler/conf.h

  --- scheduler/conf.h (revision 10708)
  +++ scheduler/conf.h (working copy)
  @@ -96,7 +96,9 @@
  */

  VAR char *ConfigurationFile VALUE(NULL),

•               /\* Configuration file to use */
  

•               /\* cupsd.conf file to use */
  

•       *CupsFilesFile      VALUE(NULL),
  

•               /\* cups-files.conf file to use _/
      *ServerName     VALUE(NULL),
              /_ FQDN for server */
      *ServerAdmin        VALUE(NULL),
  

  Index: scheduler/client.c

  --- scheduler/client.c (revision 10708)
  +++ scheduler/client.c (working copy)
  @@ -32,7 +32,7 @@

  • compare_clients() - Compare two client connections.
  • data_ready() - Check whether data is available from a client.
  • get_file() - Get a filename and state info.

• * install_conf_file() - Install a configuration file.

• • install_cupsd_conf() - Install a configuration file.
  • is_cgi() - Is the resource a CGI script/program?
  • is_path_absolute() - Is a path absolute and free of relative elements

  •           (i.e. "..").
    

    @@ -95,7 +95,7 @@
    static int data_ready(cupsd_client_t *con);
    static char *get_file(cupsd_client_t *con, struct stat *filestats,
    char *filename, int len);
    -static http_status_t install_conf_file(cupsd_client_t *con);
    +static http_status_t install_cupsd_conf(cupsd_client_t *con);
    static int is_cgi(cupsd_client_t *con, const char *filename,
    struct stat *filestats, mime_type_t *type);
    static int is_path_absolute(const char *path);
    @@ -1666,17 +1666,14 @@
    • Validate the resource name...
      */

•        if (strncmp(con->uri, "/admin/conf/", 12) ||
  

•       strchr(con->uri + 12, '/') ||
  

•   strlen(con->uri) == 12)
  

•        if (strcmp(con->uri, "/admin/conf/cupsd.conf"))
  {
   /*
  

•     \* PUT can only be done to configuration files under
  

•     \* /admin/conf...
  

•     * PUT can only be done to the cupsd.conf file...
    */
  
    cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "[Client %d] Request for subdirectory \"%s\".",
  

•             "[Client %d] Disallowed PUT request for \"%s\".",
            con->http.fd, con->uri);
  
    if (!cupsdSendError(con, HTTP_FORBIDDEN, CUPSD_AUTH_NONE))
  

  @@ -2044,7 +2041,7 @@

  • Install the configuration file...
    */

•      status = install_conf_file(con);
  

•      status = install_cupsd_conf(con);
  
    /*
  

  • Return the status to the client...
    @@ -3301,14 +3298,13 @@

  /*

• * 'install_conf_file()' - Install a configuration file.

• • 'install_cupsd_conf()' - Install a configuration file.
    */

  static http_status_t /* O - Status /
  -install_conf_file(cupsd_client_t *con) / I - Connection /
  +install_cupsd_conf(cupsd_client_t *con) / I - Connection /
  {
  char filename[1024]; / Configuration filename */

• mode_t mode; /* Permissions /
  cups_file_t *in, / Input file /
  *out; / Output file /
  char buffer[16384]; / Copy buffer */
  @@ -3330,13 +3326,8 @@

• Open the new config file...
  */

• snprintf(filename, sizeof(filename), "%s%s", ServerRoot, con->uri + 11);

• if (!strcmp(con->uri, "/admin/conf/printers.conf"))

• mode = ConfigFilePerm & 0600;

• else

- mode = ConfigFilePerm;

• if ((out = cupsdCreateConfFile(filename, mode)) == NULL)
• snprintf(filename, sizeof(filename), "%s/cupsd.conf", ServerRoot);
• if ((out = cupsdCreateConfFile(filename, ConfigFilePerm)) == NULL)
  {
  cupsFileClose(in);
  return (HTTP_SERVER_ERROR);
  @@ -3381,14 +3372,10 @@
  cupsdClearString(&con->filename);

/*

• * If the cupsd.conf file was updated, set the NeedReload flag...
• • Set the NeedReload flag...
    */
• if (!strcmp(con->uri, "/admin/conf/cupsd.conf"))
• NeedReload = RELOAD_CUPSD;
• else

- NeedReload = RELOAD_ALL;

• NeedReload = RELOAD_CUPSD;
  ReloadTime = time(NULL);

/*

Index: scheduler/main.c

--- scheduler/main.c (revision 10708)
+++ scheduler/main.c (working copy)
@@ -212,7 +212,6 @@

         char *current;     /* Current directory */

       /*
        * Allocate a buffer for the current working directory to
    * reduce run-time stack usage; this approximates the

@@ -276,6 +275,29 @@
UseProfiles = 0;
break;

•      case 's' : /\* Set cups-files.conf location */
  

•          i ++;
  

•     if (i >= argc)
  

•     {
  

•       _cupsLangPuts(stderr, _("cupsd: Expected cups-files.conf "
  

•                               "filename after \"-s\" option."));
  

•       usage(1);
  

•     }
  

•          if (argv[i][0] != '/')
  

•     {
  

•      /*
  

•       \* Relative filename not allowed...
  

•   */
  

•       _cupsLangPuts(stderr, _("cupsd: Relative cups-files.conf "
  

•                               "filename not allowed."));
  

•       usage(1);
  

•          }
  

•     cupsdSetString(&CupsFilesFile, argv[i]);
  

•     break;
  

  #ifdef APPLE
  case 'S' : /* Disable system management functions */
  fputs("cupsd: -S (disable system management) for internal "
  @@ -303,8 +325,40 @@
  }

  if (!ConfigurationFile)

• {
  cupsdSetString(&ConfigurationFile, CUPS_SERVERROOT "/cupsd.conf");

• cupsdSetString(&CupsFilesFile, CUPS_SERVERROOT "/cups-files.conf");

• }

• if (!CupsFilesFile)

• {

• char filename, / Copy of cupsd.conf filename */

•   _slash;         /_ Final slash in cupsd.conf filename */
  

• size_t len; /* Size of buffer */

• len = strlen(ConfigurationFile) + 15;
• if ((filename = malloc(len)) == NULL)
• {

•  _cupsLangPrintf(stderr,
  

•         _("cupsd: Unable to get path to "
  

•       "cups-files.conf file."));
  

•  return (1);
  

• }

• strlcpy(filename, ConfigurationFile, len);
• if ((slash = strrchr(filename, '/')) == NULL)
• {

•  _cupsLangPrintf(stderr,
  

•         _("cupsd: Unable to get path to "
  

•       "cups-files.conf file."));
  

•  return (1);
  

• }

• strlcpy(slash, "/cups-files.conf", len - (slash - filename));
• cupsdSetString(&CupsFilesFile, filename);
• free(filename);
• }

/*

• If the user hasn't specified "-f", run in the background...
  */

[michaelrsweet]

"str4223v2-1.5.3.patch":

Description: Move file, directory, user, and group configuration to a
separate file. Also warn about directives that have moved and set
default cups-files.conf.

Author: Michael Sweet msweet@apple.com
Origin: http://svn.cups.org/public/cups/branches/branch-1.6@10710
Origin: http://svn.cups.org/public/cups/branches/branch-1.6@10713

Author: Marc Deslauriers marc.deslauriers@canonical.com
Origin: https://www.cups.org/strfiles/4223/small-fixes.patch

Bug-Upstream: https://www.cups.org/strfiles/4223/small-fixes.patch
Bug-Debian: http://bugs.debian.org/692791
Bug-CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5519

--- a/conf/Makefile
+++ b/conf/Makefile
@@ -19,7 +19,7 @@

Config files...

-KEEP = cupsd.conf snmp.conf
+KEEP = cups-files.conf cupsd.conf snmp.conf
REPLACE = mime.convs mime.types

--- /dev/null
+++ b/conf/cups-files.conf.in
@@ -0,0 +1,98 @@
+#
+# "$Id$"
+#
+# Sample file/directory/user/group configuration file for the CUPS scheduler.
+# See "man cups-files.conf" for a complete description of this file.
+#
+
+# List of events that are considered fatal errors for the scheduler...
+#FatalErrors @CUPS_FATAL_ERRORS@
+
+# Default user and group for filters/backends/helper programs; this cannot be
+# any user or group that resolves to ID 0 for security reasons...
+#User @CUPS_USER@
+#Group @CUPS_GROUP@
+
+# Administrator user group, used to match @System in cupsd.conf policy rules...
+SystemGroup @CUPS_SYSTEM_GROUPS@
+@CUPS_SYSTEM_AUTHKEY@
+
+# User that is substituted for unauthenticated (remote) root accesses...
+#RemoteRoot remroot
+
+# Do we allow file: device URIs other than to /dev/null?
+#FileDevice No
+
+# Permissions for configuration and log files...
+#ConfigFilePerm @CUPS_CONFIG_FILE_PERM@
+#LogFilePerm @CUPS_LOG_FILE_PERM@
+
+# Location of the file logging all access to the scheduler; may be the name
+# "syslog". If not an absolute path, the value of ServerRoot is used as the
+# root directory. Also see the "AccessLogLevel" directive in cupsd.conf.
+AccessLog @CUPS_LOGDIR@/access_log
+
+# Location of cache files used by the scheduler...
+#CacheDir @CUPS_CACHEDIR@
+
+# Location of data files used by the scheduler...
+#DataDir @CUPS_DATADIR@
+
+# Location of the static web content served by the scheduler...
+#DocumentRoot @CUPS_DOCROOT@
+
+# Location of the file logging all messages produced by the scheduler and any
+# helper programs; may be the name "syslog". If not an absolute path, the value
+# of ServerRoot is used as the root directory. Also see the "LogLevel"
+# directive in cupsd.conf.
+ErrorLog @CUPS_LOGDIR@/error_log
+
+# Location of fonts used by older print filters...
+#FontPath @CUPS_FONTPATH@
+
+# Location of LPD configuration
+#LPDConfigFile @CUPS_DEFAULT_LPD_CONFIG_FILE@
+
+# Location of the file logging all pages printed by the scheduler and any
+# helper programs; may be the name "syslog". If not an absolute path, the value
+# of ServerRoot is used as the root directory. Also see the "PageLogFormat"
+# directive in cupsd.conf.
+PageLog @CUPS_LOGDIR@/page_log
+
+# Location of the file listing all of the local printers...
+#Printcap @CUPS_DEFAULT_PRINTCAP@
+
+# Format of the Printcap file...
+#PrintcapFormat bsd
+#PrintcapFormat plist
+#PrintcapFormat solaris
+
+# Location of all spool files...
+#RequestRoot @CUPS_REQUESTS@
+
+# Location of helper programs...
+#ServerBin @CUPS_SERVERBIN@
+
+# SSL/TLS certificate for the scheduler...
+#ServerCertificate @CUPS_SERVERCERT@
+
+# SSL/TLS private key for the scheduler...
+#ServerKey @CUPS_SERVERKEY@
+
+# Location of other configuration files...
+#ServerRoot @CUPS_SERVERROOT@
+
+# Location of Samba configuration file...
+#SMBConfigFile @CUPS_DEFAULT_SMB_CONFIG_FILE@
+
+# Location of scheduler state files...
+#StateDir @CUPS_STATEDIR@
+
+# Location of scheduler/helper temporary files. This directory is emptied on
+# scheduler startup and cannot be one of the standard (public) temporary
+# directory locations for security reasons...
+#TempDir @CUPS_REQUESTS@/tmp
+
+#
+# End of "$Id$".
+#
--- a/conf/cupsd.conf.in
+++ b/conf/cupsd.conf.in
@@ -9,10 +9,6 @@

for troubleshooting...

LogLevel @CUPS_LOG_LEVEL@

-# Administrator user group...
-SystemGroup @CUPS_SYSTEM_GROUPS@

-@CUPS_SYSTEM_AUTHKEY@

Only listen for connections from the local machine.

Listen localhost:@DEFAULT_IPP_PORT@
@CUPS_LISTEN_DOMAINSOCKET@
--- a/config-scripts/cups-defaults.m4
+++ b/config-scripts/cups-defaults.m4
@@ -367,6 +367,7 @@
fi

AC_DEFINE_UNQUOTED(CUPS_DEFAULT_LPD_CONFIG_FILE, "$CUPS_DEFAULT_LPD_CONFIG_FILE")
+AC_SUBST(CUPS_DEFAULT_LPD_CONFIG_FILE)

dnl Default SMB config file...
AC_ARG_WITH(smbconfigfile, [ --with-smbconfigfile set default SMBConfigFile URI],
@@ -388,6 +389,7 @@
fi

AC_DEFINE_UNQUOTED(CUPS_DEFAULT_SMB_CONFIG_FILE, "$CUPS_DEFAULT_SMB_CONFIG_FILE")
+AC_SUBST(CUPS_DEFAULT_SMB_CONFIG_FILE)

dnl Default MaxCopies value...
AC_ARG_WITH(max-copies, [ --with-max-copies set default max copies value, default=9999 ],
--- a/config-scripts/cups-ssl.m4
+++ b/config-scripts/cups-ssl.m4
@@ -27,6 +27,8 @@
SSLFLAGS=""
SSLLIBS=""
have_ssl=0
+CUPS_SERVERCERT=""
+CUPS_SERVERKEY=""

if test x$enable_ssl != xno; then
dnl Look for CDSA...
@@ -36,6 +38,7 @@
have_ssl=1
AC_DEFINE(HAVE_SSL)
AC_DEFINE(HAVE_CDSASSL)

•   CUPS_SERVERCERT="/Library/Keychains/System.keychain"
  
  dnl Check for the various security headers...
  AC_CHECK_HEADER(Security/SecureTransportPriv.h,
  

  @@ -112,6 +115,9 @@
  fi

  if test $have_ssl = 1; then

•   CUPS_SERVERCERT="ssl/server.crt"
  

•   CUPS_SERVERKEY="ssl/server.key"
  

  •    if $PKGCONFIG --exists gcrypt; then
      SSLLIBS="$SSLLIBS `$PKGCONFIG --libs gcrypt`"
      SSLFLAGS="$SSLFLAGS `$PKGCONFIG --cflags gcrypt`"
    

  @@ -149,6 +155,9 @@
  $libcrypto)

  if test "x${SSLLIBS}" != "x"; then
  

•       CUPS_SERVERCERT="ssl/server.crt"
  

•       CUPS_SERVERKEY="ssl/server.key"
  

  •   LIBS="$SAVELIBS $SSLLIBS"
      AC_CHECK_FUNC(SSL_set_tlsext_host_name,
      AC_DEFINE(HAVE_SSL_SET_TLSEXT_HOST_NAME))
    

  @@ -169,6 +178,8 @@
  AC_MSG_ERROR([Unable to enable SSL support.])
  fi

+AC_SUBST(CUPS_SERVERCERT)
+AC_SUBST(CUPS_SERVERKEY)
AC_SUBST(IPPALIASES)
AC_SUBST(SSLFLAGS)
AC_SUBST(SSLLIBS)
--- a/configure.in
+++ b/configure.in
@@ -65,6 +65,7 @@
AC_SUBST(UNINSTALL_LANGUAGES)

AC_OUTPUT(Makedefs

• conf/cups-files.conf
  

  conf/cupsd.conf
  conf/mime.convs
  conf/pam.std
  @@ -78,6 +79,7 @@
  man/client.conf.man
  man/cups-deviced.man
  man/cups-driverd.man

• man/cups-files.conf.man
  

  man/cups-lpd.man
  man/cupsaddsmb.man
  man/cupsd.conf.man
  --- a/doc/Makefile
  +++ b/doc/Makefile
  @@ -3,7 +3,7 @@

  Documentation makefile for CUPS.

  -# Copyright 2007-2011 by Apple Inc.
  +# Copyright 2007-2012 by Apple Inc.

  Copyright 1997-2007 by Easy Software Products.

  These coded instructions, statements, and computer programs are the

  --- /dev/null
  +++ b/doc/help/ref-cups-files-conf.html.in
  @@ -0,0 +1,531 @@
  +
  +
  +
• <TITLE>cups-files.conf</TITLE>

+
+
+
+

cups-files.conf

+
+

The /etc/cups/cups-files.conf file contains configuration directives that control the files, directories. users. and groups that are used by the CUPS scheduler, cupsd(8). Each directive is listed on a line by itself followed by its value. Comments are introduced using the number sign ("#") character at the beginning of a line.

+
+

AccessLog

+
+

Examples

+
+

+AccessLog /var/log/cups/access_log

+AccessLog /var/log/cups/access_log-%s

+AccessLog syslog

+

+
+

Description

+
+

The AccessLog directive sets the name of the
+access log file. If the filename is not absolute then it is
+assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+access log file is stored in "common log format" and can be used
+by any web access reporting tool to generate a report on CUPS
+server activity.

+
+

The server name can be included in the filename by using
+%s in the name.

+
+

The special name "syslog" can be used to send the access
+information to the system log instead of a plain file.

+
+

The default access log file is
+@CUPS_LOGDIR@/access_log.

+
+
+

CUPS 1.1.15ConfigFilePerm

+
+

Examples

+
+

+ConfigFilePerm 0644

+ConfigFilePerm 0640

+

+
+

Description

+
+

The ConfigFilePerm directive specifies the permissions to use when the scheduler writes configuration and cache files, typically in response to IPP or HTTP requests. The default is @CUPS_CONFIG_FILE_PERM@.

+
+

Note:
+
+

The permissions for the printers.conf file are always masked to only allow access from the scheduler user (typically root). This is done because printer device URIs sometimes contain sensitive authentication information that should not be generally known on the system. There is no way to disable this security feature.

+
+

+
+
+

DataDir

+
+

Examples

+
+

+DataDir /usr/share/cups

+

+
+

Description

+
+

The DataDir directive sets the directory to use
+for data files.

+
+
+

CUPS 1.2/OS X 10.5DefaultAuthType

+
+

Examples

+
+

+DefaultAuthType Basic

+DefaultAuthType BasicDigest

+DefaultAuthType Digest

+DefaultAuthType Negotiate

+

+
+

Description

+
+

The DefaultAuthType directive specifies the type
+of authentication to use for IPP operations that require a
+username. The default is Basic.

+
+
+

DocumentRoot

+
+

Examples

+
+

+DocumentRoot /usr/share/doc/cups

+DocumentRoot /foo/bar/doc/cups

+

+
+

Description

+
+

The DocumentRoot directive specifies the location
+of web content for the HTTP server in CUPS. If an absolute path
+is not specified then it is assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default directory is @CUPS_DOCROOT@.

+
+

Documents are first looked up in a sub-directory for the
+primary language requested by the client (e.g.
+@CUPS_DOCROOT@/fr/...) and then directly under
+the DocumentRoot directory (e.g.
+@CUPS_DOCROOT@/...), so it is possible to
+localize the web content by providing subdirectories for each
+language needed.

+
+
+

ErrorLog

+
+

Examples

+
+

+ErrorLog /var/log/cups/error_log

+ErrorLog /var/log/cups/error_log-%s

+ErrorLog syslog

+

+
+

Description

+
+

The ErrorLog directive sets the name of the error
+log file. If the filename is not absolute then it is assumed to
+be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default error log file is @CUPS_LOGDIR@/error_log.

+
+

The server name can be included in the filename by using
+%s in the name.

+
+

The special name "syslog" can be used to send the error
+information to the system log instead of a plain file.

+
+
+

CUPS 1.4/OS X 10.6FatalErrors

+
+

Examples

+
+

+FatalErrors none

+FatalErrors all

+FatalErrors browse

+FatalErrors config

+FatalErrors listen

+FatalErrors log

+FatalErrors permissions

+FatalErrors all -permissions

+FatalErrors config permissions log

+

+
+

Description

+
+

The FatalErrors directive determines whether certain kinds of
+errors are fatal. The following kinds of errors are currently recognized:

+
+

+
• none - No errors are fatal
• all - All of the errors below are fatal
• browse - Browsing initialization errors are fatal,
• for example failed binding to the CUPS browse port or failed connections
• to LDAP servers
• config - Configuration file syntax errors are
• fatal
• listen - Listen or Port errors are fatal, except for
• IPv6 failures on the loopback or "any" addresses
• log - Log file creation or write errors are fatal
• permissions - Bad startup file permissions are
• fatal, for example shared SSL certificate and key files with world-
• read permissions

+

+
+

Multiple errors can be listed, and the form "-kind" can be used with
+all to remove specific kinds of errors. The default setting is
+@CUPS_FATAL_ERRORS@.

+
+
+

CUPS 1.1.18FileDevice

+
+

Examples

+
+

+FileDevice Yes

+FileDevice No

+

+
+

Description

+
+

The FileDevice directive determines whether the
+scheduler allows new printers to be added using device URIs of
+the form file:/filename. File devices are most often
+used to test new printer drivers and do not support raw file
+printing.

+
+

The default setting is No.

+
+

Note:
+
+

File devices are managed by the scheduler. Since the
+scheduler normally runs as the root user, file devices
+can be used to overwrite system files and potentially
+gain unauthorized access to the system. If you must
+create printers using file devices, we recommend that
+you set the FileDevice directive to
+Yes for only as long as you need to add the
+printers to the system, and then reset the directive to
+No.

+
+

+
+
+

CUPS 1.1.3FontPath

+
+

Examples

+
+

+FontPath /foo/bar/fonts

+FontPath /usr/share/cups/fonts:/foo/bar/fonts

+

+
+

Description

+
+

The FontPath directive specifies the font path to
+use when searching for fonts. The default font path is
+/usr/share/cups/fonts.

+
+
+

Group

+
+

Examples

+
+

+Group lp

+Group nobody

+

+
+

Description

+
+

The Group directive specifies the UNIX group that
+filter and CGI programs run as. The default group is
+system-specific but is usually lp or
+nobody.

+
+
+

CUPS 1.1.15LogFilePerm

+
+

Examples

+
+

+LogFilePerm 0644

+LogFilePerm 0600

+

+
+

Description

+
+

The LogFilePerm directive specifies the
+permissions to use when writing log files. The default
+is @CUPS_LOG_FILE_PERM@.

+
+
+

PageLog

+
+

Examples

+
+

+PageLog /var/log/cups/page_log

+PageLog /var/log/cups/page_log-%s

+PageLog syslog

+

+
+

Description

+
+

The PageLog directive sets the name of the page
+log file. If the filename is not absolute then it is assumed to
+be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default page log file is @CUPS_LOGDIR@/page_log.

+
+

The server name can be included in the filename by using
+%s in the name.

+
+

The special name "syslog" can be used to send the page
+information to the system log instead of a plain file.

+
+
+

Printcap

+
+

Examples

+
+

+Printcap

+Printcap /etc/printcap

+Printcap /etc/printers.conf

+Printcap /Library/Preferences/org.cups.printers.plist

+

+
+

Description

+
+

The Printcap directive controls whether or not a
+printcap file is automatically generated and updated with a list
+of available printers. If specified with no value, then no
+printcap file will be generated. The default is to generate a
+file named @CUPS_DEFAULT_PRINTCAP@.

+
+

When a filename is specified (e.g. @CUPS_DEFAULT_PRINTCAP@),
+the printcap file is written whenever a printer is added or
+removed. The printcap file can then be used by applications that
+are hardcoded to look at the printcap file for the available
+printers.

+
+
+

PrintcapFormat

+
+

Examples

+
+

+PrintcapFormat BSD

+PrintcapFormat Solaris

+PrintcapFormat plist

+

+
+

Description

+
+

The PrintcapFormat directive controls the output format of the
+printcap file. The default is to generate the plist format on OS X, the
+Solaris format on Solaris, and the BSD format on other operating systems.

+
+
+

CUPS 1.1.3RemoteRoot

+
+

Examples

+
+

+RemoteRoot remroot

+RemoteRoot root

+

+
+

Description

+
+

The RemoteRoot directive sets the username for
+unauthenticated root requests from remote hosts. The default
+username is remroot. Setting RemoteRoot
+to root effectively disables this security
+mechanism.

+
+
+

RequestRoot

+
+

Examples

+
+

+RequestRoot /var/spool/cups

+RequestRoot /foo/bar/spool/cups

+

+
+

Description

+
+

The RequestRoot directive sets the directory for
+incoming IPP requests and HTML forms. If an absolute path is not
+provided then it is assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default request directory is @CUPS_REQUESTS@.

+
+
+

ServerBin

+
+

Examples

+
+

+ServerBin /usr/lib/cups

+ServerBin /foo/bar/lib/cups

+

+
+

Description

+
+

The ServerBin directive sets the directory for
+server-run executables. If an absolute path is not provided then
+it is assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default executable directory is /usr/lib/cups,
+/usr/lib32/cups, or /usr/libexec/cups
+depending on the operating system.

+
+
+

ServerCertificate

+
+

Examples

+
+

+ServerCertificate /etc/cups/ssl/server.crt

+

+
+

Description

+
+

The ServerCertificate directive specifies the
+location of the SSL certificate file used by the server when
+negotiating encrypted connections. The certificate must not be
+encrypted (password protected) since the scheduler normally runs
+in the background and will be unable to ask for a password.

+
+

The default certificate file is
+/etc/cups/ssl/server.crt.

+
+
+

ServerKey

+
+

Examples

+
+

+ServerKey /etc/cups/ssl/server.key

+

+
+

Description

+
+

The ServerKey directive specifies the location of
+the SSL private key file used by the server when negotiating
+encrypted connections.

+
+

The default key file is
+/etc/cups/ssl/server.crt.

+
+
+

ServerRoot

+
+

Examples

+
+

+ServerRoot /etc/cups

+ServerRoot /foo/bar/cups

+

+
+

Description

+
+

The ServerRoot directive specifies the absolute
+path to the server configuration and state files. It is also used
+to resolve relative paths in the cupsd.conf file. The
+default server directory is /etc/cups.

+
+
+

SystemGroup

+
+

Examples

+
+

+SystemGroup lpadmin

+SystemGroup sys

+SystemGroup system

+SystemGroup root

+SystemGroup root lpadmin

+

+
+

Description

+
+

The SystemGroup directive specifies the system
+administration group for System authentication.
+Multiple groups can be listed, separated with spaces. The default
+group list is @CUPS_SYSTEM_GROUPS@.

+
+
+

TempDir

+
+

Examples

+
+

+TempDir /var/tmp

+TempDir /foo/bar/tmp

+

+
+

Description

+
+

The TempDir directive specifies an absolute path
+for the directory to use for temporary files. The default
+directory is @CUPS_REQUESTS@/tmp.

+
+

Temporary directories must be world-writable and should have
+the "sticky" permission bit enabled so that other users cannot
+delete filter temporary files. The following commands will create
+an appropriate temporary directory called
+/foo/bar/tmp:

+
+

+mkdir /foo/bar/tmp

+chmod a+rwxt /foo/bar/tmp

+

+
+
+

User

+
+

Examples

+
+

+User lp

+User guest

+

+
+

Description

+
+

The User directive specifies the UNIX user that
+filter and CGI programs run as. The default user is
+@CUPS_USER@.

+
+

Note:
+
+

You may not use user root, as that would expose
+the system to unacceptable security risks. The scheduler will
+automatically choose user nobody if you specify a
+user whose ID is 0.

+
+

+
+
+
+
--- a/doc/help/ref-cupsd-conf.html.in
+++ b/doc/help/ref-cupsd-conf.html.in
@@ -191,82 +191,6 @@
HREF="#Limit">Limit section.

-

DeprecatedAuthClass

-

Examples

-

-<Location /path>


...
AuthClass Anonymous
AuthClass User
AuthClass System
AuthClass Group

-</Location>

-

-

Description

-

The AuthClass directive defines what level of
-authentication is required:

-

• Anonymous - No authentication should be

- performed (default)

• User - A valid username and password is

- required

• System - A valid username and password
• is required, and the username must belong to the "sys"
• group; this can be changed using the <A
• HREF="#SystemGroup">SystemGroup

- directive

• Group - A valid username and password is
• required, and the username must belong to the group named
• by the <A
• HREF="#AuthGroupName">AuthGroupName

- directive

-

-

The AuthClass directive must appear inside a <A
-HREF="#Location">Location or <A

-HREF="#Limit">Limit section.

-

This directive is deprecated and will be removed from a
-future release of CUPS. Consider using the more flexible <A

-HREF="#Require">Require directive instead.

-

DeprecatedAuthGroupName

-

Examples

-

-<Location /path>


...
AuthGroupName mygroup
AuthGroupName lp

-</Location>

-

-

Description

-

The AuthGroupName directive sets the group to use

-for Group authentication.

-

The AuthGroupName directive must appear inside a
-Location or <A

-HREF="#Limit">Limit section.

-

This directive is deprecated and will be removed from a
-future release of CUPS. Consider using the more flexible <A

-HREF="#Require">Require directive instead.

AuthType

Examples

@@ -2544,65 +2468,6 @@
files as soon as each job is completed, canceled, or aborted.

-

Printcap

-

Examples

-

-Printcap

-Printcap /etc/printcap

-Printcap /etc/printers.conf

-Printcap /Library/Preferences/org.cups.printers.plist

-

-

Description

-

The Printcap directive controls whether or not a
-printcap file is automatically generated and updated with a list
-of available printers. If specified with no value, then no
-printcap file will be generated. The default is to generate a

-file named @CUPS_DEFAUL_PRINTCAP@.

-

When a filename is specified (e.g. @CUPS_DEFAULT_PRINTCAP@),
-the printcap file is written whenever a printer is added or
-removed. The printcap file can then be used by applications that
-are hardcoded to look at the printcap file for the available

-printers.

-

PrintcapFormat

-

Examples

-

-PrintcapFormat BSD

-PrintcapFormat Solaris

-PrintcapFormat plist

-

-

Description

-

The PrintcapFormat directive controls the output format of the
-printcap file. The default is to generate the plist format on Mac OS X, the

-Solaris format on Solaris, and the BSD format on other operating systems.

-

CUPS 1.1.13PrintcapGUI

-

Examples

-

-PrintGUI /usr/bin/glpoptions

-

-

Description

-

The PrintcapGUI directive sets the program to
-associate with the IRIX printer GUI interface script which is
-used by IRIX applications to display printer-specific options.

-There is no default program.

CUPS 1.1.21ReloadTimeout

Examples

@@ -2619,42 +2484,6 @@ before doing a restart. The default is 30 seconds.

-

CUPS 1.1.3RemoteRoot

-

Examples

-

-RemoteRoot remroot

-RemoteRoot root

-

-

Description

-

The RemoteRoot directive sets the username for
-unauthenticated root requests from remote hosts. The default
-username is remroot. Setting RemoteRoot
-to root effectively disables this security

-mechanism.

-

RequestRoot

-

Examples

-

-RequestRoot /var/spool/cups

-RequestRoot /foo/bar/spool/cups

-

-

Description

-

The RequestRoot directive sets the directory for
-incoming IPP requests and HTML forms. If an absolute path is not
-provided then it is assumed to be relative to the <A
-HREF="#ServerRoot">ServerRoot directory. The

-default request directory is @CUPS_REQUESTS@.

CUPS 1.1.7Require

Examples

@@ -2806,64 +2635,6 @@

-

ServerBin

-

Examples

-

-ServerBin /usr/lib/cups

-ServerBin /foo/bar/lib/cups

-

-

Description

-

The ServerBin directive sets the directory for
-server-run executables. If an absolute path is not provided then
-it is assumed to be relative to the <A
-HREF="#ServerRoot">ServerRoot directory. The
-default executable directory is /usr/lib/cups,
-/usr/lib32/cups, or /usr/libexec/cups

-depending on the operating system.

-

ServerCertificate

-

Examples

-

-ServerCertificate /etc/cups/ssl/server.crt

-

-

Description

-

The ServerCertificate directive specifies the
-location of the SSL certificate file used by the server when
-negotiating encrypted connections. The certificate must not be
-encrypted (password protected) since the scheduler normally runs

-in the background and will be unable to ask for a password.

-

The default certificate file is

-/etc/cups/ssl/server.crt.

-

ServerKey

-

Examples

-

-ServerKey /etc/cups/ssl/server.key

-

-

Description

-

The ServerKey directive specifies the location of
-the SSL private key file used by the server when negotiating

-encrypted connections.

-

The default key file is

-/etc/cups/ssl/server.crt.

ServerName

Examples

@@ -2880,23 +2651,6 @@ hostname.

-

ServerRoot

-

Examples

-

-ServerRoot /etc/cups

-ServerRoot /foo/bar/cups

-

-

Description

-

The ServerRoot directive specifies the absolute
-path to the server configuration and state files. It is also used
-to resolve relative paths in the cupsd.conf file. The

-default server directory is /etc/cups.

CUPS 1.1.21ServerTokens

Examples

@@ -3075,53 +2829,6 @@ HREF="#Policy">Policy section.

-

SystemGroup

-

Examples

-

-SystemGroup lpadmin

-SystemGroup sys

-SystemGroup system

-SystemGroup root

-SystemGroup root lpadmin

-

-

Description

-

The SystemGroup directive specifies the system
-administration group for System authentication.
-Multiple groups can be listed, separated with spaces. The default

-group list is @CUPS_SYSTEM_GROUPS@.

-

TempDir

-

Examples

-

-TempDir /var/tmp

-TempDir /foo/bar/tmp

-

-

Description

-

The TempDir directive specifies an absolute path
-for the directory to use for temporary files. The default

-directory is @CUPS_REQUESTS@/tmp.

-

Temporary directories must be world-writable and should have
-the "sticky" permission bit enabled so that other users cannot
-delete filter temporary files. The following commands will create
-an appropriate temporary directory called

-/foo/bar/tmp:

-

-mkdir /foo/bar/tmp

-chmod a+rwxt /foo/bar/tmp

-

Timeout

Examples

@@ -3138,53 +2845,6 @@ default timeout is 300 seconds.

-

CUPS 1.2/Mac OS X 10.5UseNetworkDefault

-

Examples

-

-UseNetworkDefault yes

-UseNetworkDefault no

-

-

Description

-

The UseNetworkDefault directive controls whether
-the client will use a network/remote printer as a default
-printer. If enabled, the default printer of a server is used as
-the default printer on a client. When multiple servers are
-advertising a default printer, the client's default printer is
-set to the first discovered printer, or to the implicit class for

-the same printer available from multiple servers.

-

The default is @CUPS_USE_NETWORK_DEFAULT@.

-

User

-

Examples

-

-User lp

-User guest

-

-

Description

-

The User directive specifies the UNIX user that
-filter and CGI programs run as. The default user is

-@CUPS_USER@.

-

Note:

-

You may not use user root, as that would expose
-the system to unacceptable security risks. The scheduler will
-automatically choose user nobody if you specify a

-user whose ID is 0.

-

CUPS 1.5WebInterface

Examples

--- a/man/Makefile +++ b/man/Makefile @@ -39,6 +39,7 @@ ppdpo.$(MAN1EXT) MAN5 = classes.conf.$(MAN5EXT) \ client.conf.$(MAN5EXT) \ - cups-files.conf.$(MAN5EXT) \ cups-snmp.conf.$(MAN5EXT) \ cupsd.conf.$(MAN5EXT) \ ipptoolfile.$(MAN5EXT) \ --- /dev/null +++ b/man/cups-files.conf.man.in @@ -0,0 +1,146 @@ +.\" +.\" "$Id$" +.\" +.\" cupsd.conf man page for CUPS. +.\" +.\" Copyright 2007-2012 by Apple Inc. +.\" Copyright 1997-2006 by Easy Software Products. +.\" +.\" These coded instructions, statements, and computer programs are the +.\" property of Apple Inc. and are protected by Federal copyright +.\" law. Distribution and use rights are outlined in the file "LICENSE.txt" +.\" which should have been included with this file. If this file is +.\" file is missing or damaged, see the license at "http://www.cups.org/". +.\" +.TH cups-files.conf 5 "CUPS" "19 November 2012" "Apple Inc." +.SH NAME +cups-files.conf - file and directory configuration file for cups +.SH DESCRIPTION +The \fIcups-file.conf\fR file configures the files and directories used by the +CUPS scheduler, \fIcupsd(8)\fR. It is normally located in the +\fI@CUPS_SERVERROOT@\fR directory. +.LP +Each line in the file can be a configuration directive, a blank line, +or a comment. Comment lines start with the # character. +.SH DIRECTIVES +The following directives are understood by \fIcupsd(8)\fR. Consult the +on-line help for detailed descriptions: +.TP 5 +AccessLog filename +.TP 5 +AccessLog syslog +.br +Defines the access log filename. +.TP 5 +ConfigFilePerm mode +.br +Specifies the permissions for all configuration files that the scheduler +writes. +.TP 5 +DataDir path +.br +Specified the directory where data files can be found. +.TP 5 +DocumentRoot directory +.br +Specifies the root directory for the internal web server documents. +.TP 5 +ErrorLog filename +.TP 5 +ErrorLog syslog +.br +Specifies the error log filename. +.TP 5 +FatalErrors none +.TP 5 +FatalErrors all -kind [... -kind] +.TP 5 +FatalErrors kind [... kind] +.br +Specifies which errors are fatal, causing the scheduler to exit. "Kind" is +"browse", "config", "listen", "log", or "permissions". +.TP 5 +FileDevice Yes +.TP 5 +FileDevice No +.br +Specifies whether the file pseudo-device can be used for new +printer queues. +.TP 5 +FontPath directory[:directory:...] +.br +Specifies the search path for fonts. +.TP 5 +Group group-name-or-number +.br +Specifies the group name or ID that will be used when executing +external programs. +.TP 5 +LogFilePerm mode +.br +Specifies the permissions for all log files that the scheduler writes. +.TP 5 +PageLog filename +.TP 5 +PageLog syslog +.br +Specifies the page log filename. +.TP 5 +Printcap +.TP 5 +Printcap filename +.br +Specifies the filename for a printcap file that is updated +automatically with a list of available printers (needed for +legacy applications); specifying Printcap with no filename +disables printcap generation. +.TP 5 +RemoteRoot user-name +.br +Specifies the username that is associated with unauthenticated root +accesses. +.TP 5 +RequestRoot directory +.br +Specifies the directory to store print jobs and other HTTP request +data. +.TP 5 +ServerBin directory +.br +Specifies the directory where backends, CGIs, daemons, and filters may +be found. +.TP 5 +ServerCertificate filename +.br +Specifies the encryption certificate to use. +.TP 5 +ServerKey filename +.br +Specifies the encryption key to use. +.TP 5 +ServerRoot directory +.br +Specifies the directory where the server configuration files can be found. +.TP 5 +SystemGroup group-name [group-name ...] +.br +Specifies the group(s) to use for System class authentication. +.TP 5 +TempDir directory +.br +Specifies the directory where temporary files are stored. +.TP 5 +User user-name +.br +Specifies the user name or ID that is used when running external programs. +.SH SEE ALSO +\fIclasses.conf(5)\fR, \fIcupsd(8)\fR, \fIcupsd.conf(5)\fR, \fImime.convs(5)\fR, +\fImime.types(5)\fR, \fIprinters.conf(5)\fR, +\fIsubscriptions.conf(5)\fR, +.br +http://localhost:631/help +.SH COPYRIGHT +Copyright 2007-2012 by Apple Inc. +.\" +.\" End of "$Id$". +.\" --- a/man/cupsd.conf.man.in +++ b/man/cupsd.conf.man.in @@ -12,13 +12,16 @@ .\" which should have been included with this file. If this file is .\" file is missing or damaged, see the license at "http://www.cups.org/". .\" -.TH cupsd.conf 5 "CUPS" "18 May 2011" "Apple Inc." +.TH cupsd.conf 5 "CUPS" "19 November 2012" "Apple Inc." .SH NAME cupsd.conf - server configuration file for cups .SH DESCRIPTION The \fIcupsd.conf\fR file configures the CUPS scheduler, \fIcupsd(8)\fR. It -is normally located in the \fI@CUPS_SERVERROOT@\fR directory. -.LP +is normally located in the \fI@CUPS_SERVERROOT@\fR directory. \fBNote:\fR +File, directory, and user configuration directives that used to be allowed in +the \fIcupsd.conf\fR file are now stored in the \fIcups-files.conf(5)\fR instead +in order to prevent certain types of privilege escalation attacks. +LP Each line in the file can be a configuration directive, a blank line, or a comment. Comment lines start with the # character. The configuration directives are intentionally similar to those used by the @@ -27,12 +30,6 @@ The following directives are understood by \fIcupsd(8)\fR. Consult the on-line help for detailed descriptions: .TP 5 -AccessLog filename -.TP 5 -AccessLog syslog -.br -Defines the access log filename. -.TP 5 AccessLogLevel config .TP 5 AccessLogLevel actions @@ -61,20 +58,6 @@ .br Allows access from the named hosts or addresses. .TP 5 -AuthClass User -.TP 5 -AuthClass Group -.TP 5 -AuthClass System -.br -Specifies the authentication class (User, Group, System) - -\fBthis directive is deprecated\fR. -.TP 5 -AuthGroupName group-name -.br -Specifies the authentication group - \fBthis directive is -deprecated\fR. -.TP 5 AuthType None .TP 5 AuthType Basic @@ -220,7 +203,7 @@ .TP 5 Browsing No .br -Specifies whether or not remote printer browsing should be enabled. +Specifies whether or not shared printers should be advertised. .TP 5 Classification banner .br @@ -233,15 +216,6 @@ Specifies whether to allow users to override the classification of individual print jobs. .TP 5 -ConfigFilePerm mode -.br -Specifies the permissions for all configuration files that the scheduler -writes. -.TP 5 -DataDir path -.br -Specified the directory where data files can be found. -.TP 5 DefaultAuthType Basic .TP 5 DefaultAuthType BasicDigest @@ -309,10 +283,6 @@ causes the update to happen as soon as possible, typically within a few milliseconds. .TP 5 -DocumentRoot directory -.br -Specifies the root directory for the internal web server documents. -.TP 5 Encryption IfRequested .TP 5 Encryption Never @@ -322,28 +292,6 @@ Specifies the level of encryption that is required for a particular location. .TP 5 -ErrorLog filename -.TP 5 -ErrorLog syslog -.br -Specifies the error log filename. -.TP 5 -FatalErrors none -.TP 5 -FatalErrors all -kind [... -kind] -.TP 5 -FatalErrors kind [... kind] -.br -Specifies which errors are fatal, causing the scheduler to exit. "Kind" is -"browse", "config", "listen", "log", or "permissions". -.TP 5 -FileDevice Yes -.TP 5 -FileDevice No -.br -Specifies whether the file pseudo-device can be used for new -printer queues. -.TP 5 FilterLimit limit .br Specifies the maximum cost of filters that are run concurrently. @@ -353,15 +301,6 @@ Specifies the scheduling priority ("nice" value) of filters that are run to print a job. .TP 5 -FontPath directory[:directory:...] -.br -Specifies the search path for fonts. -.TP 5 -Group group-name-or-number -.br -Specifies the group name or ID that will be used when executing -external programs. -.TP 5 HideImplicitMembers Yes .TP 5 HideImplicitMembers No @@ -469,10 +408,6 @@ Specifies the number of debugging messages that are logged when an error occurs in a print job. .TP 5 -LogFilePerm mode -.br -Specifies the permissions for all log files that the scheduler writes. -.TP 5 LogLevel alert .TP 5 LogLevel crit @@ -546,12 +481,6 @@ .br Specifies the order of HTTP access control (allow,deny or deny,allow) .TP 5 -PageLog filename -.TP 5 -PageLog syslog -.br -Specifies the page log filename. -.TP 5 PageLogFormat format string .br Specifies the format of page log lines. @@ -581,15 +510,6 @@ Specifies whether or not to preserve the job history after they are printed. .TP 5 -Printcap -.TP 5 -Printcap filename -.br -Specifies the filename for a printcap file that is updated -automatically with a list of available printers (needed for -legacy applications); specifying Printcap with no filename -disables printcap generation. -.TP 5 PrintcapFormat bsd .TP 5 PrintcapFormat plist @@ -598,29 +518,11 @@ .br Specifies the format of the printcap file. .TP 5 -PrintcapGUI -.TP 5 -PrintcapGUI gui-program-filename -.br -Specifies whether to generate option panel definition files on -some operating systems. When provided with no program filename, -disables option panel definition files. -.TP 5 ReloadTimeout seconds .br Specifies the amount of time to wait for job completion before restarting the scheduler. .TP 5 -RemoteRoot user-name -.br -Specifies the username that is associated with unauthenticated root -accesses. -.TP 5 -RequestRoot directory -.br -Specifies the directory to store print jobs and other HTTP request -data. -.TP 5 Require group group-name-list .TP 5 Require user user-name-list @@ -652,27 +554,10 @@ Specifies an alternate name that the server is known by. The special name "*" allows any name to be used. .TP 5 -ServerBin directory -.br -Specifies the directory where backends, CGIs, daemons, and filters may -be found. -.TP 5 -ServerCertificate filename -.br -Specifies the encryption certificate to use. -.TP 5 -ServerKey filename -.br -Specifies the encryption key to use. -.TP 5 ServerName hostname-or-ip-address .br Specifies the fully-qualified hostname of the server. .TP 5 -ServerRoot directory -.br -Specifies the directory where the server configuration files can be found. -.TP 5 ServerTokens Full .TP 5 ServerTokens Major @@ -729,29 +614,17 @@ "notify-events", "notify-pull-method", "notify-recipient-uri", "notify-subscriber-user-name", and "notify-user-data". .TP 5 -SystemGroup group-name [group-name ...] -.br -Specifies the group(s) to use for System class authentication. -.TP 5 -TempDir directory -.br -Specifies the directory where temporary files are stored. -.TP 5 Timeout seconds .br Specifies the HTTP request timeout in seconds. .TP 5 -User user-name -.br -Specifies the user name or ID that is used when running external programs. -.TP 5 WebInterface yes .TP 5 WebInterface no Specifies whether the web interface is enabled. .SH SEE ALSO -\fIclasses.conf(5)\fR, \fIcupsd(8)\fR, \fImime.convs(5)\fR, -\fImime.types(5)\fR, \fIprinters.conf(5)\fR, +\fIclasses.conf(5)\fR, \fIcups-files.conf(5)\fR, \fIcupsd(8)\fR, +\fImime.convs(5)\fR, \fImime.types(5)\fR, \fIprinters.conf(5)\fR, \fIsubscriptions.conf(5)\fR, .br http://localhost:631/help --- a/scheduler/client.c +++ b/scheduler/client.c @@ -35,7 +35,7 @@ - data_ready() - Check whether data is available from a client. - encrypt_client() - Enable encryption for the client... - get_file() - Get a filename and state info. - \* install_conf_file() - Install a configuration file. - - install_cupsd_conf() - Install a configuration file. - is_cgi() - Is the resource a CGI script/program? - is_path_absolute() - Is a path absolute and free of relative elements - (i.e. ".."). @@ -75,7 +75,7 @@ #endif /\* HAVE_SSL */ static char *get_file(cupsd_client_t *con, struct stat *filestats, char *filename, int len); -static http_status_t install_conf_file(cupsd_client_t *con); +static http_status_t install_cupsd_conf(cupsd_client_t *con); static int is_cgi(cupsd_client_t *con, const char *filename, struct stat *filestats, mime_type_t *type); static int is_path_absolute(const char *path); @@ -1685,17 +1685,14 @@ - Validate the resource name... */ - ``` if (strncmp(con->uri, "/admin/conf/", 12) || ``` - strchr(con->uri + 12, '/') || - strlen(con->uri) == 12) - if (strcmp(con->uri, "/admin/conf/cupsd.conf")) { /* - \* PUT can only be done to configuration files under - \* /admin/conf... - ``` * PUT can only be done to the cupsd.conf file... */

cupsdLogMessage(CUPSD_LOG_ERROR,

-                 "Request for subdirectory \"%s\"!", con->uri);
- ```
            "Disallowed PUT request for \"%s\"!", con->uri);

  if (!cupsdSendError(con, HTTP_FORBIDDEN, CUPSD_AUTH_NONE))
  {

@@ -2059,7 +2056,7 @@

• Install the configuration file...
  */

•      status = install_conf_file(con);
  

•      status = install_cupsd_conf(con);
  
    /*
  

  • Return the status to the client...
    @@ -3814,14 +3811,13 @@

  /*

• * 'install_conf_file()' - Install a configuration file.

• • 'install_cupsd_conf()' - Install a configuration file.
    */

  static http_status_t /* O - Status /
  -install_conf_file(cupsd_client_t *con) / I - Connection /
  +install_cupsd_conf(cupsd_client_t *con) / I - Connection /
  {
  char filename[1024]; / Configuration filename */

• mode_t mode; /* Permissions /
  cups_file_t *in, / Input file /
  *out; / Output file /
  char buffer[16384]; / Copy buffer */
  @@ -3843,13 +3839,8 @@

• Open the new config file...
  */

• snprintf(filename, sizeof(filename), "%s%s", ServerRoot, con->uri + 11);

• if (!strcmp(con->uri, "/admin/conf/printers.conf"))

• mode = ConfigFilePerm & 0600;

• else

- mode = ConfigFilePerm;

• if ((out = cupsdCreateConfFile(filename, mode)) == NULL)
• snprintf(filename, sizeof(filename), "%s/cupsd.conf", ServerRoot);
• if ((out = cupsdCreateConfFile(filename, ConfigFilePerm)) == NULL)
  {
  cupsFileClose(in);
  return (HTTP_SERVER_ERROR);
  @@ -3894,14 +3885,10 @@
  cupsdClearString(&con->filename);

/*

• * If the cupsd.conf file was updated, set the NeedReload flag...
• • Set the NeedReload flag...
    */
• if (!strcmp(con->uri, "/admin/conf/cupsd.conf"))
• NeedReload = RELOAD_CUPSD;
• else

- NeedReload = RELOAD_ALL;

• NeedReload = RELOAD_CUPSD;
  ReloadTime = time(NULL);

/*
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -25,11 +25,13 @@

• parse_aaa() - Parse authentication, authorization, and access

•                          control lines.
  

• parse_fatal_errors() - Parse FatalErrors values in a string.
• * parse_groups() - Parse system group names in a string.
• * parse_protocols() - Parse browse protocols in a string.
• * read_configuration() - Read a configuration file.
• * read_location() - Read a definition.
• * read_policy() - Read a definition.
• * parse_groups() - Parse system group names in a string.
• * parse_protocols() - Parse browse protocols in a string.
• * parse_variable() - Parse a variable line.
• * read_cupsd_conf() - Read the cupsd.conf configuration file.
• * read_cups_files_conf() - Read the cups-files.conf configuration file.
• * read_location() - Read a definition.
• * read_policy() - Read a definition.
  • set_policy_defaults() - Set default policy values as needed.
    */

@@ -81,9 +83,8 @@

• Local globals...
  */

-static const cupsd_var_t variables[] =
+static const cupsd_var_t cupsd_vars[] =
{

• { "AccessLog", &AccessLog, CUPSD_VARTYPE_STRING },
  { "AutoPurgeJobs", &JobAutoPurge, CUPSD_VARTYPE_BOOLEAN },
  #ifdef HAVE_DNSSD
  { "BrowseDNSSDRegType", &DNSSDRegType, CUPSD_VARTYPE_STRING },
  @@ -105,24 +106,17 @@
  { "BrowseTimeout", &BrowseTimeout, CUPSD_VARTYPE_INTEGER },
  { "BrowseWebIF", &BrowseWebIF, CUPSD_VARTYPE_BOOLEAN },
  { "Browsing", &Browsing, CUPSD_VARTYPE_BOOLEAN },
• { "CacheDir", &CacheDir, CUPSD_VARTYPE_STRING },
  { "Classification", &Classification, CUPSD_VARTYPE_STRING },
  { "ClassifyOverride", &ClassifyOverride, CUPSD_VARTYPE_BOOLEAN },
• { "ConfigFilePerm", &ConfigFilePerm, CUPSD_VARTYPE_INTEGER },
• { "DataDir", &DataDir, CUPSD_VARTYPE_STRING },
  { "DefaultLanguage", &DefaultLanguage, CUPSD_VARTYPE_STRING },
  { "DefaultLeaseDuration", &DefaultLeaseDuration, CUPSD_VARTYPE_INTEGER },
  { "DefaultPaperSize", &DefaultPaperSize, CUPSD_VARTYPE_STRING },
  { "DefaultPolicy", &DefaultPolicy, CUPSD_VARTYPE_STRING },
  { "DefaultShared", &DefaultShared, CUPSD_VARTYPE_BOOLEAN },
  { "DirtyCleanInterval", &DirtyCleanInterval, CUPSD_VARTYPE_INTEGER },
• { "DocumentRoot", &DocumentRoot, CUPSD_VARTYPE_STRING },
• { "ErrorLog", &ErrorLog, CUPSD_VARTYPE_STRING },
  { "ErrorPolicy", &ErrorPolicy, CUPSD_VARTYPE_STRING },
• { "FileDevice", &FileDevice, CUPSD_VARTYPE_BOOLEAN },
  { "FilterLimit", &FilterLimit, CUPSD_VARTYPE_INTEGER },
  { "FilterNice", &FilterNice, CUPSD_VARTYPE_INTEGER },
• { "FontPath", &FontPath, CUPSD_VARTYPE_STRING },
  { "HideImplicitMembers", &HideImplicitMembers, CUPSD_VARTYPE_BOOLEAN },
  { "ImplicitClasses", &ImplicitClasses, CUPSD_VARTYPE_BOOLEAN },
  { "ImplicitAnyClasses", &ImplicitAnyClasses, CUPSD_VARTYPE_BOOLEAN },
  @@ -137,8 +131,6 @@
  { "LimitRequestBody", &MaxRequestSize, CUPSD_VARTYPE_INTEGER },
  { "ListenBackLog", &ListenBackLog, CUPSD_VARTYPE_INTEGER },
  { "LogDebugHistory", &LogDebugHistory, CUPSD_VARTYPE_INTEGER },
• { "LogFilePerm", &LogFilePerm, CUPSD_VARTYPE_INTEGER },
• { "LPDConfigFile", &LPDConfigFile, CUPSD_VARTYPE_STRING },
  { "MaxActiveJobs", &MaxActiveJobs, CUPSD_VARTYPE_INTEGER },
  { "MaxClients", &MaxClients, CUPSD_VARTYPE_INTEGER },
  { "MaxClientsPerHost", &MaxClientsPerHost, CUPSD_VARTYPE_INTEGER },
  @@ -155,18 +147,34 @@
  { "MaxSubscriptionsPerPrinter",&MaxSubscriptionsPerPrinter, CUPSD_VARTYPE_INTEGER },
  { "MaxSubscriptionsPerUser", &MaxSubscriptionsPerUser, CUPSD_VARTYPE_INTEGER },
  { "MultipleOperationTimeout", &MultipleOperationTimeout, CUPSD_VARTYPE_INTEGER },
• { "PageLog", &PageLog, CUPSD_VARTYPE_STRING },
  { "PageLogFormat", &PageLogFormat, CUPSD_VARTYPE_STRING },
  { "PreserveJobFiles", &JobFiles, CUPSD_VARTYPE_BOOLEAN },
  { "PreserveJobHistory", &JobHistory, CUPSD_VARTYPE_BOOLEAN },
• { "Printcap", &Printcap, CUPSD_VARTYPE_STRING },
• { "PrintcapGUI", &PrintcapGUI, CUPSD_VARTYPE_STRING },
  { "ReloadTimeout", &ReloadTimeout, CUPSD_VARTYPE_INTEGER },
• { "RemoteRoot", &RemoteRoot, CUPSD_VARTYPE_STRING },
• { "RequestRoot", &RequestRoot, CUPSD_VARTYPE_STRING },
  { "RIPCache", &RIPCache, CUPSD_VARTYPE_STRING },
  { "RootCertDuration", &RootCertDuration, CUPSD_VARTYPE_INTEGER },
  { "ServerAdmin", &ServerAdmin, CUPSD_VARTYPE_STRING },
• { "ServerName", &ServerName, CUPSD_VARTYPE_STRING },
• { "Timeout", &Timeout, CUPSD_VARTYPE_INTEGER },
• { "UseNetworkDefault", &UseNetworkDefault, CUPSD_VARTYPE_BOOLEAN },
• { "WebInterface", &WebInterface, CUPSD_VARTYPE_BOOLEAN }
  +};
  +static const cupsd_var_t cupsfiles_vars[] =
  +{
• { "AccessLog", &AccessLog, CUPSD_VARTYPE_STRING },
• { "CacheDir", &CacheDir, CUPSD_VARTYPE_STRING },
• { "ConfigFilePerm", &ConfigFilePerm, CUPSD_VARTYPE_INTEGER },
• { "DataDir", &DataDir, CUPSD_VARTYPE_STRING },
• { "DocumentRoot", &DocumentRoot, CUPSD_VARTYPE_STRING },
• { "ErrorLog", &ErrorLog, CUPSD_VARTYPE_STRING },
• { "FileDevice", &FileDevice, CUPSD_VARTYPE_BOOLEAN },
• { "FontPath", &FontPath, CUPSD_VARTYPE_STRING },
• { "LogFilePerm", &LogFilePerm, CUPSD_VARTYPE_INTEGER },
• { "LPDConfigFile", &LPDConfigFile, CUPSD_VARTYPE_STRING },
• { "PageLog", &PageLog, CUPSD_VARTYPE_STRING },
• { "Printcap", &Printcap, CUPSD_VARTYPE_STRING },
• { "RemoteRoot", &RemoteRoot, CUPSD_VARTYPE_STRING },
• { "RequestRoot", &RequestRoot, CUPSD_VARTYPE_STRING },
  { "ServerBin", &ServerBin, CUPSD_VARTYPE_PATHNAME },
  #ifdef HAVE_SSL
  { "ServerCertificate", &ServerCertificate, CUPSD_VARTYPE_PATHNAME },
  @@ -174,7 +182,6 @@
  { "ServerKey", &ServerKey, CUPSD_VARTYPE_PATHNAME },

endif /* HAVE_LIBSSL || HAVE_GNUTLS _/

#endif /_ HAVE_SSL */

• { "ServerName", &ServerName, CUPSD_VARTYPE_STRING },
  { "ServerRoot", &ServerRoot, CUPSD_VARTYPE_PATHNAME },
  { "SMBConfigFile", &SMBConfigFile, CUPSD_VARTYPE_STRING },
  { "StateDir", &StateDir, CUPSD_VARTYPE_STRING },
  @@ -182,12 +189,7 @@
  { "SystemGroupAuthKey", &SystemGroupAuthKey, CUPSD_VARTYPE_STRING },
  #endif /* HAVE_AUTHORIZATION_H */
  { "TempDir", &TempDir, CUPSD_VARTYPE_PATHNAME },
• { "Timeout", &Timeout, CUPSD_VARTYPE_INTEGER },
• { "UseNetworkDefault", &UseNetworkDefault, CUPSD_VARTYPE_BOOLEAN },
• { "WebInterface", &WebInterface, CUPSD_VARTYPE_BOOLEAN }
  };

-#define NUM_VARS (sizeof(variables) / sizeof(variables[0]))

static const unsigned ones[4] =
{
@@ -212,7 +214,12 @@
static int parse_fatal_errors(const char *s);
static int parse_groups(const char *s);
static int parse_protocols(const char *s);
-static int read_configuration(cups_file_t *fp);
+static int parse_variable(const char *filename, int linenum,

•                      const char *line, const char *value,
  

•                      size_t num_vars,
  

•                      const cupsd_var_t *vars);
  

  +static int read_cupsd_conf(cups_file_t *fp);
  +static int read_cups_files_conf(cups_file_t *fp);
  static int read_location(cups_file_t *fp, char *name, int linenum);
  static int read_policy(cups_file_t *fp, char *name, int linenum);
  static void set_policy_defaults(cupsd_policy_t *pol);
  @@ -705,22 +712,48 @@
  cupsdInitEnv();

  /*

• * Read the configuration file...

• * Read the cups-files.conf file...

• */

• if ((fp = cupsFileOpen(CupsFilesFile, "r")) != NULL)
• {
• status = read_cups_files_conf(fp);

• cupsFileClose(fp);

• if (!status)

•  return (0);
  

• }
• else if (errno == ENOENT)
• cupsdLogMessage(CUPSD_LOG_INFO, "No %s, using defaults.", CupsFilesFile);
• else
• {
• cupsdLogMessage(CUPSD_LOG_CRIT, "Unable to open %s: %s", CupsFilesFile,

•                strerror(errno));
  

• return (0);
• }

• if (!ErrorLog)
• cupsdSetString(&ErrorLog, CUPS_LOGDIR "/error_log");

• /*

• • Read the cupsd.conf file...
    */

  if ((fp = cupsFileOpen(ConfigurationFile, "r")) == NULL)

• {

• cupsdLogMessage(CUPSD_LOG_CRIT, "Unable to open %s: %s", ConfigurationFile,

•                strerror(errno));
  

  return (0);

• }

• status = read_configuration(fp);

• status = read_cupsd_conf(fp);

cupsFileClose(fp);

if (!status)
return (0);

• if (!ErrorLog)

- cupsdSetString(&ErrorLog, CUPS_LOGDIR "/error_log");

RunUser = getuid();

cupsdLogMessage(CUPSD_LOG_INFO, "Remote access is %s.",
@@ -839,6 +872,13 @@
BrowseACL = cupsdFindLocation("CUPS_INTERNAL_BROWSE_ACL");

/*

• * Make sure ConfigFilePerm and LogFilePerm have sane values...
• */

• ConfigFilePerm &= 0664;
• LogFilePerm &= 0664;

• /*
  • Open the system log for cupsd if necessary...
    */

@@ -2504,13 +2544,174 @@

/*

• * 'read_configuration()' - Read a configuration file.
• * 'parse_variable()' - Parse a variable line.
• /
  +
  +static int / O - 1 on success, 0 on failure */
  +parse_variable(
• const char filename, / I - Name of configuration file */
• int linenum, /* I - Line in configuration file */
• const char line, / I - Line from configuration file */
• const char value, / I - Value from configuration file */
• size_t num_vars, /* I - Number of variables */
• const cupsd_var_t vars) / I - Variables */
  +{
• size_t i; /* Looping var */
• const cupsd_var_t var; / Variables */
• char temp[1024]; /* Temporary string */

• for (i = num_vars, var = vars; i > 0; i --, var ++)
• if (!_cups_strcasecmp(line, var->name))

•  break;
  
• if (i == 0)
• {
• /*
• * Unknown directive! Output an error message and continue...
• */

• if (!value)

•  cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

• else

•  cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.",
  

•         line, linenum, filename);
  
• return (0);
• }

• switch (var->type)
• {
• case CUPSD_VARTYPE_INTEGER :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing integer value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

•      return (0);
  

• }
• else if (!isdigit(*value & 255))
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Bad integer value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

•      return (0);
  

• }
• else
• {

• int   n;      /\* Number */
  

• char  _units;     /_ Units */
  

• n = strtol(value, &units, 0);
  

• if (units && *units)
  

• {
  

•   if (tolower(units[0] & 255) == 'g')
  

•     n *= 1024 \* 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'm')
  

•     n *= 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'k')
  

•     n *= 1024;
  

•   else if (tolower(units[0] & 255) == 't')
  

•     n *= 262144;
  

•   else
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "Unknown integer value for %s on line %d of %s.",
  

•             line, linenum, filename);
  

•     return (0);
  

•   }
  

• }
  

• if (n < 0)
  

• {
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•           "Bad negative integer value for %s on line %d of "
  

•           "%s.", line, linenum, filename);
  

•   return (0);
  

• }
  

• else
  

• {
  

•   *((int *)var->ptr) = n;
  

• }
  

• }
• break;

• case CUPSD_VARTYPE_BOOLEAN :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing boolean value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

• return (0);
  

• }
• else if (!_cups_strcasecmp(value, "true") ||

•    !_cups_strcasecmp(value, "on") ||
  

•    !_cups_strcasecmp(value, "enabled") ||
  

•    !_cups_strcasecmp(value, "yes") ||
  

•    atoi(value) != 0)
  

• {

• *((int *)var->ptr) = TRUE;
  

• }
• else if (!_cups_strcasecmp(value, "false") ||

•    !_cups_strcasecmp(value, "off") ||
  

•    !_cups_strcasecmp(value, "disabled") ||
  

•    !_cups_strcasecmp(value, "no") ||
  

•    !_cups_strcasecmp(value, "0"))
  

• {

• *((int *)var->ptr) = FALSE;
  

• }
• else
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Unknown boolean value %s on line %d of %s.",
  

•         value, linenum, filename);
  

• return (0);
  

• }
• break;

• case CUPSD_VARTYPE_PATHNAME :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing pathname value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

• return (0);
  

• }

• if (value[0] == '/')

• strlcpy(temp, value, sizeof(temp));
  

• else

• snprintf(temp, sizeof(temp), "%s/%s", ServerRoot, value);
  
• if (access(temp, 0))
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "File or directory for \"%s %s\" on line %d of %s "
  

•         "does not exist.", line, value, linenum, filename);
  

• return (0);
  

• }

• cupsdSetString((char **)var->ptr, temp);
• break;

• case CUPSD_VARTYPE_STRING :
• cupsdSetString((char **)var->ptr, value);
• break;
• }

• return (1);
  +}

+/*

• • 'read_cupsd_conf()' - Read the cupsd.conf configuration file.
    */

  static int /* O - 1 on success, 0 on failure /
  -read_configuration(cups_file_t *fp) / I - File to read from /
  +read_cupsd_conf(cups_file_t *fp) / I - File to read from */
  {

• int i; /* Looping var /
  int linenum; / Current line number /
  char line[HTTP_MAX_BUFFER],
  / Line from file /
  @@ -2520,7 +2721,6 @@
  *value, / Pointer to value /
  *valueptr; / Pointer into value /
  int valuelen; / Length of value */

• cupsd_var_t const var; / Current variable /
  http_addrlist_t *addrlist, / Address list /
  *addr; / Current address /
  unsigned ip[4], / Address value /
  @@ -2530,7 +2730,6 @@
  cupsd_location_t *location; / Browse location /
  cups_file_t *incfile; / Include file /
  char incname[1024]; / Include filename */

• struct group group; / Group */

/*
@@ -2562,7 +2761,7 @@
incname, strerror(errno));
else
{

•    read_configuration(incfile);
  

•    read_cupsd_conf(incfile);
  

  cupsFileClose(incfile);
  }
  }
  @@ -2586,8 +2785,6 @@
  if (linenum == 0)
  return (0);
  }
• else if (!_cups_strcasecmp(line, "FatalErrors"))

•  FatalErrors = parse_fatal_errors(value);
  

  else if (!_cups_strcasecmp(line, "FaxRetryInterval") && value)
  {
  JobRetryInterval = atoi(value);
  @@ -3246,81 +3443,6 @@
  }
  }
  #endif /* HAVE_SSL */
• else if (!_cups_strcasecmp(line, "User") && value)
• {

• /*
  

•  \* User ID to run as...
  

- */

•  if (isdigit(value[0] & 255))
  

•  {
  

- int uid = atoi(value);

• if (!uid)

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Will not use User 0 as specified on line %d "
  

•         "for security reasons.  You must use a non-"
  

•         "privileged account instead.",
  

•                 linenum);
  

•    else
  

• User = atoi(value);
  

•  }
  

•  else
  

•  {
  

- struct passwd p; / Password information */

•    endpwent();
  

- p = getpwnam(value);

• if (p)
• {

• if (!p->pw_uid)
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Will not use User %s (UID=0) as specified on line "
  

•           "%d for security reasons.  You must use a non-"
  

•           "privileged account instead.",
  

•                   value, linenum);
  

• else
  

•   User = p->pw_uid;
  

• }
• else

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown User \"%s\" on line %d, ignoring.",
  

•                 value, linenum);
  

•  }
  

• }
• else if (!_cups_strcasecmp(line, "Group") && value)
• {

• /*
  

•  \* Group ID to run as...
  

- */

•  if (isdigit(value[0]))
  

•    Group = atoi(value);
  

•  else
  

•  {
  

•    endgrent();
  

- group = getgrnam(value);

• if (group != NULL)

• Group = group->gr_gid;
  

• else

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown Group \"%s\" on line %d, ignoring.",
  

•                 value, linenum);
  

•  }
  

• }
• else if (!_cups_strcasecmp(line, "SystemGroup") && value)
• {

• /*
  

•  \* SystemGroup (admin) group(s)...
  

- */

•  if (!parse_groups(value))
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown SystemGroup \"%s\" on line %d, ignoring.",
  

•               value, linenum);
  

• }
  else if (!_cups_strcasecmp(line, "HostNameLookups") && value)
  {
  /*
  @@ -3399,22 +3521,6 @@
  cupsdLogMessage(CUPSD_LOG_WARN, "Unknown LogTimeFormat %s on line %d.",
  value, linenum);
  }
• else if (!_cups_strcasecmp(line, "PrintcapFormat") && value)

[michaelrsweet]

• {

• /*
  

•  \* Format of printcap file?
  

- */

•  if (!_cups_strcasecmp(value, "bsd"))
  

•    PrintcapFormat = PRINTCAP_BSD;
  

•  else if (!_cups_strcasecmp(value, "plist"))
  

•    PrintcapFormat = PRINTCAP_PLIST;
  

•  else if (!_cups_strcasecmp(value, "solaris"))
  

•    PrintcapFormat = PRINTCAP_SOLARIS;
  

•  else
  

• cupsdLogMessage(CUPSD_LOG_WARN, "Unknown PrintcapFormat %s on line %d.",

•               value, linenum);
  

• }
  else if (!_cups_strcasecmp(line, "ServerTokens") && value)
  {
  /*
  @@ -3540,117 +3646,192 @@
  "line %d.", value, linenum);
  }
  #endif /* HAVE_SSL */
• else if (!_cups_strcasecmp(line, "AccessLog") ||

•         !_cups_strcasecmp(line, "CacheDir") ||
  

•         !_cups_strcasecmp(line, "ConfigFilePerm") ||
  

•         !_cups_strcasecmp(line, "DataDir") ||
  

•         !_cups_strcasecmp(line, "DocumentRoot") ||
  

•         !_cups_strcasecmp(line, "ErrorLog") ||
  

•         !_cups_strcasecmp(line, "FatalErrors") ||
  

•         !_cups_strcasecmp(line, "FileDevice") ||
  

•         !_cups_strcasecmp(line, "FontPath") ||
  

•         !_cups_strcasecmp(line, "Group") ||
  

•         !_cups_strcasecmp(line, "LogFilePerm") ||
  

•         !_cups_strcasecmp(line, "LPDConfigFile") ||
  

•         !_cups_strcasecmp(line, "PageLog") ||
  

•         !_cups_strcasecmp(line, "Printcap") ||
  

•         !_cups_strcasecmp(line, "PrintcapFormat") ||
  

•         !_cups_strcasecmp(line, "RemoteRoot") ||
  

•         !_cups_strcasecmp(line, "RequestRoot") ||
  

•         !_cups_strcasecmp(line, "ServerBin") ||
  

•         !_cups_strcasecmp(line, "ServerCertificate") ||
  

•         !_cups_strcasecmp(line, "ServerKey") ||
  

•         !_cups_strcasecmp(line, "ServerRoot") ||
  

•         !_cups_strcasecmp(line, "SMBConfigFile") ||
  

•         !_cups_strcasecmp(line, "StateDir") ||
  

•         !_cups_strcasecmp(line, "SystemGroup") ||
  

•         !_cups_strcasecmp(line, "SystemGroupAuthKey") ||
  

•         !_cups_strcasecmp(line, "TempDir") ||
  

•    !_cups_strcasecmp(line, "User"))
  

• {

•  cupsdLogMessage(CUPSD_LOG_WARN,
  

•         "Please move \"%s%s%s\" on line %d of %s to the %s file; "
  

•         "this will become an error in a future release.",
  

•         line, value ? " " : "", value ? value : "", linenum,
  

•         ConfigurationFile, CupsFilesFile);
  

• }
  else

•  parse_variable(ConfigurationFile, linenum, line, value,
  

•                 sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars);
  

• }

• return (1);
  +}

+/*

• * 'read_cups_files_conf()' - Read the cups-files.conf configuration file.
• /
  +
  +static int / O - 1 on success, 0 on failure /
  +read_cups_files_conf(cups_file_t *fp) / I - File to read from */
  +{
• int linenum; /* Current line number */
• char line[HTTP_MAX_BUFFER], /* Line from file */

•   _value;         /_ Value from line */
  

• struct group group; / Group */

• /*
• * Loop through each line in the file...
• */

• linenum = 0;

• while (cupsFileGetConf(fp, line, sizeof(line), &value, &linenum))

• {

• if (!_cups_strcasecmp(line, "FatalErrors"))

•  FatalErrors = parse_fatal_errors(value);
  

• else if (!_cups_strcasecmp(line, "Group") && value)
  {
  /*

•  \* Find a simple variable in the list...
  

•  * Group ID to run as...
  

  */

•  for (i = NUM_VARS, var = variables; i > 0; i --, var ++)
  

•    if (!_cups_strcasecmp(line, var->name))
  

- break;

•  if (i == 0)
  

•  if (isdigit(value[0]))
  

•    Group = atoi(value);
  

•  else
  

  {

•   /*
  

•    \* Unknown directive!  Output an error message and continue...
  

• */

•    endgrent();
  

• group = getgrnam(value);

•    if (!value)
  

• cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d.",
  

•                 line, linenum);
  

• if (group != NULL)

• Group = group->gr_gid;
  

  else

• cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d.",
  

•                 line, linenum);
  

•    continue;
  

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown Group \"%s\" on line %d of %s.", value,
  

•                 linenum, CupsFilesFile);
  

• if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•   return (0);
  

• }
  }
• }
• else if (!_cups_strcasecmp(line, "PrintcapFormat") && value)
• {

• /*
  

•  \* Format of printcap file?
  

•  */
  

•  switch (var->type)
  

•  if (!_cups_strcasecmp(value, "bsd"))
  

•    PrintcapFormat = PRINTCAP_BSD;
  

•  else if (!_cups_strcasecmp(value, "plist"))
  

•    PrintcapFormat = PRINTCAP_PLIST;
  

•  else if (!_cups_strcasecmp(value, "solaris"))
  

•    PrintcapFormat = PRINTCAP_SOLARIS;
  

•  else
  

  {

•    case CUPSD_VARTYPE_INTEGER :
  

•   if (!value)
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing integer value for %s on line %d.",
  

•             line, linenum);
  

•   else
  

•   {
  

•     int   n;      /\* Number */
  

- char units; / Units */

- n = strtol(value, &units, 0);

•     if (units && *units)
  

•     {
  

•       if (tolower(units[0] & 255) == 'g')
  

•     n *= 1024 \* 1024 \* 1024;
  

•       else if (tolower(units[0] & 255) == 'm')
  

•     n *= 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'k')
  

•     n *= 1024;
  

•   else if (tolower(units[0] & 255) == 't')
  

•     n *= 262144;
  

- }

•          if (n < 0)
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Bad negative integer value for %s on line %d.",
  

•           line, linenum);
  

•     else
  

•   *((int *)var->ptr) = n;
  

•   }
  

•   break;
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown PrintcapFormat \"%s\" on line %d of %s.",
  

•               value, linenum, CupsFilesFile);
  

•    if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•      return (0);
  

•  }
  

• }

• else if (!_cups_strcasecmp(line, "SystemGroup") && value)

• {

• /*
  

•  \* SystemGroup (admin) group(s)...
  

•  */
  

• case CUPSD_VARTYPE_BOOLEAN :

•   if (!value)
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing boolean value for %s on line %d.",
  

•             line, linenum);
  

•        else if (!_cups_strcasecmp(value, "true") ||
  

•            !_cups_strcasecmp(value, "on") ||
  

•        !_cups_strcasecmp(value, "enabled") ||
  

•        !_cups_strcasecmp(value, "yes") ||
  

•        atoi(value) != 0)
  

•          *((int *)var->ptr) = TRUE;
  

•   else if (!_cups_strcasecmp(value, "false") ||
  

•            !_cups_strcasecmp(value, "off") ||
  

•        !_cups_strcasecmp(value, "disabled") ||
  

•        !_cups_strcasecmp(value, "no") ||
  

•        !_cups_strcasecmp(value, "0"))
  

•          *((int *)var->ptr) = FALSE;
  

•   else
  

•          cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Unknown boolean value %s on line %d.",
  

•                     value, linenum);
  

•   break;
  

•  if (!parse_groups(value))
  

•  {
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown SystemGroup \"%s\" on line %d of %s.", value,
  

•               linenum, CupsFilesFile);
  

•    if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•      return (0);
  

•  }
  

• }

• else if (!_cups_strcasecmp(line, "User") && value)

• {

• /*
  

•  \* User ID to run as...
  

•  */
  

• case CUPSD_VARTYPE_PATHNAME :

•        if (!value)
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing pathname value for %s on line %d.",
  

•             line, linenum);
  

•          break;
  

•   }
  

•  if (isdigit(value[0] & 255))
  

•  {
  

•    int uid = atoi(value);
  

•   if (value[0] == '/')
  

•     strlcpy(temp, value, sizeof(temp));
  

•   else
  

•     snprintf(temp, sizeof(temp), "%s/%s", ServerRoot, value);
  

• if (!uid)

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Will not use User 0 as specified on line %d of %s "
  

•         "for security reasons.  You must use a non-"
  

•         "privileged account instead.",
  

•                 linenum, CupsFilesFile);
  

•      if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•        return (0);
  

•    }
  

•    else
  

• User = atoi(value);
  

•  }
  

•  else
  

•  {
  

•    struct passwd *p;  /* Password information */
  

•        if (access(temp, 0))
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "File or directory for \"%s %s\" on line %d "
  

•             "does not exist.", line, value, linenum);
  

•          break;
  

•   }
  

•    endpwent();
  

• p = getpwnam(value);

• case CUPSD_VARTYPE_STRING :

•   cupsdSetString((char **)var->ptr, value);
  

•   break;
  

• if (p)

• {

• if (!p->pw_uid)
  

• {
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Will not use User %s (UID=0) as specified on line "
  

•           "%d of %s for security reasons.  You must use a "
  

•           "non-privileged account instead.",
  

•                   value, linenum, CupsFilesFile);
  

•   if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•     return (0);
  

• }
  

• else
  

•   User = p->pw_uid;
  

• }

• else

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown User \"%s\" on line %d of %s.",
  

•                 value, linenum, CupsFilesFile);
  

•      if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•        return (0);
  

•    }
  

  }
  }

• else if (!parse_variable(CupsFilesFile, linenum, line, value,

•            sizeof(cupsfiles_vars) / sizeof(cupsfiles_vars[0]),
  

•            cupsfiles_vars) &&
  

•    (FatalErrors & CUPSD_FATAL_CONFIG))
  

•  return (0);
  

  }

  return (1);
  --- a/scheduler/conf.h
  +++ b/scheduler/conf.h
  @@ -96,7 +96,9 @@
  */

  VAR char *ConfigurationFile VALUE(NULL),

•               /\* Configuration file to use */
  

•               /\* cupsd.conf file to use */
  

•       *CupsFilesFile      VALUE(NULL),
  

•               /\* cups-files.conf file to use _/
      *ServerName     VALUE(NULL),
              /_ FQDN for server */
      *ServerAdmin        VALUE(NULL),
  

  --- a/scheduler/main.c
  +++ b/scheduler/main.c
  @@ -234,6 +234,35 @@
  cupsdSetStringf(&ConfigurationFile, "%s/%s", current, argv[i]);
  free(current);
  }
  +

•     if (!CupsFilesFile)
  

•     {
  

•       char    _filename,  /_ Copy of cupsd.conf filename */
  

•       _slash;     /_ Final slash in cupsd.conf filename */
  

•   size_t  len;        /\* Size of buffer */
  

•   len = strlen(ConfigurationFile) + 15;
  

•   if ((filename = malloc(len)) == NULL)
  

•   {
  

•     _cupsLangPrintf(stderr,
  

•                     _("cupsd: Unable to get path to "
  

•                       "cups-files.conf file."));
  

•              return (1);
  

•   }
  

•   strlcpy(filename, ConfigurationFile, len);
  

•   if ((slash = strrchr(filename, '/')) == NULL)
  

•   {
  

•     _cupsLangPrintf(stderr,
  

•                     _("cupsd: Unable to get path to "
  

•                       "cups-files.conf file."));
  

•              return (1);
  

•   }
  

•   strlcpy(slash, "/cups-files.conf", len - (slash - filename));
  

•   cupsdSetString(&CupsFilesFile, filename);
  

•   free(filename);
  

•     }
    break;
  
     case 'f' : /* Run in foreground... */
  

  @@ -272,6 +301,29 @@
  UseProfiles = 0;
  break;

•      case 's' : /* Set cups-files.conf location */
  

•          i ++;
  

•     if (i >= argc)
  

•     {
  

•       _cupsLangPuts(stderr, _("cupsd: Expected cups-files.conf "
  

•                               "filename after \"-s\" option."));
  

•       usage(1);
  

•     }
  

•          if (argv[i][0] != '/')
  

•     {
  

•      /*
  

•       \* Relative filename not allowed...
  

•   */
  

•       _cupsLangPuts(stderr, _("cupsd: Relative cups-files.conf "
  

•                               "filename not allowed."));
  

•       usage(1);
  

•          }
  

•     cupsdSetString(&CupsFilesFile, argv[i]);
  

•     break;
  

  #ifdef APPLE
  case 'S' : /* Disable system management functions */
  fputs("cupsd: -S (disable system management) for internal "
  @@ -298,9 +350,41 @@
  usage(1);
  }

• if (!ConfigurationFile)

- cupsdSetString(&ConfigurationFile, CUPS_SERVERROOT "/cupsd.conf");

• if (!ConfigurationFile)

• {

•  cupsdSetString(&ConfigurationFile, CUPS_SERVERROOT "/cupsd.conf");
  

•  cupsdSetString(&CupsFilesFile, CUPS_SERVERROOT "/cups-files.conf");
  

• }

• if (!CupsFilesFile)

• {

•  char _filename,      /_ Copy of cupsd.conf filename */
  

•   _slash;         /_ Final slash in cupsd.conf filename */
  

•  size_t   len;            /\* Size of buffer */
  

•  len = strlen(ConfigurationFile) + 15;
  

•  if ((filename = malloc(len)) == NULL)
  

•  {
  

•    _cupsLangPrintf(stderr,
  

•         _("cupsd: Unable to get path to "
  

•       "cups-files.conf file."));
  

•    return (1);
  

•  }
  

•  strlcpy(filename, ConfigurationFile, len);
  

•  if ((slash = strrchr(filename, '/')) == NULL)
  

•  {
  

•    _cupsLangPrintf(stderr,
  

•         _("cupsd: Unable to get path to "
  

•       "cups-files.conf file."));
  

•    return (1);
  

•  }
  

•  strlcpy(slash, "/cups-files.conf", len - (slash - filename));
  

•  cupsdSetString(&CupsFilesFile, filename);
  

•  free(filename);
  

• }

• /*

  • If the user hasn't specified "-f", run in the background...
    */
    --- a/test/run-stp-tests.sh
    +++ b/test/run-stp-tests.sh
    @@ -337,25 +337,10 @@

  cat >/tmp/cups-$user/cupsd.conf <<EOF
  Browsing Off
  -FileDevice yes
  -Printcap
  Listen 127.0.0.1:$port
  -User $user
  -ServerRoot /tmp/cups-$user
  -StateDir /tmp/cups-$user
  -ServerBin /tmp/cups-$user/bin
  -CacheDir /tmp/cups-$user/share
  -DataDir /tmp/cups-$user/share
  -FontPath /tmp/cups-$user/share/fonts
  PassEnv LOCALEDIR
  -DocumentRoot $root/doc
  -RequestRoot /tmp/cups-$user/spool
  -TempDir /tmp/cups-$user/spool/temp
  MaxSubscriptions 3
  MaxLogSize 0
  -AccessLog /tmp/cups-$user/log/access_log
  -ErrorLog /tmp/cups-$user/log/error_log
  -PageLog /tmp/cups-$user/log/page_log
  AccessLogLevel actions
  LogLevel debug2
  LogTimeFormat usecs
  @@ -370,6 +355,24 @@
  
  EOF

+cat >/tmp/cups-$user/cups-files.conf <<EOF
+FileDevice yes
+Printcap
+User $user
+ServerRoot /tmp/cups-$user
+StateDir /tmp/cups-$user
+ServerBin /tmp/cups-$user/bin
+CacheDir /tmp/cups-$user/share
+DataDir /tmp/cups-$user/share
+FontPath /tmp/cups-$user/share/fonts
+DocumentRoot $root/doc
+RequestRoot /tmp/cups-$user/spool
+TempDir /tmp/cups-$user/spool/temp
+AccessLog /tmp/cups-$user/log/access_log
+ErrorLog /tmp/cups-$user/log/error_log
+PageLog /tmp/cups-$user/log/page_log
+EOF
+

Setup lots of test queues - half with PPD files, half without...

[michaelrsweet]

"str4223v2p2.patch":

Index: locale/cups_ja.po

--- locale/cups_ja.po (revision 10728)
+++ locale/cups_ja.po (working copy)
@@ -2836,9 +2836,9 @@
#, c-format
msgid ""
"File device URIs have been disabled. To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
+"in "%s/cups-files.conf"."
msgstr ""
-"�������� URI �������������������"%s/cupsd.conf" "
+"�������� URI �������������������"%s/cups-files.conf" "
"� FileDevice �����������������"

#, c-format

Index: locale/cups_ca.po

--- locale/cups_ca.po (revision 10728)
+++ locale/cups_ca.po (working copy)
@@ -2853,10 +2853,10 @@
#, c-format
msgid ""
"File device URIs have been disabled. To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
+"in "%s/cups-files.conf"."
msgstr ""
"S'han deshabilitat els URIs dels dispositius de fitxers. Per habilitar-los, "
-"vegeu la directriu FileDevice a «%s/cupsd.conf»."
+"vegeu la directriu FileDevice a «%s/cups-files.conf»."

#, c-format
msgid "Finished page %d."

Index: locale/cups_es.po

--- locale/cups_es.po (revision 10728)
+++ locale/cups_es.po (working copy)
@@ -2839,10 +2839,10 @@
#, c-format
msgid ""
"File device URIs have been disabled. To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
+"in "%s/cups-files.conf"."
msgstr ""
"Los URIs del dispositivo de archivo han sido deshabilitados. Para "
-"habilitarlos, vea la directiva FileDevice en "%s/cupsd.conf"."
+"habilitarlos, vea la directiva FileDevice en "%s/cups-files.conf"."

#, c-format
msgid "Finished page %d."

Index: scheduler/ipp.c

--- scheduler/ipp.c (revision 10728)
+++ scheduler/ipp.c (working copy)
@@ -2426,7 +2426,7 @@
send_ipp_status(con, IPP_NOT_POSSIBLE,
_("File device URIs have been disabled. "
"To enable, see the FileDevice directive in "

•         "\"%s/cupsd.conf\"."),
  

•         "\"%s/cups-files.conf\"."),
      ServerRoot);
  

  return;
  }

[michaelrsweet]

"str4223v2p2-1.6.patch":

Index: locale/cups_ja.po

--- locale/cups_ja.po (revision 10728)
+++ locale/cups_ja.po (working copy)
@@ -3631,8 +3631,8 @@
#, c-format
msgid ""
"File device URIs have been disabled. To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
-msgstr "�������� URI �������������������"%s/cupsd.conf" � FileDevice �����������������"
+"in "%s/cups-files.conf"."
+msgstr "�������� URI �������������������"%s/cups-files.conf" � FileDevice �����������������"

#: filter/rastertoepson.c:1117 filter/rastertohp.c:845
#: filter/rastertolabel.c:1273

Index: locale/cups_ca.po

--- locale/cups_ca.po (revision 10728)
+++ locale/cups_ca.po (working copy)
@@ -3710,10 +3710,10 @@
#, c-format
msgid ""
"File device URIs have been disabled. To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
+"in "%s/cups-files.conf"."
msgstr ""
"S'han deshabilitat els URIs dels dispositius de fitxers. Per habilitar-los, "
-"vegeu la directriu FileDevice a «%s/cupsd.conf»."
+"vegeu la directriu FileDevice a «%s/cups-files.conf»."

#: filter/rastertoepson.c:1117 filter/rastertohp.c:845
#: filter/rastertolabel.c:1273

Index: locale/cups_es.po

--- locale/cups_es.po (revision 10728)
+++ locale/cups_es.po (working copy)
@@ -3824,8 +3824,8 @@

#: scheduler/ipp.c:2370
#, c-format
-msgid "File device URIs have been disabled. To enable, see the FileDevice directive in "%s/cupsd.conf"."
-msgstr "Los URIs del dispositivo de archivo han sido deshabilitados. Para habilitarlos, vea la directiva FileDevice en "%s/cupsd.conf"."
+msgid "File device URIs have been disabled. To enable, see the FileDevice directive in "%s/cups-files.conf"."
+msgstr "Los URIs del dispositivo de archivo han sido deshabilitados. Para habilitarlos, vea la directiva FileDevice en "%s/cups-files.conf"."

#: filter/rastertoepson.c:1117
#: filter/rastertohp.c:845

Index: scheduler/ipp.c

--- scheduler/ipp.c (revision 10728)
+++ scheduler/ipp.c (working copy)
@@ -2405,7 +2405,7 @@
send_ipp_status(con, IPP_NOT_POSSIBLE,
_("File device URIs have been disabled. "
"To enable, see the FileDevice directive in "

•         "\"%s/cupsd.conf\"."),
  

•         "\"%s/cups-files.conf\"."),
      ServerRoot);
  

  return;
  }

[michaelrsweet]

"cups-logfile-warning.patch":

diff -up cups-1.6.1/scheduler/conf.c.extra cups-1.6.1/scheduler/conf.c
--- cups-1.6.1/scheduler/conf.c.extra 2012-12-06 13:33:15.386055779 +0000
+++ cups-1.6.1/scheduler/conf.c 2012-12-06 13:39:38.167160016 +0000
@@ -801,7 +801,13 @@ cupsdReadConfiguration(void)
cupsFileClose(fp);

 if (!status)

• {

•  if (TestConfigFile)
  

•    printf("%s contains errors\n", CupsFilesFile);
  

•  else
  

•    cupsdLogMessage(CUPSD_LOG_CRIT, "Unable to read %s", CupsFilesFile);
  

  return (0);
• }
  }
  else if (errno == ENOENT)
  cupsdLogMessage(CUPSD_LOG_INFO, "No %s, using defaults.", CupsFilesFile);
  @@ -831,7 +837,13 @@ cupsdReadConfiguration(void)
  cupsFileClose(fp);

if (!status)

• {
• if (TestConfigFile)

•  printf("%s contains errors\n", ConfigurationFile);
  

• else

•  cupsdLogMessage(CUPSD_LOG_CRIT, "Unable to read %s", ConfigurationFile);
  

  return (0);
• }

RunUser = getuid();

diff -up cups-1.6.1/scheduler/main.c.extra cups-1.6.1/scheduler/main.c
--- cups-1.6.1/scheduler/main.c.extra 2012-12-06 13:33:21.433074828 +0000
+++ cups-1.6.1/scheduler/main.c 2012-12-06 13:38:53.750040272 +0000
@@ -554,11 +554,8 @@ main(int argc, /* I - Number of comm

if (!cupsdReadConfiguration())
{

• if (TestConfigFile)

•  printf("%s contains errors\n", ConfigurationFile);
  

• else

•  syslog(LOG_LPR, "Unable to read configuration file \'%s\' - exiting!",
  

•    ConfigurationFile);
  

• if (!TestConfigFile)

•  syslog(LOG_LPR, "Unable to read configuration file - exiting!");
  

  return (1);
  }
  else if (TestConfigFile)

[michaelrsweet]

"str4223v2-1.4.4-debian.patch":

#! /bin/sh /usr/share/dpatch/dpatch-run

DP: Description: Move file, directory, user, and group configuration to a

DP: separate file. Also warn about directives that have moved and set

DP: default cups-files.conf.

DP:

DP: Author: Michael Sweet msweet@apple.com

DP: Origin: http://svn.cups.org/public/cups/branches/branch-1.6@10710

DP: Origin: http://svn.cups.org/public/cups/branches/branch-1.6@10713

DP:

DP: Author: Marc Deslauriers marc.deslauriers@canonical.com

DP: Author: Tim Waugh twaugh@redhat.com

DP:

DP: Bug-Upstream: https://www.cups.org/str.php?L4223

DP: Bug-Debian: http://bugs.debian.org/692791

DP: Bug-CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5519

@dpatch@
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/conf/Makefile cups/conf/Makefile
--- cups~/conf/Makefile 2012-12-08 00:29:09.000000000 +0100
+++ cups/conf/Makefile 2012-12-08 00:29:10.000000000 +0100
@@ -19,7 +19,7 @@

Config files...

-KEEP = cupsd.conf snmp.conf
+KEEP = cups-files.conf cupsd.conf snmp.conf
REPLACE = mime.convs mime.types

diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/conf/cups-files.conf.in cups/conf/cups-files.conf.in
--- cups~/conf/cups-files.conf.in 1970-01-01 01:00:00.000000000 +0100
+++ cups/conf/cups-files.conf.in 2012-12-08 00:29:10.000000000 +0100
@@ -0,0 +1,98 @@
+#
+# "$Id$"
+#
+# Sample file/directory/user/group configuration file for the CUPS scheduler.
+# See "man cups-files.conf" for a complete description of this file.
+#
+
+# List of events that are considered fatal errors for the scheduler...
+#FatalErrors @CUPS_FATAL_ERRORS@
+
+# Default user and group for filters/backends/helper programs; this cannot be
+# any user or group that resolves to ID 0 for security reasons...
+#User @CUPS_USER@
+#Group @CUPS_GROUP@
+
+# Administrator user group, used to match @System in cupsd.conf policy rules...
+SystemGroup @CUPS_SYSTEM_GROUPS@
+@CUPS_SYSTEM_AUTHKEY@
+
+# User that is substituted for unauthenticated (remote) root accesses...
+#RemoteRoot remroot
+
+# Do we allow file: device URIs other than to /dev/null?
+#FileDevice No
+
+# Permissions for configuration and log files...
+#ConfigFilePerm @CUPS_CONFIG_FILE_PERM@
+#LogFilePerm @CUPS_LOG_FILE_PERM@
+
+# Location of the file logging all access to the scheduler; may be the name
+# "syslog". If not an absolute path, the value of ServerRoot is used as the
+# root directory. Also see the "AccessLogLevel" directive in cupsd.conf.
+AccessLog @CUPS_LOGDIR@/access_log
+
+# Location of cache files used by the scheduler...
+#CacheDir @CUPS_CACHEDIR@
+
+# Location of data files used by the scheduler...
+#DataDir @CUPS_DATADIR@
+
+# Location of the static web content served by the scheduler...
+#DocumentRoot @CUPS_DOCROOT@
+
+# Location of the file logging all messages produced by the scheduler and any
+# helper programs; may be the name "syslog". If not an absolute path, the value
+# of ServerRoot is used as the root directory. Also see the "LogLevel"
+# directive in cupsd.conf.
+ErrorLog @CUPS_LOGDIR@/error_log
+
+# Location of fonts used by older print filters...
+#FontPath @CUPS_FONTPATH@
+
+# Location of LPD configuration
+#LPDConfigFile @CUPS_DEFAULT_LPD_CONFIG_FILE@
+
+# Location of the file logging all pages printed by the scheduler and any
+# helper programs; may be the name "syslog". If not an absolute path, the value
+# of ServerRoot is used as the root directory. Also see the "PageLogFormat"
+# directive in cupsd.conf.
+PageLog @CUPS_LOGDIR@/page_log
+
+# Location of the file listing all of the local printers...
+#Printcap @CUPS_DEFAULT_PRINTCAP@
+
+# Format of the Printcap file...
+#PrintcapFormat bsd
+#PrintcapFormat plist
+#PrintcapFormat solaris
+
+# Location of all spool files...
+#RequestRoot @CUPS_REQUESTS@
+
+# Location of helper programs...
+#ServerBin @CUPS_SERVERBIN@
+
+# SSL/TLS certificate for the scheduler...
+#ServerCertificate @CUPS_SERVERCERT@
+
+# SSL/TLS private key for the scheduler...
+#ServerKey @CUPS_SERVERKEY@
+
+# Location of other configuration files...
+#ServerRoot @CUPS_SERVERROOT@
+
+# Location of Samba configuration file...
+#SMBConfigFile @CUPS_DEFAULT_SMB_CONFIG_FILE@
+
+# Location of scheduler state files...
+#StateDir @CUPS_STATEDIR@
+
+# Location of scheduler/helper temporary files. This directory is emptied on
+# scheduler startup and cannot be one of the standard (public) temporary
+# directory locations for security reasons...
+#TempDir @CUPS_REQUESTS@/tmp
+
+#
+# End of "$Id$".
+#
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/conf/cupsd.conf.in cups/conf/cupsd.conf.in
--- cups~/conf/cupsd.conf.in 2012-12-08 00:29:09.000000000 +0100
+++ cups/conf/cupsd.conf.in 2012-12-08 00:29:10.000000000 +0100
@@ -13,10 +13,6 @@

LogLevel debug2 gets usable now

MaxLogSize 0

-# Administrator user group...
-SystemGroup @CUPS_SYSTEM_GROUPS@

-@CUPS_SYSTEM_AUTHKEY@

Only listen for connections from the local machine.

Listen localhost:@DEFAULT_IPP_PORT@
@CUPS_LISTEN_DOMAINSOCKET@
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/config-scripts/cups-defaults.m4 cups/config-scripts/cups-defaults.m4
--- cups~/config-scripts/cups-defaults.m4 2012-12-07 13:00:47.000000000 +0100
+++ cups/config-scripts/cups-defaults.m4 2012-12-08 00:29:10.000000000 +0100
@@ -353,6 +353,7 @@
fi

AC_DEFINE_UNQUOTED(CUPS_DEFAULT_LPD_CONFIG_FILE, "$CUPS_DEFAULT_LPD_CONFIG_FILE")
+AC_SUBST(CUPS_DEFAULT_LPD_CONFIG_FILE)

dnl Default SMB config file...
AC_ARG_WITH(smbconfigfile, [ --with-smbconfigfile set default SMBConfigFile URI],
@@ -374,6 +375,7 @@
fi

AC_DEFINE_UNQUOTED(CUPS_DEFAULT_SMB_CONFIG_FILE, "$CUPS_DEFAULT_SMB_CONFIG_FILE")
+AC_SUBST(CUPS_DEFAULT_SMB_CONFIG_FILE)

dnl Default MaxCopies value...
AC_ARG_WITH(max-copies, [ --with-max-copies set default max copies value, default=9999 ],
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/config-scripts/cups-ssl.m4 cups/config-scripts/cups-ssl.m4
--- cups~/config-scripts/cups-ssl.m4 2012-12-07 13:00:47.000000000 +0100
+++ cups/config-scripts/cups-ssl.m4 2012-12-08 00:29:10.000000000 +0100
@@ -27,6 +27,8 @@
SSLFLAGS=""
SSLLIBS=""
have_ssl=0
+CUPS_SERVERCERT=""
+CUPS_SERVERKEY=""

if test x$enable_ssl != xno; then
dnl Look for CDSA...
@@ -36,6 +38,7 @@
have_ssl=1
AC_DEFINE(HAVE_SSL)
AC_DEFINE(HAVE_CDSASSL)

•   CUPS_SERVERCERT="/Library/Keychains/System.keychain"
  
  dnl Check for the various security headers...
  AC_CHECK_HEADER(Security/SecPolicy.h,
  

  @@ -85,6 +88,9 @@
  fi

  if test $have_ssl = 1; then

•   CUPS_SERVERCERT="ssl/server.crt"
  

•   CUPS_SERVERKEY="ssl/server.key"
  

  •    if $PKGCONFIG --exists gcrypt; then
      SSLLIBS="$SSLLIBS `$PKGCONFIG --libs gcrypt`"
      SSLFLAGS="$SSLFLAGS `$PKGCONFIG --cflags gcrypt`"
    

  @@ -122,6 +128,9 @@
  $libcrypto)

  if test "x${SSLLIBS}" != "x"; then
  

•       CUPS_SERVERCERT="ssl/server.crt"
  

•       CUPS_SERVERKEY="ssl/server.key"
  

  •   break
    

    fi
    done
    @@ -135,6 +144,8 @@
    AC_MSG_RESULT([ Using SSLFLAGS="$SSLFLAGS"])
    fi

+AC_SUBST(CUPS_SERVERCERT)
+AC_SUBST(CUPS_SERVERKEY)
AC_SUBST(SSLFLAGS)
AC_SUBST(SSLLIBS)

diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/configure.in cups/configure.in
--- cups~/configure.in 2012-12-07 13:00:47.000000000 +0100
+++ cups/configure.in 2012-12-08 00:29:10.000000000 +0100
@@ -63,14 +63,14 @@
AC_SUBST(UNINSTALL_LANGUAGES)

AC_OUTPUT(Makedefs packaging/cups.list init/cups.sh init/cups-lpd cups-config

• conf/cupsd.conf conf/mime.convs conf/pam.std conf/snmp.conf
  

• conf/cups-files.conf conf/cupsd.conf conf/mime.convs conf/pam.std conf/snmp.conf
  

  data/testprint
  desktop/cups.desktop
  doc/index.html doc/help/ref-cupsd-conf.html doc/help/standard.html
  init/org.cups.cups-lpd.plist init/cups.xml
  man/client.conf.man man/cups-deviced.man man/cups-driverd.man
  man/cups-lpd.man man/cupsaddsmb.man man/cupsd.man

• man/cupsd.conf.man man/drv.man man/lpoptions.man
  

• man/cups-files.conf.man man/cupsd.conf.man man/drv.man man/lpoptions.man
  

  templates/header.tmpl
  $LANGFILES)

diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/doc/help/ref-cups-files-conf.html.in cups/doc/help/ref-cups-files-conf.html.in
--- cups~/doc/help/ref-cups-files-conf.html.in 1970-01-01 01:00:00.000000000 +0100
+++ cups/doc/help/ref-cups-files-conf.html.in 2012-12-08 00:29:10.000000000 +0100
@@ -0,0 +1,531 @@
+
+
+

• <TITLE>cups-files.conf</TITLE>

+
+
+
+

cups-files.conf

+
+

The /etc/cups/cups-files.conf file contains configuration directives that control the files, directories. users. and groups that are used by the CUPS scheduler, cupsd(8). Each directive is listed on a line by itself followed by its value. Comments are introduced using the number sign ("#") character at the beginning of a line.

+
+

AccessLog

+
+

Examples

+
+

+AccessLog /var/log/cups/access_log

+AccessLog /var/log/cups/access_log-%s

+AccessLog syslog

+

+
+

Description

+
+

The AccessLog directive sets the name of the
+access log file. If the filename is not absolute then it is
+assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+access log file is stored in "common log format" and can be used
+by any web access reporting tool to generate a report on CUPS
+server activity.

+
+

The server name can be included in the filename by using
+%s in the name.

+
+

The special name "syslog" can be used to send the access
+information to the system log instead of a plain file.

+
+

The default access log file is
+@CUPS_LOGDIR@/access_log.

+
+
+

CUPS 1.1.15ConfigFilePerm

+
+

Examples

+
+

+ConfigFilePerm 0644

+ConfigFilePerm 0640

+

+
+

Description

+
+

The ConfigFilePerm directive specifies the permissions to use when the scheduler writes configuration and cache files, typically in response to IPP or HTTP requests. The default is @CUPS_CONFIG_FILE_PERM@.

+
+

Note:
+
+

The permissions for the printers.conf file are always masked to only allow access from the scheduler user (typically root). This is done because printer device URIs sometimes contain sensitive authentication information that should not be generally known on the system. There is no way to disable this security feature.

+
+

+
+
+

DataDir

+
+

Examples

+
+

+DataDir /usr/share/cups

+

+
+

Description

+
+

The DataDir directive sets the directory to use
+for data files.

+
+
+

CUPS 1.2/OS X 10.5DefaultAuthType

+
+

Examples

+
+

+DefaultAuthType Basic

+DefaultAuthType BasicDigest

+DefaultAuthType Digest

+DefaultAuthType Negotiate

+

+
+

Description

+
+

The DefaultAuthType directive specifies the type
+of authentication to use for IPP operations that require a
+username. The default is Basic.

+
+
+

DocumentRoot

+
+

Examples

+
+

+DocumentRoot /usr/share/doc/cups

+DocumentRoot /foo/bar/doc/cups

+

+
+

Description

+
+

The DocumentRoot directive specifies the location
+of web content for the HTTP server in CUPS. If an absolute path
+is not specified then it is assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default directory is @CUPS_DOCROOT@.

+
+

Documents are first looked up in a sub-directory for the
+primary language requested by the client (e.g.
+@CUPS_DOCROOT@/fr/...) and then directly under
+the DocumentRoot directory (e.g.
+@CUPS_DOCROOT@/...), so it is possible to
+localize the web content by providing subdirectories for each
+language needed.

+
+
+

ErrorLog

+
+

Examples

+
+

+ErrorLog /var/log/cups/error_log

+ErrorLog /var/log/cups/error_log-%s

+ErrorLog syslog

+

+
+

Description

+
+

The ErrorLog directive sets the name of the error
+log file. If the filename is not absolute then it is assumed to
+be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default error log file is @CUPS_LOGDIR@/error_log.

+
+

The server name can be included in the filename by using
+%s in the name.

+
+

The special name "syslog" can be used to send the error
+information to the system log instead of a plain file.

+
+
+

CUPS 1.4/OS X 10.6FatalErrors

+
+

Examples

+
+

+FatalErrors none

+FatalErrors all

+FatalErrors browse

+FatalErrors config

+FatalErrors listen

+FatalErrors log

+FatalErrors permissions

+FatalErrors all -permissions

+FatalErrors config permissions log

+

+
+

Description

+
+

The FatalErrors directive determines whether certain kinds of
+errors are fatal. The following kinds of errors are currently recognized:

+
+

+
• none - No errors are fatal
• all - All of the errors below are fatal
• browse - Browsing initialization errors are fatal,
• for example failed binding to the CUPS browse port or failed connections
• to LDAP servers
• config - Configuration file syntax errors are
• fatal
• listen - Listen or Port errors are fatal, except for
• IPv6 failures on the loopback or "any" addresses
• log - Log file creation or write errors are fatal
• permissions - Bad startup file permissions are
• fatal, for example shared SSL certificate and key files with world-
• read permissions

+

+
+

Multiple errors can be listed, and the form "-kind" can be used with
+all to remove specific kinds of errors. The default setting is
+@CUPS_FATAL_ERRORS@.

+
+
+

CUPS 1.1.18FileDevice

+
+

Examples

+
+

+FileDevice Yes

+FileDevice No

+

+
+

Description

+
+

The FileDevice directive determines whether the
+scheduler allows new printers to be added using device URIs of
+the form file:/filename. File devices are most often
+used to test new printer drivers and do not support raw file
+printing.

+
+

The default setting is No.

+
+

Note:
+
+

File devices are managed by the scheduler. Since the
+scheduler normally runs as the root user, file devices
+can be used to overwrite system files and potentially
+gain unauthorized access to the system. If you must
+create printers using file devices, we recommend that
+you set the FileDevice directive to
+Yes for only as long as you need to add the
+printers to the system, and then reset the directive to
+No.

+
+

+
+
+

CUPS 1.1.3FontPath

+
+

Examples

+
+

+FontPath /foo/bar/fonts

+FontPath /usr/share/cups/fonts:/foo/bar/fonts

+

+
+

Description

+
+

The FontPath directive specifies the font path to
+use when searching for fonts. The default font path is
+/usr/share/cups/fonts.

+
+
+

Group

+
+

Examples

+
+

+Group lp

+Group nobody

+

+
+

Description

+
+

The Group directive specifies the UNIX group that
+filter and CGI programs run as. The default group is
+system-specific but is usually lp or
+nobody.

+
+
+

CUPS 1.1.15LogFilePerm

+
+

Examples

+
+

+LogFilePerm 0644

+LogFilePerm 0600

+

+
+

Description

+
+

The LogFilePerm directive specifies the
+permissions to use when writing log files. The default
+is @CUPS_LOG_FILE_PERM@.

+
+
+

PageLog

+
+

Examples

+
+

+PageLog /var/log/cups/page_log

+PageLog /var/log/cups/page_log-%s

+PageLog syslog

+

+
+

Description

+
+

The PageLog directive sets the name of the page
+log file. If the filename is not absolute then it is assumed to
+be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default page log file is @CUPS_LOGDIR@/page_log.

+
+

The server name can be included in the filename by using
+%s in the name.

+
+

The special name "syslog" can be used to send the page
+information to the system log instead of a plain file.

+
+
+

Printcap

+
+

Examples

+
+

+Printcap

+Printcap /etc/printcap

+Printcap /etc/printers.conf

+Printcap /Library/Preferences/org.cups.printers.plist

+

+
+

Description

+
+

The Printcap directive controls whether or not a
+printcap file is automatically generated and updated with a list
+of available printers. If specified with no value, then no
+printcap file will be generated. The default is to generate a
+file named @CUPS_DEFAULT_PRINTCAP@.

+
+

When a filename is specified (e.g. @CUPS_DEFAULT_PRINTCAP@),
+the printcap file is written whenever a printer is added or
+removed. The printcap file can then be used by applications that
+are hardcoded to look at the printcap file for the available
+printers.

+
+
+

PrintcapFormat

+
+

Examples

+
+

+PrintcapFormat BSD

+PrintcapFormat Solaris

+PrintcapFormat plist

+

+
+

Description

+
+

The PrintcapFormat directive controls the output format of the
+printcap file. The default is to generate the plist format on OS X, the
+Solaris format on Solaris, and the BSD format on other operating systems.

+
+
+

CUPS 1.1.3RemoteRoot

+
+

Examples

+
+

+RemoteRoot remroot

+RemoteRoot root

+

+
+

Description

+
+

The RemoteRoot directive sets the username for
+unauthenticated root requests from remote hosts. The default
+username is remroot. Setting RemoteRoot
+to root effectively disables this security
+mechanism.

+
+
+

RequestRoot

+
+

Examples

+
+

+RequestRoot /var/spool/cups

+RequestRoot /foo/bar/spool/cups

+

+
+

Description

+
+

The RequestRoot directive sets the directory for
+incoming IPP requests and HTML forms. If an absolute path is not
+provided then it is assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default request directory is @CUPS_REQUESTS@.

+
+
+

ServerBin

+
+

Examples

+
+

+ServerBin /usr/lib/cups

+ServerBin /foo/bar/lib/cups

+

+
+

Description

+
+

The ServerBin directive sets the directory for
+server-run executables. If an absolute path is not provided then
+it is assumed to be relative to the <A
+HREF="#ServerRoot">ServerRoot directory. The
+default executable directory is /usr/lib/cups,
+/usr/lib32/cups, or /usr/libexec/cups
+depending on the operating system.

+
+
+

ServerCertificate

+
+

Examples

+
+

+ServerCertificate /etc/cups/ssl/server.crt

+

+
+

Description

+
+

The ServerCertificate directive specifies the
+location of the SSL certificate file used by the server when
+negotiating encrypted connections. The certificate must not be
+encrypted (password protected) since the scheduler normally runs
+in the background and will be unable to ask for a password.

+
+

The default certificate file is
+/etc/cups/ssl/server.crt.

+
+
+

ServerKey

+
+

Examples

+
+

+ServerKey /etc/cups/ssl/server.key

+

+
+

Description

+
+

The ServerKey directive specifies the location of
+the SSL private key file used by the server when negotiating
+encrypted connections.

+
+

The default key file is
+/etc/cups/ssl/server.crt.

+
+
+

ServerRoot

+
+

Examples

+
+

+ServerRoot /etc/cups

+ServerRoot /foo/bar/cups

+

+
+

Description

+
+

The ServerRoot directive specifies the absolute
+path to the server configuration and state files. It is also used
+to resolve relative paths in the cupsd.conf file. The
+default server directory is /etc/cups.

+
+
+

SystemGroup

+
+

Examples

+
+

+SystemGroup lpadmin

+SystemGroup sys

+SystemGroup system

+SystemGroup root

+SystemGroup root lpadmin

+

+
+

Description

+
+

The SystemGroup directive specifies the system
+administration group for System authentication.
+Multiple groups can be listed, separated with spaces. The default
+group list is @CUPS_SYSTEM_GROUPS@.

+
+
+

TempDir

+
+

Examples

+
+

+TempDir /var/tmp

+TempDir /foo/bar/tmp

+

+
+

Description

+
+

The TempDir directive specifies an absolute path
+for the directory to use for temporary files. The default
+directory is @CUPS_REQUESTS@/tmp.

+
+

Temporary directories must be world-writable and should have
+the "sticky" permission bit enabled so that other users cannot
+delete filter temporary files. The following commands will create
+an appropriate temporary directory called
+/foo/bar/tmp:

+
+

+mkdir /foo/bar/tmp

+chmod a+rwxt /foo/bar/tmp

+

+
+
+

User

+
+

Examples

+
+

+User lp

+User guest

+

+
+

Description

+
+

The User directive specifies the UNIX user that
+filter and CGI programs run as. The default user is
+@CUPS_USER@.

+
+

Note:
+
+

You may not use user root, as that would expose
+the system to unacceptable security risks. The scheduler will
+automatically choose user nobody if you specify a
+user whose ID is 0.

+
+

+
+
+
+
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/doc/help/ref-cupsd-conf.html.in cups/doc/help/ref-cupsd-conf.html.in
--- cups~/doc/help/ref-cupsd-conf.html.in 2012-12-07 13:00:48.000000000 +0100
+++ cups/doc/help/ref-cupsd-conf.html.in 2012-12-08 00:29:10.000000000 +0100
@@ -191,82 +191,6 @@
HREF="#Limit">Limit section.

-

DeprecatedAuthClass

-

Examples

-

-<Location /path>


...
AuthClass Anonymous
AuthClass User
AuthClass System
AuthClass Group

-</Location>

-

-

Description

-

The AuthClass directive defines what level of
-authentication is required:

-

• Anonymous - No authentication should be

- performed (default)

• User - A valid username and password is

- required

• System - A valid username and password
• is required, and the username must belong to the "sys"
• group; this can be changed using the <A
• HREF="#SystemGroup">SystemGroup

- directive

• Group - A valid username and password is
• required, and the username must belong to the group named
• by the <A
• HREF="#AuthGroupName">AuthGroupName

- directive

-

-

The AuthClass directive must appear inside a <A
-HREF="#Location">Location or <A

-HREF="#Limit">Limit section.

-

This directive is deprecated and will be removed from a
-future release of CUPS. Consider using the more flexible <A

-HREF="#Require">Require directive instead.

-

DeprecatedAuthGroupName

-

Examples

-

-<Location /path>


...
AuthGroupName mygroup
AuthGroupName lp

-</Location>

-

-

Description

-

The AuthGroupName directive sets the group to use

-for Group authentication.

-

The AuthGroupName directive must appear inside a
-Location or <A

-HREF="#Limit">Limit section.

-

This directive is deprecated and will be removed from a
-future release of CUPS. Consider using the more flexible <A

-HREF="#Require">Require directive instead.

AuthType

Examples

@@ -2494,65 +2418,6 @@
files as soon as each job is completed, canceled, or aborted.

-

Printcap

-

Examples

-

-Printcap

-Printcap /etc/printcap

-Printcap /etc/printers.conf

-Printcap /Library/Preferences/org.cups.printers.plist

-

-

Description

-

The Printcap directive controls whether or not a
-printcap file is automatically generated and updated with a list
-of available printers. If specified with no value, then no
-printcap file will be generated. The default is to generate a

-file named @CUPS_DEFAUL_PRINTCAP@.

-

When a filename is specified (e.g. @CUPS_DEFAULT_PRINTCAP@),
-the printcap file is written whenever a printer is added or
-removed. The printcap file can then be used by applications that
-are hardcoded to look at the printcap file for the available

-printers.

-

PrintcapFormat

-

Examples

-

-PrintcapFormat BSD

-PrintcapFormat Solaris

-PrintcapFormat plist

-

-

Description

-

The PrintcapFormat directive controls the output format of the
-printcap file. The default is to generate the plist format on Mac OS X, the

-Solaris format on Solaris, and the BSD format on other operating systems.

-

CUPS 1.1.13PrintcapGUI

-

Examples

-

-PrintGUI /usr/bin/glpoptions

-

-

Description

-

The PrintcapGUI directive sets the program to
-associate with the IRIX printer GUI interface script which is
-used by IRIX applications to display printer-specific options.

-There is no default program.

CUPS 1.1.21ReloadTimeout

Examples

@@ -2569,42 +2434,6 @@ before doing a restart. The default is 30 seconds.

-

CUPS 1.1.3RemoteRoot

-

Examples

-

-RemoteRoot remroot

-RemoteRoot root

-

-

Description

-

The RemoteRoot directive sets the username for
-unauthenticated root requests from remote hosts. The default
-username is remroot. Setting RemoteRoot
-to root effectively disables this security

-mechanism.

-

RequestRoot

-

Examples

-

-RequestRoot /var/spool/cups

-RequestRoot /foo/bar/spool/cups

-

-

Description

-

The RequestRoot directive sets the directory for
-incoming IPP requests and HTML forms. If an absolute path is not
-provided then it is assumed to be relative to the <A
-HREF="#ServerRoot">ServerRoot directory. The

-default request directory is @CUPS_REQUESTS@.

CUPS 1.1.7Require

Examples

@@ -2759,64 +2588,6 @@

-

ServerBin

-

Examples

-

-ServerBin /usr/lib/cups

-ServerBin /foo/bar/lib/cups

-

-

Description

-

The ServerBin directive sets the directory for
-server-run executables. If an absolute path is not provided then
-it is assumed to be relative to the <A
-HREF="#ServerRoot">ServerRoot directory. The
-default executable directory is /usr/lib/cups,
-/usr/lib32/cups, or /usr/libexec/cups

-depending on the operating system.

-

ServerCertificate

-

Examples

-

-ServerCertificate /etc/cups/ssl/server.crt

-

-

Description

-

The ServerCertificate directive specifies the
-location of the SSL certificate file used by the server when
-negotiating encrypted connections. The certificate must not be
-encrypted (password protected) since the scheduler normally runs

-in the background and will be unable to ask for a password.

-

The default certificate file is

-/etc/cups/ssl/server.crt.

-

ServerKey

-

Examples

-

-ServerKey /etc/cups/ssl/server.key

-

-

Description

-

The ServerKey directive specifies the location of
-the SSL private key file used by the server when negotiating

-encrypted connections.

-

The default key file is

-/etc/cups/ssl/server.crt.

ServerName

Examples

@@ -2833,23 +2604,6 @@ hostname.

-

ServerRoot

-

Examples

-

-ServerRoot /etc/cups

-ServerRoot /foo/bar/cups

-

-

Description

-

The ServerRoot directive specifies the absolute
-path to the server configuration and state files. It is also used
-to resolve relative paths in the cupsd.conf file. The

-default server directory is /etc/cups.

CUPS 1.1.21ServerTokens

Examples

@@ -2985,53 +2739,6 @@ can be specified to listen on multiple ports.

-

SystemGroup

-

Examples

-

-SystemGroup lpadmin

-SystemGroup sys

-SystemGroup system

-SystemGroup root

-SystemGroup root lpadmin

-

-

Description

-

The SystemGroup directive specifies the system
-administration group for System authentication.
-Multiple groups can be listed, separated with spaces. The default

-group list is @CUPS_SYSTEM_GROUPS@.

-

TempDir

-

Examples

-

-TempDir /var/tmp

-TempDir /foo/bar/tmp

-

-

Description

-

The TempDir directive specifies an absolute path
-for the directory to use for temporary files. The default

-directory is @CUPS_REQUESTS@/tmp.

-

Temporary directories must be world-writable and should have
-the "sticky" permission bit enabled so that other users cannot
-delete filter temporary files. The following commands will create
-an appropriate temporary directory called

-/foo/bar/tmp:

-

-mkdir /foo/bar/tmp

-chmod a+rwxt /foo/bar/tmp

-

Timeout

Examples

@@ -3048,52 +2755,5 @@ default timeout is 300 seconds.

-

CUPS 1.2/Mac OS X 10.5UseNetworkDefault

-

Examples

-

-UseNetworkDefault yes

-UseNetworkDefault no

-

-

Description

-

The UseNetworkDefault directive controls whether
-the client will use a network/remote printer as a default
-printer. If enabled, the default printer of a server is used as
-the default printer on a client. When multiple servers are
-advertising a default printer, the client's default printer is
-set to the first discovered printer, or to the implicit class for

-the same printer available from multiple servers.

-

The default is @CUPS_USE_NETWORK_DEFAULT@.

-

User

-

Examples

-

-User lp

-User guest

-

-

Description

-

The User directive specifies the UNIX user that
-filter and CGI programs run as. The default user is

-@CUPS_USER@.

-

Note:

-

You may not use user root, as that would expose
-the system to unacceptable security risks. The scheduler will
-automatically choose user nobody if you specify a

-user whose ID is 0.

-

diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/locale/cups_da.po cups/locale/cups_da.po --- cups~/locale/cups_da.po 2012-12-07 13:00:48.000000000 +0100 +++ cups/locale/cups_da.po 2012-12-08 01:01:31.675672771 +0100 @@ -2881,10 +2881,10 @@ #, c-format msgid "" "File device URIs have been disabled! To enable, see the FileDevice directive " -"in \"%s/cupsd.conf\"." +"in \"%s/cups-files.conf\"." msgstr "" "Arkivets enheds-URI'er er blevet slået fra! Du slår det til ved at se i " -"FileDevice-direktivet i \"%s/cupsd.conf\"." +"FileDevice-direktivet i \"%s/cups-files.conf\"."

msgid "Folio"
msgstr "8,5 x 13""
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/locale/cups_de.po cups/locale/cups_de.po
--- cups~/locale/cups_de.po 2012-12-07 13:00:48.000000000 +0100
+++ cups/locale/cups_de.po 2012-12-08 00:56:57.515682472 +0100
@@ -2909,10 +2909,10 @@
#, c-format
msgid ""
"File device URIs have been disabled! To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
+"in "%s/cups-files.conf"."
msgstr ""
"Dateigeräte-URIs wurden deaktiviert! Infos zum Aktivieren finden Sie im "
-"FileDevice-Verzeichnis unter �%s/cupsd.conf�."
+"FileDevice-Verzeichnis unter �%s/cups-files.conf�."

msgid "Folio"
msgstr "Folio"
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/locale/cups_es.po cups/locale/cups_es.po
--- cups~/locale/cups_es.po 2012-12-07 13:00:48.000000000 +0100
+++ cups/locale/cups_es.po 2012-12-08 00:57:31.903681255 +0100
@@ -2941,10 +2941,10 @@
#, c-format
msgid ""
"File device URIs have been disabled! To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
+"in "%s/cups-files.conf"."
msgstr ""
"Los URIs del dispositivo de archivo han sido deshabilitados. Para "
-"habilitarlos, vea la directiva FileDevice en "%s/cupsd.conf"."
+"habilitarlos, vea la directiva FileDevice en "%s/cups-files.conf"."

msgid "Folio"
msgstr "Folio"
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/locale/cups_eu.po cups/locale/cups_eu.po
--- cups~/locale/cups_eu.po 2012-12-07 13:00:48.000000000 +0100
+++ cups/locale/cups_eu.po 2012-12-08 00:58:35.175679014 +0100
@@ -3793,10 +3793,10 @@
#, c-format
msgid ""
"File device URIs have been disabled! To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
+"in "%s/cups-files.conf"."
msgstr ""
"Fitxategiaren gailuaren URIak desgaitu egin dira. Gaitzeko, ikus FileDevice "
-"direktiba "%s/cupsd.conf" fitxategian."
+"direktiba "%s/cups-files.conf" fitxategian."

#: ppdc/sample.c:92
msgid "Folio"
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/locale/cups_fi.po cups/locale/cups_fi.po
--- cups~/locale/cups_fi.po 2012-12-07 13:00:48.000000000 +0100
+++ cups/locale/cups_fi.po 2012-12-08 01:02:01.039671731 +0100
@@ -2886,10 +2886,10 @@
#, c-format
msgid ""
"File device URIs have been disabled! To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
+"in "%s/cups-files.conf"."
msgstr ""
"Tiedostolaitteiden osoitteet on poistettu käytöstä! Voit ottaa ne käyttöön �%"
-"s/cupsd.conf�-tiedoston FileDevice-säännöllä."
+"s/cups-files.conf�-tiedoston FileDevice-säännöllä."

msgid "Folio"
msgstr "Folio"
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/locale/cups_fr.po cups/locale/cups_fr.po
--- cups~/locale/cups_fr.po 2012-12-07 13:00:48.000000000 +0100
+++ cups/locale/cups_fr.po 2012-12-08 01:03:03.287669533 +0100
@@ -2925,10 +2925,10 @@
#, c-format
msgid ""
"File device URIs have been disabled! To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
+"in "%s/cups-files.conf"."
msgstr ""
"Les URI des périphériques de fichier ont été désactivés. Pour l�activer, "
-"reportez-vous à la directive FileDevice dans « %s/cupsd.conf »."
+"reportez-vous à la directive FileDevice dans « %s/cups-files.conf »."

msgid "Folio"
msgstr "Folio"
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/locale/cups_id.po cups/locale/cups_id.po
--- cups~/locale/cups_id.po 2012-12-07 13:00:48.000000000 +0100
+++ cups/locale/cups_id.po 2012-12-08 01:03:26.919668695 +0100
@@ -3712,10 +3712,10 @@
#, c-format
msgid ""
"File device URIs have been disabled! To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
+"in "%s/cups-files.conf"."
msgstr ""
"Berkas URI perangkat telah dinonaktifkan! Untuk mengaktifkannya, lihatlah "
-"petunjuk FileDevice dalam "%s/cupsd.conf"."
+"petunjuk FileDevice dalam "%s/cups-files.conf"."

#: ppdc/sample.c:92
msgid "Folio"
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/locale/cups_it.po cups/locale/cups_it.po
--- cups~/locale/cups_it.po 2012-12-07 13:00:48.000000000 +0100
+++ cups/locale/cups_it.po 2012-12-08 01:04:46.011665881 +0100
@@ -2819,8 +2819,8 @@
msgstr "Cartella documento: 9/16 x 3 7/16""

#, c-format
-msgid "File device URIs have been disabled! To enable, see the FileDevice directive in "%s/cupsd.conf"."
-msgstr "Gli URI del dispositivo documento sono stati disabilitati! Per abilitarli, consulta l'istruzione del FileDevice in "%s/cupsd.conf"."
+msgid "File device URIs have been disabled! To enable, see the FileDevice directive in "%s/cups-files.conf"."
+msgstr "Gli URI del dispositivo documento sono stati disabilitati! Per abilitarli, consulta l'istruzione del FileDevice in "%s/cups-files.conf"."

msgid "Folio"
msgstr "Foglio"
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/locale/cups_ja.po cups/locale/cups_ja.po
--- cups~/locale/cups_ja.po 2012-12-07 13:00:48.000000000 +0100
+++ cups/locale/cups_ja.po 2012-12-08 01:05:34.883664166 +0100
@@ -2867,8 +2867,8 @@
msgstr "��������� - 9/16 x 3 7/16""

#, c-format
-msgid "File device URIs have been disabled! To enable, see the FileDevice directive in "%s/cupsd.conf"."
-msgstr "�������� URI ����������! ��������"%s/cupsd.conf" � FileDevice �����������������"
+msgid "File device URIs have been disabled! To enable, see the FileDevice directive in "%s/cups-files.conf"."
+msgstr "�������� URI ����������! ��������"%s/cups-files.conf" � FileDevice �����������������"

msgid "Folio"
msgstr "����"
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/locale/cups_ko.po cups/locale/cups_ko.po
--- cups~/locale/cups_ko.po 2012-12-07 13:00:48.000000000 +0100
+++ cups/locale/cups_ko.po 2012-12-08 01:06:35.647662090 +0100
@@ -2866,9 +2866,9 @@
#, c-format
msgid ""
"File device URIs have been disabled! To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
+"in "%s/cups-files.conf"."
msgstr ""
-"�� �� URI� ���������! ����려면, "%s/cupsd.conf"� �� "
+"�� �� URI� ���������! ����려면, "%s/cups-files.conf"� �� "
"FileDevice ��문� 보���."

msgid "Folio"
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/locale/cups_nl.po cups/locale/cups_nl.po
--- cups~/locale/cups_nl.po 2012-12-07 13:00:48.000000000 +0100
+++ cups/locale/cups_nl.po 2012-12-08 01:07:07.987660903 +0100
@@ -2910,10 +2910,10 @@
#, c-format
msgid ""
"File device URIs have been disabled! To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
+"in "%s/cups-files.conf"."
msgstr ""
"File device-URI&aops;s zijn uitgeschakeld! Raadpleeg als u de URI&aops;s "
-"weer wilt inschakelen de richtlijn voor FileDevice in "%s/cupsd.conf"."
+"weer wilt inschakelen de richtlijn voor FileDevice in "%s/cups-files.conf"."

msgid "Folio"
msgstr "Folio"
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/locale/cups_no.po cups/locale/cups_no.po
--- cups~/locale/cups_no.po 2012-12-07 13:00:48.000000000 +0100
+++ cups/locale/cups_no.po 2012-12-08 01:07:18.003660528 +0100
@@ -2871,10 +2871,10 @@
#, c-format
msgid ""
"File device URIs have been disabled! To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
+"in "%s/cups-files.conf"."
msgstr ""
"Enhets-URIer for filer er deaktivert! Hvis du vil aktivere funksjonen, leser "
-"du FileDevice-direktivet i «%s/cupsd.conf»."
+"du FileDevice-direktivet i «%s/cups-files.conf»."

msgid "Folio"
msgstr "Folio"
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/locale/cups_pl.po cups/locale/cups_pl.po
--- cups~/locale/cups_pl.po 2012-12-07 13:00:48.000000000 +0100
+++ cups/locale/cups_pl.po 2012-12-08 01:07:24.747660332 +0100
@@ -2895,10 +2895,10 @@
#, c-format
msgid ""
"File device URIs have been disabled! To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
+"in "%s/cups-files.conf"."
msgstr ""
"URI pliku urz�dzenia zosta�o wy��czone! Aby w��czy�, zobacz dyrektyw� "
-"FileDevice w "%s/cupsd.conf"."
+"FileDevice w "%s/cups-files.conf"."

msgid "Folio"
msgstr "Folio"
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/locale/cups_pt.po cups/locale/cups_pt.po
--- cups~/locale/cups_pt.po 2012-12-07 13:00:48.000000000 +0100
+++ cups/locale/cups_pt.po 2012-12-08 01:07:37.875659840 +0100
@@ -2897,10 +2897,10 @@
#, c-format
msgid ""
"File device URIs have been disabled! To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
+"in "%s/cups-files.conf"."
msgstr ""
"URIs do periférico do ficheiro foram desactivados! Para activar, consulte a "
-"directiva FileDevice em "%s/cupsd.conf"."
+"directiva FileDevice em "%s/cups-files.conf"."

msgid "Folio"
msgstr "Fólio"
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/locale/cups_pt_BR.po cups/locale/cups_pt_BR.po
--- cups~/locale/cups_pt_BR.po 2012-12-07 13:00:48.000000000 +0100
+++ cups/locale/cups_pt_BR.po 2012-12-08 01:07:31.707660026 +0100
@@ -2904,10 +2904,10 @@
#, c-format
msgid ""
"File device URIs have been disabled! To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
+"in "%s/cups-files.conf"."
msgstr ""
"URIs de dispositivo de arquivo foram desativados! Para ativá-los, consulte a "
-"diretiva FileDevice em "%s/cupsd.conf"."
+"diretiva FileDevice em "%s/cups-files.conf"."

msgid "Folio"
msgstr "Fólio"
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/locale/cups_ru.po cups/locale/cups_ru.po
--- cups~/locale/cups_ru.po 2012-12-07 13:00:48.000000000 +0100
+++ cups/locale/cups_ru.po 2012-12-08 01:07:51.439659296 +0100
@@ -2884,10 +2884,10 @@
#, c-format
msgid ""
"File device URIs have been disabled! To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
+"in "%s/cups-files.conf"."
msgstr ""
"URI-ад�е�а �айлового ����ой��ва о�кл��ен�! Ч�об� вкл��и�� и�, и�пол�з�й�е "
-"ди�ек�ив� FileDevice в «%s/cupsd.conf»."
+"ди�ек�ив� FileDevice в «%s/cups-files.conf»."

msgid "Folio"
msgstr "Фолио"
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/locale/cups_sv.po cups/locale/cups_sv.po
--- cups~/locale/cups_sv.po 2012-12-07 13:00:48.000000000 +0100
+++ cups/locale/cups_sv.po 2012-12-08 01:07:58.247659102 +0100
@@ -2875,10 +2875,10 @@
#, c-format
msgid ""
"File device URIs have been disabled! To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
+"in "%s/cups-files.conf"."
msgstr ""
"Filenhets URI:er har blivit avaktiverade! För att aktivera, se direktivet "
-"FileDevice i "%s/cupsd.conf"."
+"FileDevice i "%s/cups-files.conf"."

msgid "Folio"
msgstr "Folio"
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/locale/cups_zh.po cups/locale/cups_zh.po
--- cups~/locale/cups_zh.po 2012-12-07 13:00:48.000000000 +0100
+++ cups/locale/cups_zh.po 2012-12-08 01:08:56.791657022 +0100
@@ -2844,9 +2844,9 @@
#, c-format
msgid ""
"File device URIs have been disabled! To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
+"in "%s/cups-files.conf"."
msgstr ""
-"�件设� URI 已被�������请���%s/cupsd.conf�中� FileDevice �令�"
+"�件设� URI 已被�������请���%s/cups-files.conf�中� FileDevice �令�"

msgid "Folio"
msgstr "对��"
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/locale/cups_zh_TW.po cups/locale/cups_zh_TW.po
--- cups~/locale/cups_zh_TW.po 2012-12-07 13:00:48.000000000 +0100
+++ cups/locale/cups_zh_TW.po 2012-12-08 01:09:07.407656652 +0100
@@ -2845,9 +2845,9 @@
#, c-format
msgid ""
"File device URIs have been disabled! To enable, see the FileDevice directive "
-"in "%s/cupsd.conf"."
+"in "%s/cups-files.conf"."
msgstr ""
-"已����設� URI����������%s/cupsd.conf�中� FileDevice �示�"
+"已����設� URI����������%s/cups-files.conf�中� FileDevice �示�"

msgid "Folio"
msgstr "���"
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/man/Makefile cups/man/Makefile
--- cups~/man/Makefile 2012-12-08 00:29:09.000000000 +0100
+++ cups/man/Makefile 2012-12-08 00:29:10.000000000 +0100
@@ -39,6 +39,7 @@
ppdpo.$(MAN1EXT)
MAN5 = classes.conf.$(MAN5EXT)
client.conf.$(MAN5EXT) \

•   cups-files.conf.$(MAN5EXT) \
  cups-snmp.conf.$(MAN5EXT) \
  cupsd.conf.$(MAN5EXT) \
  mailto.conf.$(MAN5EXT) \
  

  diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/man/cups-files.conf.man.in cups/man/cups-files.conf.man.in
  --- cups~/man/cups-files.conf.man.in 1970-01-01 01:00:00.000000000 +0100
  +++ cups/man/cups-files.conf.man.in 2012-12-08 00:29:10.000000000 +0100
  @@ -0,0 +1,146 @@
  +."
  +." "$Id$"
  +."
  +." cupsd.conf man page for CUPS.
  +."
  +." Copyright 2007-2012 by Apple Inc.
  +." Copyright 1997-2006 by Easy Software Products.
  +."
  +." These coded instructions, statements, and computer programs are the
  +." property of Apple Inc. and are protected by Federal copyright
  +." law. Distribution and use rights are outlined in the file "LICENSE.txt"
  +." which should have been included with this file. If this file is
  +." file is missing or damaged, see the license at "http://www.cups.org/".
  +."
  +.TH cups-files.conf 5 "CUPS" "19 November 2012" "Apple Inc."
  +.SH NAME
  +cups-files.conf - file and directory configuration file for cups
  +.SH DESCRIPTION
  +The \fIcups-file.conf\fR file configures the files and directories used by the
  +CUPS scheduler, \fIcupsd(8)\fR. It is normally located in the
  +\fI@CUPS_SERVERROOT@\fR directory.
  +.LP
  +Each line in the file can be a configuration directive, a blank line,
  +or a comment. Comment lines start with the # character.
  +.SH DIRECTIVES
  +The following directives are understood by \fIcupsd(8)\fR. Consult the
  +on-line help for detailed descriptions:
  +.TP 5
  +AccessLog filename
  +.TP 5
  +AccessLog syslog
  +.br
  +Defines the access log filename.
  +.TP 5
  +ConfigFilePerm mode
  +.br
  +Specifies the permissions for all configuration files that the scheduler
  +writes.
  +.TP 5
  +DataDir path
  +.br
  +Specified the directory where data files can be found.
  +.TP 5
  +DocumentRoot directory
  +.br
  +Specifies the root directory for the internal web server documents.
  +.TP 5
  +ErrorLog filename
  +.TP 5
  +ErrorLog syslog
  +.br
  +Specifies the error log filename.
  +.TP 5
  +FatalErrors none
  +.TP 5
  +FatalErrors all -kind [... -kind]
  +.TP 5
  +FatalErrors kind [... kind]
  +.br
  +Specifies which errors are fatal, causing the scheduler to exit. "Kind" is
  +"browse", "config", "listen", "log", or "permissions".
  +.TP 5
  +FileDevice Yes
  +.TP 5
  +FileDevice No
  +.br
  +Specifies whether the file pseudo-device can be used for new
  +printer queues.
  +.TP 5
  +FontPath directory[:directory:...]
  +.br
  +Specifies the search path for fonts.
  +.TP 5
  +Group group-name-or-number
  +.br
  +Specifies the group name or ID that will be used when executing
  +external programs.
  +.TP 5
  +LogFilePerm mode
  +.br
  +Specifies the permissions for all log files that the scheduler writes.
  +.TP 5
  +PageLog filename
  +.TP 5
  +PageLog syslog
  +.br
  +Specifies the page log filename.
  +.TP 5
  +Printcap
  +.TP 5
  +Printcap filename
  +.br
  +Specifies the filename for a printcap file that is updated
  +automatically with a list of available printers (needed for
  +legacy applications); specifying Printcap with no filename
  +disables printcap generation.
  +.TP 5
  +RemoteRoot user-name
  +.br
  +Specifies the username that is associated with unauthenticated root
  +accesses.
  +.TP 5
  +RequestRoot directory
  +.br
  +Specifies the directory to store print jobs and other HTTP request
  +data.
  +.TP 5
  +ServerBin directory
  +.br
  +Specifies the directory where backends, CGIs, daemons, and filters may
  +be found.
  +.TP 5
  +ServerCertificate filename
  +.br
  +Specifies the encryption certificate to use.
  +.TP 5
  +ServerKey filename
  +.br
  +Specifies the encryption key to use.
  +.TP 5
  +ServerRoot directory
  +.br
  +Specifies the directory where the server configuration files can be found.
  +.TP 5
  +SystemGroup group-name [group-name ...]
  +.br
  +Specifies the group(s) to use for System class authentication.
  +.TP 5
  +TempDir directory
  +.br
  +Specifies the directory where temporary files are stored.
  +.TP 5
  +User user-name
  +.br
  +Specifies the user name or ID that is used when running external programs.
  +.SH SEE ALSO
  +\fIclasses.conf(5)\fR, \fIcupsd(8)\fR, \fIcupsd.conf(5)\fR, \fImime.convs(5)\fR,
  +\fImime.types(5)\fR, \fIprinters.conf(5)\fR,
  +\fIsubscriptions.conf(5)\fR,
  +.br
  +http://localhost:631/help
  +.SH COPYRIGHT
  +Copyright 2007-2012 by Apple Inc.
  +."
  +." End of "$Id$".
  +."
  diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/man/cupsd.conf.man.in cups/man/cupsd.conf.man.in
  --- cups~/man/cupsd.conf.man.in 2012-12-07 13:00:48.000000000 +0100
  +++ cups/man/cupsd.conf.man.in 2012-12-08 00:29:10.000000000 +0100
  @@ -12,13 +12,16 @@
  ." which should have been included with this file. If this file is
  ." file is missing or damaged, see the license at "http://www.cups.org/".
  ."
  -.TH cupsd.conf 5 "CUPS" "28 January 2010" "Apple Inc."
  +.TH cupsd.conf 5 "CUPS" "19 November 2012" "Apple Inc."
  .SH NAME
  cupsd.conf - server configuration file for cups
  .SH DESCRIPTION
  The \fIcupsd.conf\fR file configures the CUPS scheduler, \fIcupsd(8)\fR. It
  -is normally located in the \fI@CUPS_SERVERROOT@\fR directory.
  -.LP
  +is normally located in the \fI@CUPS_SERVERROOT@\fR directory. \fBNote:\fR
  +File, directory, and user configuration directives that used to be allowed in
  +the \fIcupsd.conf\fR file are now stored in the \fIcups-files.conf(5)\fR instead
  +in order to prevent certain types of privilege escalation attacks.
  +LP
  Each line in the file can be a configuration directive, a blank line,
  or a comment. Comment lines start with the # character. The
  configuration directives are intentionally similar to those used by the
  @@ -27,12 +30,6 @@
  The following directives are understood by \fIcupsd(8)\fR. Consult the
  on-line help for detailed descriptions:
  .TP 5
  -AccessLog filename
  -.TP 5
  -AccessLog syslog
  -.br
  -Defines the access log filename.
  -.TP 5
  AccessLogLevel config
  .TP 5
  AccessLogLevel actions
  @@ -61,20 +58,6 @@
  .br
  Allows access from the named hosts or addresses.
  .TP 5
  -AuthClass User
  -.TP 5
  -AuthClass Group
  -.TP 5
  -AuthClass System
  -.br
  -Specifies the authentication class (User, Group, System) -
  -\fBthis directive is deprecated\fR.
  -.TP 5
  -AuthGroupName group-name
  -.br
  -Specifies the authentication group - \fBthis directive is
  -deprecated\fR.
  -.TP 5
  AuthType None
  .TP 5
  AuthType Basic
  @@ -220,7 +203,7 @@
  .TP 5
  Browsing No
  .br
  -Specifies whether or not remote printer browsing should be enabled.
  +Specifies whether or not shared printers should be advertised.
  .TP 5
  Classification banner
  .br
  @@ -233,15 +216,6 @@
  Specifies whether to allow users to override the classification
  of individual print jobs.
  .TP 5
  -ConfigFilePerm mode
  -.br
  -Specifies the permissions for all configuration files that the scheduler
  -writes.
  -.TP 5
  -DataDir path
  -.br
  -Specified the directory where data files can be found.
  -.TP 5
  DefaultAuthType Basic
  .TP 5
  DefaultAuthType BasicDigest
  @@ -309,10 +283,6 @@
  causes the update to happen as soon as possible, typically within a few
  milliseconds.
  .TP 5
  -DocumentRoot directory
  -.br
  -Specifies the root directory for the internal web server documents.
  -.TP 5
  Encryption IfRequested
  .TP 5
  Encryption Never
  @@ -322,28 +292,6 @@
  Specifies the level of encryption that is required for a particular
  location.
  .TP 5
  -ErrorLog filename
  -.TP 5
  -ErrorLog syslog
  -.br
  -Specifies the error log filename.
  -.TP 5
  -FatalErrors none
  -.TP 5
  -FatalErrors all -kind [... -kind]
  -.TP 5
  -FatalErrors kind [... kind]
  -.br
  -Specifies which errors are fatal, causing the scheduler to exit. "Kind" is
  -"browse", "config", "listen", "log", or "permissions".
  -.TP 5
  -FileDevice Yes
  -.TP 5
  -FileDevice No
  -.br
  -Specifies whether the file pseudo-device can be used for new
  -printer queues.
  -.TP 5
  FilterLimit limit
  .br
  Specifies the maximum cost of filters that are run concurrently.
  @@ -449,10 +397,6 @@
  Specifies the number of debugging messages that are logged when an error
  occurs in a print job.
  .TP 5
  -LogFilePerm mode
  -.br
  -Specifies the permissions for all log files that the scheduler writes.
  -.TP 5
  LogLevel alert
  .TP 5
  LogLevel crit
  @@ -526,12 +470,6 @@
  .br
  Specifies the order of HTTP access control (allow,deny or deny,allow)
  .TP 5
  -PageLog filename
  -.TP 5
  -PageLog syslog
  -.br
  -Specifies the page log filename.
  -.TP 5
  PageLogFormat format string
  .br
  Specifies the format of page log lines.
  @@ -561,15 +499,6 @@
  Specifies whether or not to preserve the job history after they are
  printed.
  .TP 5
  -Printcap
  -.TP 5
  -Printcap filename
  -.br
  -Specifies the filename for a printcap file that is updated
  -automatically with a list of available printers (needed for
  -legacy applications); specifying Printcap with no filename
  -disables printcap generation.
  -.TP 5
  PrintcapFormat bsd
  .TP 5
  PrintcapFormat plist
  @@ -578,29 +507,11 @@
  .br
  Specifies the format of the printcap file.
  .TP 5
  -PrintcapGUI
  -.TP 5
  -PrintcapGUI gui-program-filename
  -.br
  -Specifies whether to generate option panel definition files on
  -some operating systems. When provided with no program filename,
  -disables option panel definition files.
  -.TP 5
  ReloadTimeout seconds
  .br
  Specifies the amount of time to wait for job completion before
  restarting the scheduler.
  .TP 5
  -RemoteRoot user-name
  -.br
  -Specifies the username that is associated with unauthenticated root
  -accesses.
  -.TP 5
  -RequestRoot directory
  -.br
  -Specifies the directory to store print jobs and other HTTP request
  -data.
  -.TP 5
  Require group group-name-list
  .TP 5
  Require user user-name-list
  @@ -630,27 +541,10 @@
  Specifies an alternate name that the server is known by. The special name "*"
  allows any name to be used.
  .TP 5
  -ServerBin directory
  -.br
  -Specifies the directory where backends, CGIs, daemons, and filters may
  -be found.
  -.TP 5
  -ServerCertificate filename
  -.br
  -Specifies the encryption certificate to use.
  -.TP 5
  -ServerKey filename
  -.br
  -Specifies the encryption key to use.
  -.TP 5
  ServerName hostname-or-ip-address
  .br
  Specifies the fully-qualified hostname of the server.
  .TP 5
  -ServerRoot directory
  -.br
  -Specifies the directory where the server configuration files can be found.
  -.TP 5
  ServerTokens Full
  .TP 5
  ServerTokens Major
  @@ -686,14 +580,6 @@
  .br
  Listens on the specified port for encrypted connections.
  .TP 5
  -SystemGroup group-name [group-name ...]
  -.br
  -Specifies the group(s) to use for System class authentication.
  -.TP 5
  -TempDir directory
  -.br
  -Specifies the directory where temporary files are stored.
  -.TP 5
  Timeout seconds
  .br
  Specifies the HTTP request timeout in seconds.
  @@ -702,7 +588,7 @@
  .br
  Specifies the user name or ID that is used when running external programs.
  .SH SEE ALSO
  -\fIclasses.conf(5)\fR, \fIcupsd(8)\fR, \fImime.convs(5)\fR,
  +\fIclasses.conf(5)\fR, \fIcups-files.conf(8)\fR, \fIcupsd(8)\fR, \fImime.convs(5)\fR,
  \fImime.types(5)\fR, \fIprinters.conf(5)\fR,
  \fIsubscriptions.conf(5)\fR,
  .br
  diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/scheduler/client.c cups/scheduler/client.c
  --- cups~/scheduler/client.c 2012-12-08 00:29:09.000000000 +0100
  +++ cups/scheduler/client.c 2012-12-08 00:29:10.000000000 +0100
  @@ -35,7 +35,7 @@

  • get_cdsa_certificate() - Get a SSL/TLS certificate from the System

  •                        keychain.
    

  • get_file() - Get a filename and state info.

• * install_conf_file() - Install a configuration file.

• • install_cupsd_conf() - Install a configuration file.
  • is_cgi() - Is the resource a CGI script/program?
  • is_path_absolute() - Is a path absolute and free of relative elements

  •                        (i.e. "..").
    

    @@ -102,7 +102,7 @@
    #endif /* HAVE_CDSASSL */
    static char *get_file(cupsd_client_t *con, struct stat *filestats,
    char *filename, int len);
    -static http_status_t install_conf_file(cupsd_client_t *con);
    +static http_status_t install_cupsd_conf(cupsd_client_t *con);
    static int is_cgi(cupsd_client_t *con, const char *filename,
    struct stat *filestats, mime_type_t *type);
    static int is_path_absolute(const char *path);
    @@ -1691,17 +1691,14 @@
    • Validate the resource name...
      */

•        if (strncmp(con->uri, "/admin/conf/", 12) ||
  

•       strchr(con->uri + 12, '/') ||
  

•   strlen(con->uri) == 12)
  

•        if (strcmp(con->uri, "/admin/conf/cupsd.conf"))
  {
   /*
  

•     \* PUT can only be done to configuration files under
  

•     \* /admin/conf...
  

•     * PUT can only be done to the cupsd.conf file...
    */
  
    cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "Request for subdirectory \"%s\"!", con->uri);
  

•                          "Disallowed PUT request for \"%s\"!", con->uri);
  
    if (!cupsdSendError(con, HTTP_FORBIDDEN, CUPSD_AUTH_NONE))
    {
  

  @@ -2019,7 +2016,7 @@

  • Install the configuration file...

[michaelrsweet]

  */

•      status = install_conf_file(con);
  

•      status = install_cupsd_conf(con);
  
    /*
  

  • Return the status to the client...
    @@ -3685,11 +3682,11 @@

  /*

• * 'install_conf_file()' - Install a configuration file.

• • 'install_cupsd_conf()' - Install a configuration file.
    */

  static http_status_t /* O - Status /
  -install_conf_file(cupsd_client_t *con) / I - Connection /
  +install_cupsd_conf(cupsd_client_t *con) / I - Connection /
  {
  cups_file_t *in, / Input file /
  *out; / Output file */
  @@ -3705,9 +3702,9 @@

  • First construct the filenames...
    */

• snprintf(conffile, sizeof(conffile), "%s%s", ServerRoot, con->uri + 11);

• snprintf(newfile, sizeof(newfile), "%s%s.N", ServerRoot, con->uri + 11);

• snprintf(oldfile, sizeof(oldfile), "%s%s.O", ServerRoot, con->uri + 11);

• snprintf(conffile, sizeof(conffile), "%s/cupsd.conf", ServerRoot);

• snprintf(newfile, sizeof(newfile), "%s/cupsd.conf.N", ServerRoot);

• snprintf(oldfile, sizeof(oldfile), "%s/cupsd.conf.O", ServerRoot);

cupsdLogMessage(CUPSD_LOG_INFO, "Installing config file "%s"...", conffile);

@@ -3829,14 +3826,10 @@
}

/*

• * If the cupsd.conf file was updated, set the NeedReload flag...
• • Set the NeedReload flag...
    */
• if (!strcmp(con->uri, "/admin/conf/cupsd.conf"))
• NeedReload = RELOAD_CUPSD;
• else

- NeedReload = RELOAD_ALL;

• NeedReload = RELOAD_CUPSD;
  ReloadTime = time(NULL);

/*
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/scheduler/conf.c cups/scheduler/conf.c
--- cups~/scheduler/conf.c 2012-12-08 00:29:09.000000000 +0100
+++ cups/scheduler/conf.c 2012-12-08 00:49:29.747698308 +0100
@@ -26,7 +26,9 @@

• parse_fatal_errors() - Parse FatalErrors values in a string.
• parse_groups() - Parse system group names in a string.
• parse_protocols() - Parse browse protocols in a string.
• * read_configuration() - Read a configuration file.
• * parse_variable() - Parse a variable line.
• * read_cupsd_conf() - Read the cupsd.conf configuration file.
• * read_cups_files_conf() - Read the cups-files.conf configuration file.
  • read_location() - Read a definition.
  • read_policy() - Read a definition.
    */
    @@ -79,9 +81,8 @@
  • Local globals...
    */

-static const cupsd_var_t variables[] =
+static const cupsd_var_t cupsd_vars[] =
{

• { "AccessLog", &AccessLog, CUPSD_VARTYPE_STRING },
  #ifdef APPLE
  { "AppleQuotas", &AppleQuotas, CUPSD_VARTYPE_BOOLEAN },
  #endif /* APPLE */
  @@ -103,24 +104,17 @@
  { "BrowseTimeout", &BrowseTimeout, CUPSD_VARTYPE_INTEGER },
  { "BrowseWebIF", &BrowseWebIF, CUPSD_VARTYPE_BOOLEAN },
  { "Browsing", &Browsing, CUPSD_VARTYPE_BOOLEAN },
• { "CacheDir", &CacheDir, CUPSD_VARTYPE_STRING },
  { "Classification", &Classification, CUPSD_VARTYPE_STRING },
  { "ClassifyOverride", &ClassifyOverride, CUPSD_VARTYPE_BOOLEAN },
• { "ConfigFilePerm", &ConfigFilePerm, CUPSD_VARTYPE_INTEGER },
• { "DataDir", &DataDir, CUPSD_VARTYPE_STRING },
  { "DefaultLanguage", &DefaultLanguage, CUPSD_VARTYPE_STRING },
  { "DefaultLeaseDuration", &DefaultLeaseDuration, CUPSD_VARTYPE_INTEGER },
  { "DefaultPaperSize", &DefaultPaperSize, CUPSD_VARTYPE_STRING },
  { "DefaultPolicy", &DefaultPolicy, CUPSD_VARTYPE_STRING },
  { "DefaultShared", &DefaultShared, CUPSD_VARTYPE_BOOLEAN },
  { "DirtyCleanInterval", &DirtyCleanInterval, CUPSD_VARTYPE_INTEGER },
• { "DocumentRoot", &DocumentRoot, CUPSD_VARTYPE_STRING },
• { "ErrorLog", &ErrorLog, CUPSD_VARTYPE_STRING },
  { "ErrorPolicy", &ErrorPolicy, CUPSD_VARTYPE_STRING },
• { "FileDevice", &FileDevice, CUPSD_VARTYPE_BOOLEAN },
  { "FilterLimit", &FilterLimit, CUPSD_VARTYPE_INTEGER },
  { "FilterNice", &FilterNice, CUPSD_VARTYPE_INTEGER },
• { "FontPath", &FontPath, CUPSD_VARTYPE_STRING },
  { "HideImplicitMembers", &HideImplicitMembers, CUPSD_VARTYPE_BOOLEAN },
  { "ImplicitClasses", &ImplicitClasses, CUPSD_VARTYPE_BOOLEAN },
  { "ImplicitAnyClasses", &ImplicitAnyClasses, CUPSD_VARTYPE_BOOLEAN },
  @@ -135,8 +129,6 @@
  { "LimitRequestBody", &MaxRequestSize, CUPSD_VARTYPE_INTEGER },
  { "ListenBackLog", &ListenBackLog, CUPSD_VARTYPE_INTEGER },
  { "LogDebugHistory", &LogDebugHistory, CUPSD_VARTYPE_INTEGER },
• { "LogFilePerm", &LogFilePerm, CUPSD_VARTYPE_INTEGER },
• { "LPDConfigFile", &LPDConfigFile, CUPSD_VARTYPE_STRING },
  { "MaxActiveJobs", &MaxActiveJobs, CUPSD_VARTYPE_INTEGER },
  { "MaxClients", &MaxClients, CUPSD_VARTYPE_INTEGER },
  { "MaxClientsPerHost", &MaxClientsPerHost, CUPSD_VARTYPE_INTEGER },
  @@ -154,18 +146,34 @@
  { "MaxSubscriptionsPerPrinter",&MaxSubscriptionsPerPrinter, CUPSD_VARTYPE_INTEGER },
  { "MaxSubscriptionsPerUser", &MaxSubscriptionsPerUser, CUPSD_VARTYPE_INTEGER },
  { "MultipleOperationTimeout", &MultipleOperationTimeout, CUPSD_VARTYPE_INTEGER },
• { "PageLog", &PageLog, CUPSD_VARTYPE_STRING },
  { "PageLogFormat", &PageLogFormat, CUPSD_VARTYPE_STRING },
  { "PreserveJobFiles", &JobFiles, CUPSD_VARTYPE_BOOLEAN },
  { "PreserveJobHistory", &JobHistory, CUPSD_VARTYPE_BOOLEAN },
• { "Printcap", &Printcap, CUPSD_VARTYPE_STRING },
• { "PrintcapGUI", &PrintcapGUI, CUPSD_VARTYPE_STRING },
  { "ReloadTimeout", &ReloadTimeout, CUPSD_VARTYPE_INTEGER },
• { "RemoteRoot", &RemoteRoot, CUPSD_VARTYPE_STRING },
• { "RequestRoot", &RequestRoot, CUPSD_VARTYPE_STRING },
  { "RIPCache", &RIPCache, CUPSD_VARTYPE_STRING },
  { "RootCertDuration", &RootCertDuration, CUPSD_VARTYPE_INTEGER },
  { "ServerAdmin", &ServerAdmin, CUPSD_VARTYPE_STRING },
• { "ServerName", &ServerName, CUPSD_VARTYPE_STRING },
• { "Timeout", &Timeout, CUPSD_VARTYPE_INTEGER },
• { "UseNetworkDefault", &UseNetworkDefault, CUPSD_VARTYPE_BOOLEAN }
  +};
  +static const cupsd_var_t cupsfiles_vars[] =
  +{
• { "AccessLog", &AccessLog, CUPSD_VARTYPE_STRING },
• { "CacheDir", &CacheDir, CUPSD_VARTYPE_STRING },
• { "ConfigFilePerm", &ConfigFilePerm, CUPSD_VARTYPE_INTEGER },
• { "DataDir", &DataDir, CUPSD_VARTYPE_STRING },
• { "DocumentRoot", &DocumentRoot, CUPSD_VARTYPE_STRING },
• { "ErrorLog", &ErrorLog, CUPSD_VARTYPE_STRING },
• { "FileDevice", &FileDevice, CUPSD_VARTYPE_BOOLEAN },
• { "FontPath", &FontPath, CUPSD_VARTYPE_STRING },
• { "LogFilePerm", &LogFilePerm, CUPSD_VARTYPE_INTEGER },
• { "LPDConfigFile", &LPDConfigFile, CUPSD_VARTYPE_STRING },
• { "PageLog", &PageLog, CUPSD_VARTYPE_STRING },
• { "Printcap", &Printcap, CUPSD_VARTYPE_STRING },
• { "PrintcapGUI", &PrintcapGUI, CUPSD_VARTYPE_STRING },
• { "RemoteRoot", &RemoteRoot, CUPSD_VARTYPE_STRING },
• { "RequestRoot", &RequestRoot, CUPSD_VARTYPE_STRING },
  { "ServerBin", &ServerBin, CUPSD_VARTYPE_PATHNAME },
  #ifdef HAVE_SSL
  { "ServerCertificate", &ServerCertificate, CUPSD_VARTYPE_PATHNAME },
  @@ -173,7 +181,6 @@
  { "ServerKey", &ServerKey, CUPSD_VARTYPE_PATHNAME },

endif /* HAVE_LIBSSL || HAVE_GNUTLS _/

#endif /_ HAVE_SSL */

• { "ServerName", &ServerName, CUPSD_VARTYPE_STRING },
  { "ServerRoot", &ServerRoot, CUPSD_VARTYPE_PATHNAME },
  { "SMBConfigFile", &SMBConfigFile, CUPSD_VARTYPE_STRING },
  { "StateDir", &StateDir, CUPSD_VARTYPE_STRING },
  @@ -181,12 +188,8 @@
  { "SystemGroupAuthKey", &SystemGroupAuthKey, CUPSD_VARTYPE_STRING },
  #endif /* HAVE_AUTHORIZATION_H */
  { "TempDir", &TempDir, CUPSD_VARTYPE_PATHNAME },
• { "Timeout", &Timeout, CUPSD_VARTYPE_INTEGER },
• { "UseNetworkDefault", &UseNetworkDefault, CUPSD_VARTYPE_BOOLEAN },
  { "PidFile", &PidFile, CUPSD_VARTYPE_STRING }
  };

-#define NUM_VARS (sizeof(variables) / sizeof(variables[0]))

static const unsigned ones[4] =
{
@@ -210,7 +213,12 @@
static int parse_fatal_errors(const char *s);
static int parse_groups(const char *s);
static int parse_protocols(const char *s);
-static int read_configuration(cups_file_t *fp);
+static int parse_variable(const char *filename, int linenum,

•           const char *line, const char *value,
  

•           size_t num_vars,
  

•           const cupsd_var_t *vars);
  

  +static int read_cupsd_conf(cups_file_t *fp);
  +static int read_cups_files_conf(cups_file_t *fp);
  static int read_location(cups_file_t *fp, char *name, int linenum);
  static int read_policy(cups_file_t *fp, char *name, int linenum);

@@ -697,18 +705,59 @@
#endif /* APPLE */

/*

• * Read the configuration file...
• * Read the cups-files.conf file...
• */

• if ((fp = cupsFileOpen(CupsFilesFile, "r")) != NULL)
• {
• status = read_cups_files_conf(fp);

• cupsFileClose(fp);

• if (!status)
• {

•  if (TestConfigFile)
  

•    printf("%s contains errors\n", CupsFilesFile);
  

•  else
  

•    cupsdLogMessage(CUPSD_LOG_CRIT, "Unable to read %s", CupsFilesFile);
  

•  return (0);
  

• }
• }
• else if (errno == ENOENT)
• cupsdLogMessage(CUPSD_LOG_INFO, "No %s, using defaults.", CupsFilesFile);
• else
• {
• cupsdLogMessage(CUPSD_LOG_CRIT, "Unable to open %s: %s", CupsFilesFile,

•                strerror(errno));
  

• return (0);
• }

• if (!ErrorLog)
• cupsdSetString(&ErrorLog, CUPS_LOGDIR "/error_log");

• /*

• • Read the cupsd.conf file...
    */

  if ((fp = cupsFileOpen(ConfigurationFile, "r")) == NULL)

• {

• cupsdLogMessage(CUPSD_LOG_CRIT, "Unable to open %s: %s", ConfigurationFile,

•                strerror(errno));
  

  return (0);

• }

• status = read_configuration(fp);

• status = read_cupsd_conf(fp);

cupsFileClose(fp);

if (!status)

• {
• if (TestConfigFile)

•  printf("%s contains errors\n", ConfigurationFile);
  

• else

•  cupsdLogMessage(CUPSD_LOG_CRIT, "Unable to read %s", ConfigurationFile);
  

  return (0);
• }

RunUser = getuid();

@@ -828,6 +877,13 @@
BrowseACL = cupsdFindLocation("CUPS_INTERNAL_BROWSE_ACL");

/*

• * Make sure ConfigFilePerm and LogFilePerm have sane values...
• */

• ConfigFilePerm &= 0664;
• LogFilePerm &= 0664;

• /*
  • Open the system log for cupsd if necessary...
    */

@@ -2389,13 +2445,174 @@

/*

• * 'read_configuration()' - Read a configuration file.

• • 'parse_variable()' - Parse a variable line.
    */

  static int /* O - 1 on success, 0 on failure /
  -read_configuration(cups_file_t *fp) / I - File to read from */
  +parse_variable(

• const char filename, / I - Name of configuration file */

• int linenum, /* I - Line in configuration file */

• const char line, / I - Line from configuration file */

• const char value, / I - Value from configuration file */

• size_t num_vars, /* I - Number of variables */

• const cupsd_var_t vars) / I - Variables */
  +{

• size_t i; /* Looping var */

• const cupsd_var_t var; / Variables */

• char temp[1024]; /* Temporary string */

• for (i = num_vars, var = vars; i > 0; i --, var ++)
• if (!strcasecmp(line, var->name))

•  break;
  
• if (i == 0)
• {
• /*
• * Unknown directive! Output an error message and continue...
• */

• if (!value)

•  cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

• else

•  cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.",
  

•         line, linenum, filename);
  
• return (0);
• }

• switch (var->type)
• {
• case CUPSD_VARTYPE_INTEGER :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing integer value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

•      return (0);
  

• }
• else if (!isdigit(*value & 255))
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Bad integer value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

•      return (0);
  

• }
• else
• {

• int   n;      /\* Number */
  

• char  _units;     /_ Units */
  

• n = strtol(value, &units, 0);
  

• if (units && *units)
  

• {
  

•   if (tolower(units[0] & 255) == 'g')
  

•     n *= 1024 \* 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'm')
  

•     n *= 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'k')
  

•     n *= 1024;
  

•   else if (tolower(units[0] & 255) == 't')
  

•     n *= 262144;
  

•   else
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•             "Unknown integer value for %s on line %d of %s.",
  

•             line, linenum, filename);
  

•     return (0);
  

•   }
  

• }
  

• if (n < 0)
  

• {
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•           "Bad negative integer value for %s on line %d of "
  

•           "%s.", line, linenum, filename);
  

•   return (0);
  

• }
  

• else
  

• {
  

•   *((int *)var->ptr) = n;
  

• }
  

• }
• break;

• case CUPSD_VARTYPE_BOOLEAN :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing boolean value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

• return (0);
  

• }
• else if (!strcasecmp(value, "true") ||

•    !strcasecmp(value, "on") ||
  

•    !strcasecmp(value, "enabled") ||
  

•    !strcasecmp(value, "yes") ||
  

•    atoi(value) != 0)
  

• {

• *((int *)var->ptr) = TRUE;
  

• }
• else if (!strcasecmp(value, "false") ||

•    !strcasecmp(value, "off") ||
  

•    !strcasecmp(value, "disabled") ||
  

•    !strcasecmp(value, "no") ||
  

•    !strcasecmp(value, "0"))
  

• {

• *((int *)var->ptr) = FALSE;
  

• }
• else
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Unknown boolean value %s on line %d of %s.",
  

•         value, linenum, filename);
  

• return (0);
  

• }
• break;

• case CUPSD_VARTYPE_PATHNAME :
• if (!value)
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "Missing pathname value for %s on line %d of %s.",
  

•         line, linenum, filename);
  

• return (0);
  

• }

• if (value[0] == '/')

• strlcpy(temp, value, sizeof(temp));
  

• else

• snprintf(temp, sizeof(temp), "%s/%s", ServerRoot, value);
  
• if (access(temp, 0))
• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•         "File or directory for \"%s %s\" on line %d of %s "
  

•         "does not exist.", line, value, linenum, filename);
  

• return (0);
  

• }

• cupsdSetString((char **)var->ptr, temp);
• break;

• case CUPSD_VARTYPE_STRING :
• cupsdSetString((char **)var->ptr, value);
• break;
• }

• return (1);
  +}

+/*

• * 'read_cupsd_conf()' - Read the cupsd.conf configuration file.
• /
  +
  +static int / O - 1 on success, 0 on failure /
  +read_cupsd_conf(cups_file_t *fp) / I - File to read from */
  {
• int i; /* Looping var /
  int linenum; / Current line number /
  char line[HTTP_MAX_BUFFER],
  / Line from file /
  @@ -2407,7 +2624,6 @@
  *value, / Pointer to value /
  *valueptr; / Pointer into value /
  int valuelen; / Length of value */
• cupsd_var_t const var; / Current variable /
  http_addrlist_t *addrlist, / Address list /
  *addr; / Current address /
  unsigned ip[4], / Address value /
  @@ -2417,7 +2633,6 @@
  cupsd_location_t *location; / Browse location /
  cups_file_t *incfile; / Include file /
  char incname[1024]; / Include filename */
• struct group group; / Group */

/*
@@ -2449,7 +2664,7 @@
incname, strerror(errno));
else
{

•    read_configuration(incfile);
  

•    read_cupsd_conf(incfile);
  

  cupsFileClose(incfile);
  }
  }
  @@ -2473,8 +2688,6 @@
  if (linenum == 0)
  return (0);
  }
• else if (!strcasecmp(line, "FatalErrors"))

•  FatalErrors = parse_fatal_errors(value);
  

  else if (!strcasecmp(line, "FaxRetryInterval") && value)
  {
  JobRetryInterval = atoi(value);
  @@ -3151,81 +3364,6 @@
  }
  }
  #endif /* HAVE_SSL */
• else if (!strcasecmp(line, "User") && value)
• {

• /*
  

•  \* User ID to run as...
  

- */

•  if (isdigit(value[0] & 255))
  

•  {
  

- int uid = atoi(value);

• if (!uid)

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Will not use User 0 as specified on line %d "
  

•         "for security reasons.  You must use a non-"
  

•         "privileged account instead.",
  

•                 linenum);
  

•    else
  

• User = atoi(value);
  

•  }
  

•  else
  

•  {
  

- struct passwd p; / Password information */

•    endpwent();
  

- p = getpwnam(value);

• if (p)
• {

• if (!p->pw_uid)
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Will not use User %s (UID=0) as specified on line "
  

•           "%d for security reasons.  You must use a non-"
  

•           "privileged account instead.",
  

•                   value, linenum);
  

• else
  

•   User = p->pw_uid;
  

• }
• else

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown User \"%s\" on line %d, ignoring!",
  

•                 value, linenum);
  

•  }
  

• }
• else if (!strcasecmp(line, "Group") && value)
• {

• /*
  

•  \* Group ID to run as...
  

- */

•  if (isdigit(value[0]))
  

•    Group = atoi(value);
  

•  else
  

•  {
  

•    endgrent();
  

- group = getgrnam(value);

• if (group != NULL)

• Group = group->gr_gid;
  

• else

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown Group \"%s\" on line %d, ignoring!",
  

•                 value, linenum);
  

•  }
  

• }
• else if (!strcasecmp(line, "SystemGroup") && value)
• {

• /*
  

•  \* SystemGroup (admin) group(s)...
  

- */

•  if (!parse_groups(value))
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown SystemGroup \"%s\" on line %d, ignoring!",
  

•               value, linenum);
  

• }
  else if (!strcasecmp(line, "HostNameLookups") && value)
  {
  /*
  @@ -3304,22 +3442,6 @@
  cupsdLogMessage(CUPSD_LOG_WARN, "Unknown LogTimeFormat %s on line %d.",
  value, linenum);
  }
• else if (!strcasecmp(line, "PrintcapFormat") && value)
• {

• /*
  

•  \* Format of printcap file?
  

- */

•  if (!strcasecmp(value, "bsd"))
  

•    PrintcapFormat = PRINTCAP_BSD;
  

•  else if (!strcasecmp(value, "plist"))
  

•    PrintcapFormat = PRINTCAP_PLIST;
  

•  else if (!strcasecmp(value, "solaris"))
  

•    PrintcapFormat = PRINTCAP_SOLARIS;
  

•  else
  

• cupsdLogMessage(CUPSD_LOG_WARN, "Unknown PrintcapFormat %s on line %d.",

•               value, linenum);
  

• }
  else if (!strcasecmp(line, "ServerTokens") && value)
  {
  /*
  @@ -3423,123 +3545,197 @@
  "line %d.", value, linenum);
  }
  #endif /* HAVE_SSL */
• else if (!strcasecmp(line, "AccessLog") ||

•         !strcasecmp(line, "CacheDir") ||
  

•         !strcasecmp(line, "ConfigFilePerm") ||
  

•         !strcasecmp(line, "DataDir") ||
  

•         !strcasecmp(line, "DocumentRoot") ||
  

•         !strcasecmp(line, "ErrorLog") ||
  

•         !strcasecmp(line, "FatalErrors") ||
  

•         !strcasecmp(line, "FileDevice") ||
  

•         !strcasecmp(line, "FontPath") ||
  

•         !strcasecmp(line, "Group") ||
  

•         !strcasecmp(line, "LogFilePerm") ||
  

•         !strcasecmp(line, "LPDConfigFile") ||
  

•         !strcasecmp(line, "PageLog") ||
  

•         !strcasecmp(line, "Printcap") ||
  

•         !strcasecmp(line, "PrintcapFormat") ||
  

•         !strcasecmp(line, "RemoteRoot") ||
  

•         !strcasecmp(line, "RequestRoot") ||
  

•         !strcasecmp(line, "ServerBin") ||
  

•         !strcasecmp(line, "ServerCertificate") ||
  

•         !strcasecmp(line, "ServerKey") ||
  

•         !strcasecmp(line, "ServerRoot") ||
  

•         !strcasecmp(line, "SMBConfigFile") ||
  

•         !strcasecmp(line, "StateDir") ||
  

•         !strcasecmp(line, "SystemGroup") ||
  

•         !strcasecmp(line, "SystemGroupAuthKey") ||
  

•         !strcasecmp(line, "TempDir") ||
  

•    !strcasecmp(line, "User"))
  

• {

•  cupsdLogMessage(CUPSD_LOG_WARN,
  

•         "Please move \"%s%s%s\" on line %d of %s to the %s file; "
  

•         "this will become an error in a future release.",
  

•         line, value ? " " : "", value ? value : "", linenum,
  

•         ConfigurationFile, CupsFilesFile);
  

• }
  else

•  parse_variable(ConfigurationFile, linenum, line, value,
  

•                 sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars);
  

• }

• return (1);
  +}

+/*

• * 'read_cups_files_conf()' - Read the cups-files.conf configuration file.
• /
  +
  +static int / O - 1 on success, 0 on failure /
  +read_cups_files_conf(cups_file_t *fp) / I - File to read from */
  +{
• int linenum; /* Current line number */
• char line[HTTP_MAX_BUFFER], /* Line from file */

•   _value;         /_ Value from line */
  

• struct group group; / Group */

• /*
• * Loop through each line in the file...
• */

• linenum = 0;

• while (cupsFileGetConf(fp, line, sizeof(line), &value, &linenum))

• {

• if (!strcasecmp(line, "FatalErrors"))

•  FatalErrors = parse_fatal_errors(value);
  

• else if (!strcasecmp(line, "Group") && value)
  {
  /*

•  \* Find a simple variable in the list...
  

•  * Group ID to run as...
  

  */

•  for (i = NUM_VARS, var = variables; i > 0; i --, var ++)
  

•    if (!strcasecmp(line, var->name))
  

- break;

•  if (i == 0)
  

•  if (isdigit(value[0]))
  

•    Group = atoi(value);
  

•  else
  

  {

•   /*
  

•    \* Unknown directive!  Output an error message and continue...
  

• */

•    endgrent();
  

• group = getgrnam(value);

•    if (!value)
  

• cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d.",
  

•                 line, linenum);
  

• if (group != NULL)

• Group = group->gr_gid;
  

  else

• cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d.",
  

•                 line, linenum);
  

•    continue;
  

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown Group \"%s\" on line %d of %s.", value,
  

•                 linenum, CupsFilesFile);
  

• if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•   return (0);
  

• }
  }
• }
• else if (!strcasecmp(line, "PrintcapFormat") && value)
• {

• /*
  

•  \* Format of printcap file?
  

•  */
  

•  switch (var->type)
  

•  if (!strcasecmp(value, "bsd"))
  

•    PrintcapFormat = PRINTCAP_BSD;
  

•  else if (!strcasecmp(value, "plist"))
  

•    PrintcapFormat = PRINTCAP_PLIST;
  

•  else if (!strcasecmp(value, "solaris"))
  

•    PrintcapFormat = PRINTCAP_SOLARIS;
  

•  else
  

  {

•    case CUPSD_VARTYPE_INTEGER :
  

•   if (!value)
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing integer value for %s on line %d!",
  

•             line, linenum);
  

•   else
  

•   {
  

•     int   n;      /\* Number */
  

- char units; / Units */

- n = strtol(value, &units, 0);

•     if (units && *units)
  

•     {
  

•       if (tolower(units[0] & 255) == 'g')
  

•     n *= 1024 \* 1024 \* 1024;
  

•       else if (tolower(units[0] & 255) == 'm')
  

•     n *= 1024 \* 1024;
  

•   else if (tolower(units[0] & 255) == 'k')
  

•     n *= 1024;
  

•   else if (tolower(units[0] & 255) == 't')
  

•     n *= 262144;
  

- }

•          if (n < 0)
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Bad negative integer value for %s on line %d!",
  

•           line, linenum);
  

•     else
  

•   *((int *)var->ptr) = n;
  

•   }
  

•   break;
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown PrintcapFormat \"%s\" on line %d of %s.",
  

•               value, linenum, CupsFilesFile);
  

•    if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•      return (0);
  

•  }
  

• }

• else if (!strcasecmp(line, "SystemGroup") && value)

• {

• /*
  

•  \* SystemGroup (admin) group(s)...
  

•  */
  

• case CUPSD_VARTYPE_BOOLEAN :

•   if (!value)
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing boolean value for %s on line %d!",
  

•             line, linenum);
  

•        else if (!strcasecmp(value, "true") ||
  

•            !strcasecmp(value, "on") ||
  

•        !strcasecmp(value, "enabled") ||
  

•        !strcasecmp(value, "yes") ||
  

•        atoi(value) != 0)
  

•          *((int *)var->ptr) = TRUE;
  

•   else if (!strcasecmp(value, "false") ||
  

•            !strcasecmp(value, "off") ||
  

•        !strcasecmp(value, "disabled") ||
  

•        !strcasecmp(value, "no") ||
  

•        !strcasecmp(value, "0"))
  

•          *((int *)var->ptr) = FALSE;
  

•   else
  

•          cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Unknown boolean value %s on line %d.",
  

•                     value, linenum);
  

•   break;
  

•  if (!parse_groups(value))
  

•  {
  

• cupsdLogMessage(CUPSD_LOG_ERROR,

•               "Unknown SystemGroup \"%s\" on line %d of %s.", value,
  

•               linenum, CupsFilesFile);
  

•    if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•      return (0);
  

•  }
  

• }

• else if (!strcasecmp(line, "User") && value)

• {

• /*
  

•  \* User ID to run as...
  

•  */
  

• case CUPSD_VARTYPE_PATHNAME :

•        if (!value)
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "Missing pathname value for %s on line %d!",
  

•             line, linenum);
  

•          break;
  

•   }
  

•  if (isdigit(value[0] & 255))
  

•  {
  

•    int uid = atoi(value);
  

•   if (value[0] == '/')
  

•     strlcpy(temp, value, sizeof(temp));
  

•   else
  

•     snprintf(temp, sizeof(temp), "%s/%s", ServerRoot, value);
  

• if (!uid)

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Will not use User 0 as specified on line %d of %s "
  

•         "for security reasons.  You must use a non-"
  

•         "privileged account instead.",
  

•                 linenum, CupsFilesFile);
  

•      if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•        return (0);
  

•    }
  

•    else
  

• User = atoi(value);
  

•  }
  

•  else
  

•  {
  

•    struct passwd *p;  /* Password information */
  

•        if (access(temp, 0))
  

•   {
  

•     cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                     "File or directory for \"%s %s\" on line %d "
  

•             "does not exist!", line, value, linenum);
  

•          break;
  

•   }
  

•    endpwent();
  

• p = getpwnam(value);

• case CUPSD_VARTYPE_STRING :

•   cupsdSetString((char **)var->ptr, value);
  

•   break;
  

• if (p)

• {

• if (!p->pw_uid)
  

• {
  

•   cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                   "Will not use User %s (UID=0) as specified on line "
  

•           "%d of %s for security reasons.  You must use a "
  

•           "non-privileged account instead.",
  

•                   value, linenum, CupsFilesFile);
  

•   if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•     return (0);
  

• }
  

• else
  

•   User = p->pw_uid;
  

• }

• else

• {

• cupsdLogMessage(CUPSD_LOG_ERROR,
  

•                 "Unknown User \"%s\" on line %d of %s.",
  

•                 value, linenum, CupsFilesFile);
  

•      if (FatalErrors & CUPSD_FATAL_CONFIG)
  

•        return (0);
  

•    }
  

  }
  }

• else if (!parse_variable(CupsFilesFile, linenum, line, value,

•            sizeof(cupsfiles_vars) / sizeof(cupsfiles_vars[0]),
  

•            cupsfiles_vars) &&
  

•    (FatalErrors & CUPSD_FATAL_CONFIG))
  

•  return (0);
  

  }

  return (1);
  }

/*

• 'read_location()' - Read a definition.
  */
  diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/scheduler/conf.h cups/scheduler/conf.h
  --- cups~/scheduler/conf.h 2012-12-08 00:29:09.000000000 +0100
  +++ cups/scheduler/conf.h 2012-12-08 00:29:10.000000000 +0100
  @@ -96,7 +96,9 @@
  */

  VAR char *ConfigurationFile VALUE(NULL),

  •               /\* Configuration file to use */
    

  •               /\* cupsd.conf file to use */
    

  •       *CupsFilesFile      VALUE(NULL),
    

  •               /\* cups-files.conf file to use _/
    *ServerName     VALUE(NULL),
            /_ FQDN for server */
    *ServerAdmin        VALUE(NULL),
    

    diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/scheduler/ipp.c cups/scheduler/ipp.c
    --- cups~/scheduler/ipp.c 2012-12-08 00:29:09.000000000 +0100
    +++ cups/scheduler/ipp.c 2012-12-08 00:54:10.627688371 +0100
    @@ -2597,7 +2597,7 @@
    send_ipp_status(con, IPP_NOT_POSSIBLE,
    _("File device URIs have been disabled! "
    "To enable, see the FileDevice directive in "

  •         "\"%s/cupsd.conf\"."),
    

  •         "\"%s/cups-files.conf\"."),
    ServerRoot);
    

    return;
    }
    diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/scheduler/main.c cups/scheduler/main.c
    --- cups~/scheduler/main.c 2012-12-08 00:29:09.000000000 +0100
    +++ cups/scheduler/main.c 2012-12-08 00:29:10.000000000 +0100
    @@ -251,6 +251,35 @@
    cupsdSetStringf(&ConfigurationFile, "%s/%s", current, argv[i]);
    free(current);
    }
    +

  •     if (!CupsFilesFile)
    

  •     {
    

  •       char    _filename,  /_ Copy of cupsd.conf filename */
    

  •       _slash;     /_ Final slash in cupsd.conf filename */
    

  •   size_t  len;        /\* Size of buffer */
    

  •   len = strlen(ConfigurationFile) + 15;
    

  •   if ((filename = malloc(len)) == NULL)
    

  •   {
    

  •     _cupsLangPrintf(stderr,
    

  •                     _("cupsd: Unable to get path to "
    

  •                       "cups-files.conf file."));
    

  •              return (1);
    

  •   }
    

  •   strlcpy(filename, ConfigurationFile, len);
    

  •   if ((slash = strrchr(filename, '/')) == NULL)
    

  •   {
    

  •     _cupsLangPrintf(stderr,
    

  •                     _("cupsd: Unable to get path to "
    

  •                       "cups-files.conf file."));
    

  •              return (1);
    

  •   }
    

  •   strlcpy(slash, "/cups-files.conf", len - (slash - filename));
    

  •   cupsdSetString(&CupsFilesFile, filename);
    

  •   free(filename);
    

  •     }
    

    break;

    case 'f' : /* Run in foreground... */
    @@ -289,6 +318,29 @@
    UseProfiles = 0;
    break;

•      case 's' : /\* Set cups-files.conf location */
  

•          i ++;
  

•     if (i >= argc)
  

•     {
  

•       _cupsLangPuts(stderr, _("cupsd: Expected cups-files.conf "
  

•                               "filename after \"-s\" option."));
  

•       usage(1);
  

•     }
  

•          if (argv[i][0] != '/')
  

•     {
  

•      /*
  

•       \* Relative filename not allowed...
  

•   */
  

•       _cupsLangPuts(stderr, _("cupsd: Relative cups-files.conf "
  

•                               "filename not allowed."));
  

•       usage(1);
  

•          }
  

•     cupsdSetString(&CupsFilesFile, argv[i]);
  

•     break;
  

  #ifdef APPLE
  case 'S' : /* Disable system management functions */
  fputs("cupsd: -S (disable system management) for internal "
  @@ -315,8 +367,40 @@
  usage(1);
  }

• if (!ConfigurationFile)

• cupsdSetString(&ConfigurationFile, CUPS_SERVERROOT "/cupsd.conf");

• if (!ConfigurationFile)

• {

•  cupsdSetString(&ConfigurationFile, CUPS_SERVERROOT "/cupsd.conf");
  

•  cupsdSetString(&CupsFilesFile, CUPS_SERVERROOT "/cups-files.conf");
  

• }

• if (!CupsFilesFile)

• {

•  char _filename,      /_ Copy of cupsd.conf filename */
  

•   _slash;         /_ Final slash in cupsd.conf filename */
  

•  size_t   len;            /\* Size of buffer */
  

•  len = strlen(ConfigurationFile) + 15;
  

•  if ((filename = malloc(len)) == NULL)
  

•  {
  

•    _cupsLangPrintf(stderr,
  

•         _("cupsd: Unable to get path to "
  

•       "cups-files.conf file."));
  

•    return (1);
  

•  }
  

•  strlcpy(filename, ConfigurationFile, len);
  

•  if ((slash = strrchr(filename, '/')) == NULL)
  

•  {
  

•    _cupsLangPrintf(stderr,
  

•         _("cupsd: Unable to get path to "
  

•       "cups-files.conf file."));
  

•    return (1);
  

•  }
  

•  strlcpy(slash, "/cups-files.conf", len - (slash - filename));
  

•  cupsdSetString(&CupsFilesFile, filename);
  

•  free(filename);
  

• }

/*

• If the user hasn't specified "-f", run in the background...
  diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cups~/test/run-stp-tests.sh cups/test/run-stp-tests.sh
  --- cups~/test/run-stp-tests.sh 2012-12-08 00:29:09.000000000 +0100
  +++ cups/test/run-stp-tests.sh 2012-12-08 00:29:10.000000000 +0100
  @@ -316,26 +316,10 @@

cat >/tmp/cups-$user/cupsd.conf <<EOF
Browsing Off
-FileDevice yes
-Printcap
Listen 127.0.0.1:$port
-User $user
-ServerRoot /tmp/cups-$user
-StateDir /tmp/cups-$user
-ServerBin /tmp/cups-$user/bin
-CacheDir /tmp/cups-$user/share
-DataDir /tmp/cups-$user/share
-FontPath /tmp/cups-$user/share/fonts
PassEnv LOCALEDIR
-DocumentRoot $root/doc
-RequestRoot /tmp/cups-$user/spool
-TempDir /tmp/cups-$user/spool/temp
-PidFile /tmp/cups-$user/cupsd.pid
MaxSubscriptions 3
MaxLogSize 0
-AccessLog /tmp/cups-$user/log/access_log
-ErrorLog /tmp/cups-$user/log/error_log
-PageLog /tmp/cups-$user/log/page_log
AccessLogLevel actions
LogLevel debug2
LogTimeFormat usecs
@@ -350,6 +334,25 @@

EOF

+cat >/tmp/cups-$user/cups-files.conf <<EOF
+FileDevice yes
+Printcap
+User $user
+ServerRoot /tmp/cups-$user
+StateDir /tmp/cups-$user
+ServerBin /tmp/cups-$user/bin
+CacheDir /tmp/cups-$user/share
+DataDir /tmp/cups-$user/share
+FontPath /tmp/cups-$user/share/fonts
+DocumentRoot $root/doc
+RequestRoot /tmp/cups-$user/spool
+TempDir /tmp/cups-$user/spool/temp
+PidFile /tmp/cups-$user/cupsd.pid
+AccessLog /tmp/cups-$user/log/access_log
+ErrorLog /tmp/cups-$user/log/error_log
+PageLog /tmp/cups-$user/log/page_log
+EOF
+

Setup lots of test queues - half with PPD files, half without...

[michaelrsweet]

"0001-Another-documentation-fix-related-to-CVE-2012-5519.patch":

From 0bb53055d0a42f389806d0087b34e9a540e51564 Mon Sep 17 00:00:00 2001
From: Tim Waugh twaugh@redhat.com
Date: Wed, 12 Dec 2012 12:27:47 +0000
Subject: [PATCH 1/2] Another documentation fix related to CVE-2012-5519.

The FileDevice option can no longer be adjusted using cupsctl.

man/cupsctl.man | 5 -----
1 file changed, 5 deletions(-)

diff --git a/man/cupsctl.man b/man/cupsctl.man
index a9e3ac1..6d7dd51 100644
--- a/man/cupsctl.man
+++ b/man/cupsctl.man
@@ -84,11 +84,6 @@ Disable printer sharing:
.nf
cupsctl --no-shared-printers
.fi
-.LP
-Enable printing using the file: pseudo-device:
-.nf

• cupsctl FileDevice=Yes
  -.fi
  .SH KNOWN ISSUES
  You cannot set the Listen or Port directives using \fIcupsctl\fR.
  .SH SEE ALSO
  --
  1.8.0.1

[michaelrsweet]

"cups-str4223-ref-cups-files-conf.patch":

diff -up cups-1.5.4/configure.in.str4223-extra cups-1.5.4/configure.in
--- cups-1.5.4/configure.in.str4223-extra 2012-12-12 12:41:41.008019159 +0000
+++ cups-1.5.4/configure.in 2012-12-12 12:42:00.313070539 +0000
@@ -78,6 +78,7 @@ AC_OUTPUT(Makedefs
data/cups.path
desktop/cups.desktop
doc/help/ref-cupsd-conf.html

• doc/help/ref-cups-files-conf.html
  

  doc/help/standard.html
  doc/index.html
  man/client.conf.man
  diff -up cups-1.5.4/doc/Makefile.str4223-extra cups-1.5.4/doc/Makefile
  --- cups-1.5.4/doc/Makefile.str4223-extra 2012-12-12 12:41:41.009019162 +0000
  +++ cups-1.5.4/doc/Makefile 2012-12-12 12:42:00.313070539 +0000
  @@ -105,6 +105,7 @@ HELPFILES =
  help/ref-classes-conf.html
  help/ref-client-conf.html
  help/ref-cupsd-conf.html \

•       help/ref-cups-files-conf.html \
      help/ref-error_log.html \
      help/ref-mailto-conf.html \
      help/ref-page_log.html \
  

  diff -up cups-1.5.4/Makefile.str4223-extra cups-1.5.4/Makefile
  --- cups-1.5.4/Makefile.str4223-extra 2011-08-29 22:19:27.000000000 +0100
  +++ cups-1.5.4/Makefile 2012-12-12 12:42:00.312070535 +0000
  @@ -101,6 +101,7 @@ distclean: clean
  $(RM) cups-config
  $(RM) conf/cupsd.conf conf/mime.convs conf/pam.std conf/snmp.conf
  $(RM) doc/help/ref-cupsd-conf.html doc/help/standard.html doc/index.html
• $(RM) doc/help/ref-cups-files-conf.html
  $(RM) man/client.conf.man
  $(RM) man/cups-deviced.man man/cups-driverd.man
  $(RM) man/cups-lpd.man man/cupsaddsmb.man man/cupsd.man

[michaelrsweet]

"0001-Check-permissions-on-cups-files.conf.patch":

From 3c03696466ff3dcb6caded170c5866f2523ccf5e Mon Sep 17 00:00:00 2001
From: Tim Waugh twaugh@redhat.com
Date: Wed, 12 Dec 2012 16:31:38 +0000
Subject: [PATCH] Check permissions on cups-files.conf.

---

scheduler/conf.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/scheduler/conf.c b/scheduler/conf.c
index 8e169e1..a296e44 100644
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -1110,6 +1110,8 @@ cupsdReadConfiguration(void)
Group, 1, 0) < 0 ||
cupsdCheckPermissions(ServerRoot, "cupsd.conf", ConfigFilePerm, RunUser,
Group, 0, 0) < 0 ||

•   cupsdCheckPermissions(ServerRoot, "cups-files.conf", ConfigFilePerm,
  

•            RunUser, Group, 0, 0) < 0 ||
  cupsdCheckPermissions(ServerRoot, "classes.conf", 0600, RunUser,
           Group, 0, 0) < 0 ||
  cupsdCheckPermissions(ServerRoot, "printers.conf", 0600, RunUser,
  

  --
  1.8.0.1

[michaelrsweet]

"str4223v2p3.patch":

Index: doc/Makefile

--- doc/Makefile (revision 10749)
+++ doc/Makefile (working copy)
@@ -105,6 +105,7 @@
help/ref-classes-conf.html
help/ref-client-conf.html
help/ref-cupsd-conf.html \

•       help/ref-cups-files-conf.html \
      help/ref-error_log.html \
      help/ref-mailto-conf.html \
      help/ref-page_log.html \
  

  Index: man/cupsctl.man

  --- man/cupsctl.man (revision 10749)
  +++ man/cupsctl.man (working copy)
  @@ -12,7 +12,7 @@
  ." which should have been included with this file. If this file is
  ." file is missing or damaged, see the license at "http://www.cups.org/".
  ."
  -.TH cupsctl 8 "CUPS" "16 July 2012" "Apple Inc."
  +.TH cupsctl 8 "CUPS" "12 December 2012" "Apple Inc."
  .SH NAME
  cupsctl - configure cupsd.conf options
  .SH SYNOPSIS
  @@ -84,11 +84,6 @@
  .nf
  cupsctl --no-shared-printers
  .fi
  -.LP
  -Enable printing using the file: pseudo-device:
  -.nf

• cupsctl FileDevice=Yes
  -.fi
  .SH KNOWN ISSUES
  You cannot set the Listen or Port directives using \fIcupsctl\fR.
  .SH SEE ALSO
  Index: configure.in
  ===================================================================
  --- configure.in (revision 10749)
  +++ configure.in (working copy)
  @@ -68,6 +68,7 @@
  cups-config
  data/testprint
  desktop/cups.desktop

• doc/help/ref-cups-files-conf.html
  

  doc/help/ref-cupsd-conf.html
  doc/help/standard.html
  doc/index.html

  Index: scheduler/conf.c

  --- scheduler/conf.c (revision 10749)
  +++ scheduler/conf.c (working copy)
  @@ -797,14 +797,22 @@
  cupsFileClose(fp);

  if (!status)

• {

•  if (TestConfigFile)
  

•    printf("\"%s\" contains errors.\n", CupsFilesFile);
  

•  else
  

•    syslog(LOG_LPR, "Unable to read \"%s\" due to errors.",
  

•           CupsFilesFile);
  

  • return (0);

• }
  }
  else if (errno == ENOENT)
  cupsdLogMessage(CUPSD_LOG_INFO, "No %s, using defaults.", CupsFilesFile);
  else
  {

• cupsdLogMessage(CUPSD_LOG_CRIT, "Unable to open %s: %s", CupsFilesFile,

•                strerror(errno));
  

• syslog(LOG_LPR, "Unable to open "%s": %s", CupsFilesFile,

•  strerror(errno));
  

  return (0);
  }

@@ -817,8 +825,8 @@

if ((fp = cupsFileOpen(ConfigurationFile, "r")) == NULL)
{

• cupsdLogMessage(CUPSD_LOG_CRIT, "Unable to open %s: %s", ConfigurationFile,

•                strerror(errno));
  

• syslog(LOG_LPR, "Unable to open "%s": %s", ConfigurationFile,

•  strerror(errno));
  

  return (0);
  }

@@ -827,7 +835,15 @@
cupsFileClose(fp);

if (!status)

• {
• if (TestConfigFile)

•  printf("\"%s\" contains errors.\n", ConfigurationFile);
  

• else

•  syslog(LOG_LPR, "Unable to read \"%s\" due to errors.",
  

•    ConfigurationFile);
  

  return (0);
• }

RunUser = getuid();

@@ -1108,8 +1124,10 @@
Group, 1, 1) < 0 ||
cupsdCheckPermissions(ServerRoot, "ssl", 0700, RunUser,
Group, 1, 0) < 0 ||

•   cupsdCheckPermissions(ServerRoot, "cupsd.conf", ConfigFilePerm, RunUser,
  

•   cupsdCheckPermissions(ConfigurationFile, NULL, ConfigFilePerm, RunUser,
           Group, 0, 0) < 0 ||
  

•   cupsdCheckPermissions(CupsFilesFile, NULL, ConfigFilePerm, RunUser,
  

•            Group, 0, 0) < 0 ||
  cupsdCheckPermissions(ServerRoot, "classes.conf", 0600, RunUser,
           Group, 0, 0) < 0 ||
  cupsdCheckPermissions(ServerRoot, "printers.conf", 0600, RunUser,
  

  Index: scheduler/client.c

  --- scheduler/client.c (revision 10749)
  +++ scheduler/client.c (working copy)
  @@ -3336,14 +3336,14 @@

  • Open the new config file...
    */

• snprintf(filename, sizeof(filename), "%s/cupsd.conf", ServerRoot);

• if ((out = cupsdCreateConfFile(filename, ConfigFilePerm)) == NULL)

• if ((out = cupsdCreateConfFile(ConfigurationFile, ConfigFilePerm)) == NULL)
  {
  cupsFileClose(in);
  return (HTTP_SERVER_ERROR);
  }

• cupsdLogMessage(CUPSD_LOG_INFO, "Installing config file "%s"...", filename);

• cupsdLogMessage(CUPSD_LOG_INFO, "Installing config file "%s"...",

•              ConfigurationFile);
  

  /*

  • Copy from the request to the new config file...
    @@ -3354,12 +3354,12 @@
    {
    cupsdLogMessage(CUPSD_LOG_ERROR,
    "Unable to copy to config file "%s": %s",

•             filename, strerror(errno));
  

•             ConfigurationFile, strerror(errno));
  

  cupsFileClose(in);
  cupsFileClose(out);

•  snprintf(filename, sizeof(filename), "%s%s.N", ServerRoot, con->uri + 11);
  

•  snprintf(filename, sizeof(filename), "%s.N", ConfigurationFile);
  

  cupsdRemoveFile(filename);

  return (HTTP_SERVER_ERROR);
  @@ -3371,7 +3371,7 @@

  cupsFileClose(in);

• if (cupsdCloseCreatedConfFile(out, filename))

• if (cupsdCloseCreatedConfFile(out, ConfigurationFile))
  return (HTTP_SERVER_ERROR);

/*

Index: scheduler/log.c

--- scheduler/log.c (revision 10749)
+++ scheduler/log.c (working copy)
@@ -41,7 +41,23 @@
static int log_linesize = 0; /* Size of line for output file /
static char *log_line = NULL; / Line for output file */

+#ifdef HAVE_VSYSLOG
+static const int syslevels[] = /* SYSLOG levels... */

•   {
  

•     0,
  

•     LOG_EMERG,
  

•     LOG_ALERT,
  

•     LOG_CRIT,
  

•     LOG_ERR,
  

•     LOG_WARNING,
  

•     LOG_NOTICE,
  

•     LOG_INFO,
  

•     LOG_DEBUG,
  

•     LOG_DEBUG
  

•   };
  

  +#endif /* HAVE_VSYSLOG */

/*

• Local functions...
  */
  @@ -543,8 +559,12 @@
  if ((TestConfigFile || !ErrorLog) && level <= CUPSD_LOG_WARN)
  {
  va_start(ap, message);
  +#ifdef HAVE_VSYSLOG

  • vsyslog(LOG_LPR | syslevels[level], message, ap);
    +#else
    vfprintf(stderr, message, ap);
    putc('\n', stderr);
    +#endif /* HAVE_VSYSLOG */
    va_end(ap);

  return (1);
  @@ -984,21 +1004,6 @@
  'D',
  'd'
  };
  -#ifdef HAVE_VSYSLOG

  • static const int syslevels[] = /* SYSLOG levels... */

  •   {
    

  •     0,
    

  •     LOG_EMERG,
    

  •     LOG_ALERT,
    

  •     LOG_CRIT,
    

  •     LOG_ERR,
    

  •     LOG_WARNING,
    

  •     LOG_NOTICE,
    

  •     LOG_INFO,
    

  •     LOG_DEBUG,
    

  •     LOG_DEBUG
    

  •   };
    

    -#endif /* HAVE_VSYSLOG */

  #ifdef HAVE_VSYSLOG

  Index: scheduler/main.c

  --- scheduler/main.c (revision 10749)
  +++ scheduler/main.c (working copy)
  @@ -535,17 +535,11 @@
  */

  if (!cupsdReadConfiguration())

  • {
  • if (TestConfigFile)

  •  printf("%s contains errors\n", ConfigurationFile);
    

  • else

  •  syslog(LOG_LPR, "Unable to read configuration file \'%s\' - exiting!",
    

  •    ConfigurationFile);
    

    return (1);
  • }
    else if (TestConfigFile)
    {
  • printf("%s is OK\n", ConfigurationFile);
  • printf(""%s" is OK.\n", CupsFilesFile);
  • printf(""%s" is OK.\n", ConfigurationFile);
    return (0);
    }