Add support for configuring separate access control for web interface #2625

Closed
michaelrsweet opened this Issue Dec 12, 2007 · 8 comments

michaelrsweet commented Dec 12, 2007

Version: 1.5-feature
CUPS.org User: mike

Currently there is no way to share printers but not also grant access to the whole web interface.

At a minimum, the user should be able to turn off all HTTP functionality except for IPP requests and GET requests for PPD files.


michaelrsweet commented May 16, 2008

CUPS.org User: mike

Pushing to 1.5.


michaelrsweet commented Jan 25, 2010

CUPS.org User: mike

We should also add support for limiting PUT access to the domain socket.


michaelrsweet commented Jan 25, 2010

CUPS.org User: mike

Also add an "allowed filename" directive for GET/PUT accesses to /admin/conf.


michaelrsweet commented Jan 25, 2010

CUPS.org User: mike

and to /admin/log, to the extent that it is possible to entirely disable read access or limit to the domain socket only.


michaelrsweet commented Apr 9, 2010

CUPS.org User: mike

and maybe a "web interface enabled but require authentication for any CGI" mode?


michaelrsweet commented Dec 1, 2010

CUPS.org User: mike

Work for always authenticating the web interface is now being tracked by STR #3735.

Work for limiting access to domain sockets is now being tracked by STR #3736.


michaelrsweet commented Dec 1, 2010

CUPS.org User: mike

Fixed in Subversion repository.


michaelrsweet commented Dec 1, 2010

"str2625.patch":

Index: conf/cupsd.conf.in

--- conf/cupsd.conf.in (revision 9395)
+++ conf/cupsd.conf.in (working copy)
@@ -26,6 +26,9 @@

Default authentication type, when authentication is required...

DefaultAuthType Basic

+# Web interface setting...
+WebInterface @CUPS_WEBIF@
+

Restrict access to the server...

Order allow,deny

Index: config-scripts/cups-defaults.m4

--- config-scripts/cups-defaults.m4 (revision 9395)
+++ config-scripts/cups-defaults.m4 (working copy)
@@ -470,6 +470,26 @@

AC_SUBST(FONTS)

+dnl Web interface...
+AC_ARG_ENABLE(webif, [ --enable-webif Enable the web interface by default, default=no for Mac OS X])
+case "x$enable_webif" in

  • xno)
  •   CUPS_WEBIF=No
    
  •   ;;
    
  • xyes)
  •   CUPS_WEBIF=Yes
    
  •   ;;
    
  • *)
  •   if test $uname = Darwin; then
    
  •       CUPS_WEBIF=No
    
  •   else
    
  •       CUPS_WEBIF=Yes
    
  •   fi
    
  •   ;;
    

    +esac
    +
    +AC_SUBST(CUPS_WEBIF)
    +
    dnl
    dnl End of "$Id$".
    dnl
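
Review bot: `if test $uname = Darwin` expands `$uname` unquoted, and if it is ever empty the test fails and control falls to the `else` branch, which sets CUPS_WEBIF=Yes, so the failure mode is the web interface enabled. Quote the operand, for example `test "x$uname" = xDarwin`, matching the `"x$enable_webif"` style of the `case` above it. The help string also says only "default=no for Mac OS X"; it should state that the default is yes on other platforms.
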
    Index: doc/help/ref-cupsd-conf.html.in

    --- doc/help/ref-cupsd-conf.html.in (revision 9395)
    +++ doc/help/ref-cupsd-conf.html.in (working copy)
    @@ -3180,5 +3180,18 @@

+

CUPS 1.5WebInterface


+
+

Examples


+
+

+WebInterface yes
+WebInterface no
+

+
+

Description


+
+

The WebInterface directive specifies whether the web interface is enabled. The default value is no.


+
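
Review bot: "The default value is no" in the Description matches the built-in default set in scheduler/conf.c, but the configure default in cups-defaults.m4 writes `WebInterface Yes` into the generated cupsd.conf on anything other than Darwin. Document both: what happens when the directive is absent, and what the shipped configuration file sets.
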

Index: cups/http.h

--- cups/http.h (revision 9395)
+++ cups/http.h (working copy)
@@ -251,7 +251,8 @@
HTTP_NOT_SUPPORTED, /* HTTP version not supported */

HTTP_AUTHORIZATION_CANCELED = 1000, /* User canceled authorization @SInCE CUPS 1.4@ */

  • HTTP_PKI_ERROR /* Error negotiating a secure connection @SInCE CUPS 1.5@ */
  • HTTP_PKI_ERROR, /* Error negotiating a secure connection @SInCE CUPS 1.5@ */
  • HTTP_WEBIF_DISABLED /* Web interface is disabled @Private@ */
    } http_status_t;

typedef enum http_uri_status_e /**** URI separation status @SInCE CUPS 1.2@ ****/
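
Review bot: HTTP_WEBIF_DISABLED is appended to the public `http_status_t` enum with no explicit value, so its number depends on its position after HTTP_PKI_ERROR (which itself follows `HTTP_AUTHORIZATION_CANCELED = 1000`). Since it is marked @Private@ and a later client.c hunk rewrites it to HTTP_OK before anything is sent, give it an explicit value and say in the comment that it never appears on the wire, or keep it in a scheduler-private header.
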

Index: cups/http-support.c

--- cups/http-support.c (revision 9395)
+++ cups/http-support.c (working copy)
@@ -1253,6 +1253,9 @@
case HTTP_PKI_ERROR :
s = _("SSL/TLS Negotiation Error");
break;

  • case HTTP_WEBIF_DISABLED :
  •    s = _("Web Interface is Disabled");
    
  • break;

default :
s = _("Unknown");

Index: man/cupsd.conf.man.in

--- man/cupsd.conf.man.in (revision 9395)
+++ man/cupsd.conf.man.in (working copy)
@@ -742,6 +742,11 @@
User user-name
.br
Specifies the user name or ID that is used when running external programs.
+.TP 5
+WebInterface yes
+.TP 5
+WebInterface no
+Specifies whether the web interface is enabled.
.SH SEE ALSO
\fIclasses.conf(5)\fR, \fIcupsd(8)\fR, \fImime.convs(5)\fR,
\fImime.types(5)\fR, \fIprinters.conf(5)\fR,
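
Review bot: The new WebInterface entry omits the `.br` that the neighbouring `User user-name` entry places between the directive line and its description, so "Specifies whether the web interface is enabled." will run on from `WebInterface no`. Add `.br` before the description and state the default value, as the HTML reference does.
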

Index: scheduler/conf.c

--- scheduler/conf.c (revision 9395)
+++ scheduler/conf.c (working copy)
@@ -180,7 +180,8 @@
#endif /* HAVE_AUTHORIZATION_H */
{ "TempDir", &TempDir, CUPSD_VARTYPE_PATHNAME },
{ "Timeout", &Timeout, CUPSD_VARTYPE_INTEGER },

  • { "UseNetworkDefault", &UseNetworkDefault, CUPSD_VARTYPE_BOOLEAN }
  • { "UseNetworkDefault", &UseNetworkDefault, CUPSD_VARTYPE_BOOLEAN },
  • { "WebInterface", &WebInterface, CUPSD_VARTYPE_BOOLEAN }
    };
    #define NUM_VARS (sizeof(variables) / sizeof(variables[0]))

@@ -632,6 +633,7 @@
RootCertDuration = 300;
Timeout = DEFAULT_TIMEOUT;
NumSystemGroups = 0;

  • WebInterface = FALSE;

BrowseInterval = DEFAULT_INTERVAL;
BrowsePort = ippPort();
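
Review bot: With `WebInterface = FALSE` as the built-in default, an existing cupsd.conf that predates the directive will come up with the web interface off after an upgrade. That is the safer default, but it is a behaviour change for current installations and should be called out in the change notes, together with the line to add to keep the interface enabled.
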

Index: scheduler/conf.h

--- scheduler/conf.h (revision 9395)
+++ scheduler/conf.h (working copy)
@@ -219,8 +219,10 @@
/* Format of printcap file? /
DefaultShared VALUE(TRUE),
/
Share printers by default? */

  •       MultipleOperationTimeout VALUE(DEFAULT_TIMEOUT);
    
  •       MultipleOperationTimeout VALUE(DEFAULT_TIMEOUT),
                /\* multiple-operation-time-out value */
    
  •       WebInterface        VALUE(FALSE);
    
  •               /* Enable the web interface? */
    

    VAR cups_file_t AccessFile VALUE(NULL),
    /
    Access log file */
    *ErrorFile VALUE(NULL),

    Index: scheduler/client.c

    --- scheduler/client.c (revision 9395)
    +++ scheduler/client.c (working copy)
    @@ -1369,15 +1369,29 @@
    }
    }

  •   if ((!strncmp(con->uri, "/admin", 6) &&
    
  •        strncmp(con->uri, "/admin/conf/", 12) &&
    
  •        strncmp(con->uri, "/admin/log/", 11)) ||
    
  •   !strncmp(con->uri, "/printers", 9) ||
    
  •   !strncmp(con->uri, "/classes", 8) ||
    
  •   !strncmp(con->uri, "/help", 5) ||
    
  •   !strncmp(con->uri, "/jobs", 5))
    
  •        if (!WebInterface)
    {
     /*
    
  •     \* Web interface is disabled. Show an appropriate message...
    
  •     */
    
  •     if (!cupsdSendError(con, HTTP_WEBIF_DISABLED, CUPSD_AUTH_NONE))
    
  •     {
    
  •   cupsdCloseClient(con);
    
  •   return;
    
  •     }
    
  •     break;
    
  •   }
    
  •   else if ((!strncmp(con->uri, "/admin", 6) &&
    
  •         strncmp(con->uri, "/admin/conf/", 12) &&
    
  •         strncmp(con->uri, "/admin/log/", 11)) ||
    
  •        !strncmp(con->uri, "/printers", 9) ||
    
  •        !strncmp(con->uri, "/classes", 8) ||
    
  •        !strncmp(con->uri, "/help", 5) ||
    
  •        !strncmp(con->uri, "/jobs", 5))
    
  •   {
    
  •    /*
      \* Send CGI output...
      */
    

@@ -1580,6 +1594,20 @@
if (!strcmp(con->http.fields[HTTP_FIELD_CONTENT_TYPE],
"application/ipp"))
con->request = ippNew();

  •        else if (!WebInterface)
    
  •   {
    
  •    /*
    
  •     \* Web interface is disabled. Show an appropriate message...
    
  •     */
    
  •     if (!cupsdSendError(con, HTTP_WEBIF_DISABLED, CUPSD_AUTH_NONE))
    
  •     {
    
  •   cupsdCloseClient(con);
    
  •   return;
    
  •     }
    
  •     break;
    
  •   }
    else if ((!strncmp(con->uri, "/admin", 6) &&
              strncmp(con->uri, "/admin/conf/", 12) &&
              strncmp(con->uri, "/admin/log/", 11)) ||
    

    @@ -1796,7 +1824,53 @@
    break;
    }
    }

  •        else if (!strncmp(con->uri, "/printers/", 10) &&
    
  •        !strcmp(con->uri + strlen(con->uri) - 4, ".png"))
    
  •   {
    
  •    /*
    
  •     \* Send PNG file - get the real printer name since printer
    
  •     \* names are not case sensitive but filenames can be...
    
  •     */
    
  •          con->uri[strlen(con->uri) - 4] = '\0';   /* Drop ".ppd" */
    
  •          if ((p = cupsdFindPrinter(con->uri + 10)) != NULL)
    
  •   snprintf(con->uri, sizeof(con->uri), "/icons/%s.png", p->name);
    
  •     else
    
  •     {
    
  •   if (!cupsdSendError(con, HTTP_NOT_FOUND, CUPSD_AUTH_NONE))
    
  •   {
    
  •     cupsdCloseClient(con);
    
  •     return;
    
  •   }
    
  •   break;
    
  •     }
    
  •   }
    
  •   else if (!WebInterface)
    
  •   {
    
  •          if (!cupsdSendHeader(con, HTTP_OK, line, CUPSD_AUTH_NONE))
    
  •     {
    
  •   cupsdCloseClient(con);
    
  •   return;
    
  •     }
    
  •     if (httpPrintf(HTTP(con), "\r\n") < 0)
    
  •     {
    
  •   cupsdCloseClient(con);
    
  •   return;
    
  •     }
    
  •     if (cupsdFlushHeader(con) < 0)
    
  •     {
    
  •   cupsdCloseClient(con);
    
  •   return;
    
  •     }
    
  •     con->http.state = HTTP_WAITING;
    
  •     break;
    
  •   }
    
    • if ((!strncmp(con->uri, "/admin", 6) &&
      strncmp(con->uri, "/admin/conf/", 12) &&
      strncmp(con->uri, "/admin/log/", 11)) ||
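
Review bot: In the new `.png` branch the comment on `con->uri[strlen(con->uri) - 4] = '\0';` reads `/* Drop ".ppd" */`, but the branch matches and strips ".png"; fix the comment so it describes the extension actually removed. The `else if (!WebInterface)` branch that follows answers HTTP_OK with an empty header block for every remaining URI, which deserves a comment like the one the other two `!WebInterface` branches carry.
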
      @@ -2411,6 +2485,10 @@
      "CONTENT="3;URL=https://%s:%d%s">\n",
      con->servername, con->serverport, con->uri);
      }
  • else if (code == HTTP_WEBIF_DISABLED)

  •  text = _cupsLangString(con->language,
    
  •                         _("The web interface is currently disabled. Run "
    
  •              "\"cupsctl WebInterface=yes\" to enable it."));
    

    else
    text = "";

@@ -2421,17 +2499,17 @@
"\n"
"\t<META HTTP-EQUIV="Content-Type" "
"CONTENT="text/html; charset=utf-8">\n"

  •    "\t<TITLE>%d %s</TITLE>\n"
    
  •    "\t<TITLE>%s - " CUPS_SVERSION "</TITLE>\n"
     "\t<LINK REL=\"STYLESHEET\" TYPE=\"text/css\" "
     "HREF=\"/cups.css\">\n"
     "%s"
     "</HEAD>\n"
          "<BODY>\n"
    
  •    "<H1>%d %s</H1>\n"
    
  •    "<H1>%s</H1>\n"
     "<P>%s</P>\n"
     "</BODY>\n"
     "</HTML>\n",
    
  •    code, httpStatus(code), redirect, code, httpStatus(code), text);
    
  •    httpStatus(code), redirect, httpStatus(code), text);
    

    if (httpPrintf(HTTP(con), "Content-Type: text/html; charset=utf-8\r\n") < 0)
    return (0);
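
Review bot: The new TITLE format `"%s - " CUPS_SVERSION` puts the server version string into every error page this function generates, and the `%d` status code is dropped from both TITLE and H1. Consider leaving the version out of error responses, and keep the numeric code in the H1 so that users and logs of page content can still tell which status was returned.
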
    @@ -2486,7 +2564,16 @@
    return (httpPrintf(HTTP(con), "HTTP/%d.%d 100 Continue\r\n\r\n",
    con->http.version / 100, con->http.version % 100) > 0);
    }

  • else if (code == HTTP_WEBIF_DISABLED)

  • {

  • /*

  • * Treat our special "web interface is disabled" status as "200 OK" for web

  • * browsers.

  • */

  • code = HTTP_OK;

  • }

httpFlushWrite(HTTP(con));

con->http.data_encoding = HTTP_ENCODE_FIELDS;
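
Review bot: Rewriting HTTP_WEBIF_DISABLED to HTTP_OK here means a refused request carries a 200 status line, so a script, proxy or monitor that keys on the status cannot tell the refusal from a successful response. The comment justifies this for web browsers only; suggest a 4xx status such as 403 or 404, which browsers still render along with the body, or extend the comment to explain why 200 is required.
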
