Add support for configuring separate access control for web interface

[michaelrsweet]

Version: 1.5-feature
CUPS.org User: mike

Currently there is no way to share printers but not also grant access to the whole web interface.

At a minimum, the user should be able to turn off all HTTP functionality except for IPP requests and GET requests for PPD files.

[michaelrsweet]

CUPS.org User: mike

Pushing to 1.5.

[michaelrsweet]

CUPS.org User: mike

We should also add support for limiting PUT access to the domain socket.

[michaelrsweet]

CUPS.org User: mike

Also add an "allowed filename" directive for GET/PUT accesses to /admin/conf.

[michaelrsweet]

CUPS.org User: mike

and to /admin/log, to the extent that it is possible to entirely disable read access or limit to the domain socket only.

[michaelrsweet]

CUPS.org User: mike

and maybe a "web interface enabled but require authentication for any CGI" mode?

[michaelrsweet]

CUPS.org User: mike

Work for always authenticating the web interface is now being tracked by STR #3735.

Work for limiting access to domain sockets is now being tracked by STR #3736.

[michaelrsweet]

CUPS.org User: mike

Fixed in Subversion repository.

[michaelrsweet]

"str2625.patch":

Index: conf/cupsd.conf.in

--- conf/cupsd.conf.in (revision 9395)
+++ conf/cupsd.conf.in (working copy)
@@ -26,6 +26,9 @@

Default authentication type, when authentication is required...

DefaultAuthType Basic

+# Web interface setting...
+WebInterface @CUPS_WEBIF@
+

Restrict access to the server...

Order allow,deny

Index: config-scripts/cups-defaults.m4

--- config-scripts/cups-defaults.m4 (revision 9395)
+++ config-scripts/cups-defaults.m4 (working copy)
@@ -470,6 +470,26 @@

AC_SUBST(FONTS)

+dnl Web interface...
+AC_ARG_ENABLE(webif, [ --enable-webif Enable the web interface by default, default=no for Mac OS X])
+case "x$enable_webif" in

• xno)

•   CUPS_WEBIF=No
  

•   ;;
  

• xyes)

•   CUPS_WEBIF=Yes
  

•   ;;
  

• *)

•   if test $uname = Darwin; then
  

•       CUPS_WEBIF=No
  

•   else
  

•       CUPS_WEBIF=Yes
  

•   fi
  

•   ;;
  

  +esac
  +
  +AC_SUBST(CUPS_WEBIF)
  +
  dnl
  dnl End of "$Id$".
  dnl
  Index: doc/help/ref-cupsd-conf.html.in

  --- doc/help/ref-cupsd-conf.html.in (revision 9395)
  +++ doc/help/ref-cupsd-conf.html.in (working copy)
  @@ -3180,5 +3180,18 @@

+

CUPS 1.5WebInterface

+
+

Examples

+
+

+WebInterface yes

+WebInterface no

+

+
+

Description

+
+

The WebInterface directive specifies whether the web interface is enabled. The default value is no.

+

Index: cups/http.h

--- cups/http.h (revision 9395)
+++ cups/http.h (working copy)
@@ -251,7 +251,8 @@
HTTP_NOT_SUPPORTED, /* HTTP version not supported */

HTTP_AUTHORIZATION_CANCELED = 1000, /* User canceled authorization @SInCE CUPS 1.4@ */

• HTTP_PKI_ERROR /* Error negotiating a secure connection @SInCE CUPS 1.5@ */
• HTTP_PKI_ERROR, /* Error negotiating a secure connection @SInCE CUPS 1.5@ */
• HTTP_WEBIF_DISABLED /* Web interface is disabled @Private@ */
  } http_status_t;

typedef enum http_uri_status_e /**** URI separation status @SInCE CUPS 1.2@ ****/

Index: cups/http-support.c

--- cups/http-support.c (revision 9395)
+++ cups/http-support.c (working copy)
@@ -1253,6 +1253,9 @@
case HTTP_PKI_ERROR :
s = _("SSL/TLS Negotiation Error");
break;

• case HTTP_WEBIF_DISABLED :

•    s = _("Web Interface is Disabled");
  

• break;

default :
s = _("Unknown");

Index: man/cupsd.conf.man.in

--- man/cupsd.conf.man.in (revision 9395)
+++ man/cupsd.conf.man.in (working copy)
@@ -742,6 +742,11 @@
User user-name
.br
Specifies the user name or ID that is used when running external programs.
+.TP 5
+WebInterface yes
+.TP 5
+WebInterface no
+Specifies whether the web interface is enabled.
.SH SEE ALSO
\fIclasses.conf(5)\fR, \fIcupsd(8)\fR, \fImime.convs(5)\fR,
\fImime.types(5)\fR, \fIprinters.conf(5)\fR,

Index: scheduler/conf.c

--- scheduler/conf.c (revision 9395)
+++ scheduler/conf.c (working copy)
@@ -180,7 +180,8 @@
#endif /* HAVE_AUTHORIZATION_H */
{ "TempDir", &TempDir, CUPSD_VARTYPE_PATHNAME },
{ "Timeout", &Timeout, CUPSD_VARTYPE_INTEGER },

• { "UseNetworkDefault", &UseNetworkDefault, CUPSD_VARTYPE_BOOLEAN }
• { "UseNetworkDefault", &UseNetworkDefault, CUPSD_VARTYPE_BOOLEAN },
• { "WebInterface", &WebInterface, CUPSD_VARTYPE_BOOLEAN }
  };
  #define NUM_VARS (sizeof(variables) / sizeof(variables[0]))

@@ -632,6 +633,7 @@
RootCertDuration = 300;
Timeout = DEFAULT_TIMEOUT;
NumSystemGroups = 0;

• WebInterface = FALSE;

BrowseInterval = DEFAULT_INTERVAL;
BrowsePort = ippPort();

Index: scheduler/conf.h

--- scheduler/conf.h (revision 9395)
+++ scheduler/conf.h (working copy)
@@ -219,8 +219,10 @@
/* Format of printcap file? /
DefaultShared VALUE(TRUE),
/ Share printers by default? */

•       MultipleOperationTimeout VALUE(DEFAULT_TIMEOUT);
  

•       MultipleOperationTimeout VALUE(DEFAULT_TIMEOUT),
              /\* multiple-operation-time-out value */
  

•       WebInterface        VALUE(FALSE);
  

•               /* Enable the web interface? */
  

  VAR cups_file_t AccessFile VALUE(NULL),
  / Access log file */
  *ErrorFile VALUE(NULL),

  Index: scheduler/client.c

  --- scheduler/client.c (revision 9395)
  +++ scheduler/client.c (working copy)
  @@ -1369,15 +1369,29 @@
  }
  }

•   if ((!strncmp(con->uri, "/admin", 6) &&
  

•        strncmp(con->uri, "/admin/conf/", 12) &&
  

•        strncmp(con->uri, "/admin/log/", 11)) ||
  

•   !strncmp(con->uri, "/printers", 9) ||
  

•   !strncmp(con->uri, "/classes", 8) ||
  

•   !strncmp(con->uri, "/help", 5) ||
  

•   !strncmp(con->uri, "/jobs", 5))
  

•        if (!WebInterface)
  {
   /*
  

•     \* Web interface is disabled. Show an appropriate message...
  

•     */
  

•     if (!cupsdSendError(con, HTTP_WEBIF_DISABLED, CUPSD_AUTH_NONE))
  

•     {
  

•   cupsdCloseClient(con);
  

•   return;
  

•     }
  

•     break;
  

•   }
  

•   else if ((!strncmp(con->uri, "/admin", 6) &&
  

•         strncmp(con->uri, "/admin/conf/", 12) &&
  

•         strncmp(con->uri, "/admin/log/", 11)) ||
  

•        !strncmp(con->uri, "/printers", 9) ||
  

•        !strncmp(con->uri, "/classes", 8) ||
  

•        !strncmp(con->uri, "/help", 5) ||
  

•        !strncmp(con->uri, "/jobs", 5))
  

•   {
  

•    /*
    \* Send CGI output...
    */
  

@@ -1580,6 +1594,20 @@
if (!strcmp(con->http.fields[HTTP_FIELD_CONTENT_TYPE],
"application/ipp"))
con->request = ippNew();

•        else if (!WebInterface)
  

•   {
  

•    /*
  

•     \* Web interface is disabled. Show an appropriate message...
  

•     */
  

•     if (!cupsdSendError(con, HTTP_WEBIF_DISABLED, CUPSD_AUTH_NONE))
  

•     {
  

•   cupsdCloseClient(con);
  

•   return;
  

•     }
  

•     break;
  

•   }
  else if ((!strncmp(con->uri, "/admin", 6) &&
            strncmp(con->uri, "/admin/conf/", 12) &&
            strncmp(con->uri, "/admin/log/", 11)) ||
  

  @@ -1796,7 +1824,53 @@
  break;
  }
  }

•        else if (!strncmp(con->uri, "/printers/", 10) &&
  

•        !strcmp(con->uri + strlen(con->uri) - 4, ".png"))
  

•   {
  

•    /*
  

•     \* Send PNG file - get the real printer name since printer
  

•     \* names are not case sensitive but filenames can be...
  

•     */
  

•          con->uri[strlen(con->uri) - 4] = '\0';   /* Drop ".ppd" */
  

•          if ((p = cupsdFindPrinter(con->uri + 10)) != NULL)
  

•   snprintf(con->uri, sizeof(con->uri), "/icons/%s.png", p->name);
  

•     else
  

•     {
  

•   if (!cupsdSendError(con, HTTP_NOT_FOUND, CUPSD_AUTH_NONE))
  

•   {
  

•     cupsdCloseClient(con);
  

•     return;
  

•   }
  

•   break;
  

•     }
  

•   }
  

•   else if (!WebInterface)
  

•   {
  

•          if (!cupsdSendHeader(con, HTTP_OK, line, CUPSD_AUTH_NONE))
  

•     {
  

•   cupsdCloseClient(con);
  

•   return;
  

•     }
  

•     if (httpPrintf(HTTP(con), "\r\n") < 0)
  

•     {
  

•   cupsdCloseClient(con);
  

•   return;
  

•     }
  

•     if (cupsdFlushHeader(con) < 0)
  

•     {
  

•   cupsdCloseClient(con);
  

•   return;
  

•     }
  

•     con->http.state = HTTP_WAITING;
  

•     break;
  

•   }
  

  • if ((!strncmp(con->uri, "/admin", 6) &&
    strncmp(con->uri, "/admin/conf/", 12) &&
    strncmp(con->uri, "/admin/log/", 11)) ||
    @@ -2411,6 +2485,10 @@
    "CONTENT="3;URL=https://%s:%d%s">\n",
    con->servername, con->serverport, con->uri);
    }

• else if (code == HTTP_WEBIF_DISABLED)

•  text = _cupsLangString(con->language,
  

•                         _("The web interface is currently disabled. Run "
  

•              "\"cupsctl WebInterface=yes\" to enable it."));
  

  else
  text = "";

@@ -2421,17 +2499,17 @@
"\n"
"\t<META HTTP-EQUIV="Content-Type" "
"CONTENT="text/html; charset=utf-8">\n"

•    "\t<TITLE>%d %s</TITLE>\n"
  

•    "\t<TITLE>%s - " CUPS_SVERSION "</TITLE>\n"
   "\t<LINK REL=\"STYLESHEET\" TYPE=\"text/css\" "
   "HREF=\"/cups.css\">\n"
   "%s"
   "</HEAD>\n"
        "<BODY>\n"
  

•    "<H1>%d %s</H1>\n"
  

•    "<H1>%s</H1>\n"
   "<P>%s</P>\n"
   "</BODY>\n"
   "</HTML>\n",
  

•    code, httpStatus(code), redirect, code, httpStatus(code), text);
  

•    httpStatus(code), redirect, httpStatus(code), text);
  

  if (httpPrintf(HTTP(con), "Content-Type: text/html; charset=utf-8\r\n") < 0)
  return (0);
  @@ -2486,7 +2564,16 @@
  return (httpPrintf(HTTP(con), "HTTP/%d.%d 100 Continue\r\n\r\n",
  con->http.version / 100, con->http.version % 100) > 0);
  }

• else if (code == HTTP_WEBIF_DISABLED)

• {

• /*

• * Treat our special "web interface is disabled" status as "200 OK" for web

• * browsers.

• */

• code = HTTP_OK;

• }

httpFlushWrite(HTTP(con));

con->http.data_encoding = HTTP_ENCODE_FIELDS;