"Limit All" must be on its own otherwise clients like "lpstat -p" hang up #4659

Closed
michaelrsweet opened this issue Jul 1, 2015 · 4 comments
@michaelrsweet
Version: 2.1-current
CUPS.org User: jsmeix.suse

I use CUPS 2.0.3 (without any patches)
and the following in cupsd.conf

(the "Limit" line is shown wrapped here):

JobPrivateAccess all
JobPrivateValues none
SubscriptionPrivateAccess all
SubscriptionPrivateValues none
Order deny,allow
Allow from all
## DefaultPolicy allowallforanybody

In this case clients like "lpstat -p" hang up
and need to be aborted by [Ctrl]+[C]:

echo 'begin test lpstat' >>/var/log/cups/error_log

lpstat -p

^C

echo 'end test lpstat' >>/var/log/cups/error_log


Attached /var/log/cups/error_log with LogLevel debug2.

When I use a separated "Limit All" it works:

JobPrivateAccess all
JobPrivateValues none
SubscriptionPrivateAccess all
SubscriptionPrivateValues none
Order deny,allow
Allow from all
Order deny,allow
Allow from all
## DefaultPolicy allowallforanybody

I think it is a bug when because of an incorrectly
specified policy cupsd clients like "lpstat -p" hang up.

A side note (minor issue):

I need the

because without it cupsd shows these warnings in error_log

(long lines shown wrapped here):

W ... No limit for Validate-Job defined in policy
allowallforanybody and no suitable template found.
W ... No limit for Cancel-Jobs defined in policy
allowallforanybody and no suitable template found.
W ... No limit for Cancel-My-Jobs defined in policy
allowallforanybody and no suitable template found.
W ... No limit for Close-Job defined in policy
allowallforanybody and no suitable template found.
W ... No limit for CUPS-Get-Document defined in policy
allowallforanybody and no suitable template found.

I think "Limit All" should include Validate-Job Cancel-Jobs
Cancel-My-Jobs Close-Job CUPS-Get-Document so that those
do not need a separated Limit section.
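A configuration check for the two conditions raised in this report, as an added example (not part of the issue thread or of CUPS): it flags a `<Limit>` line that lists `All` together with other operations, and policies with no explicit Limit for the five operations named in the warnings. The sample policy text and the name `lint_policies` are constructed for illustration.

```python
import re

# The five operations named in the error_log warnings quoted in the report.
EXPLICIT_OPS = {"Validate-Job", "Cancel-Jobs", "Cancel-My-Jobs",
                "Close-Job", "CUPS-Get-Document"}
POLICY_RE = re.compile(r"<Policy\s+([^>\s]+)\s*>", re.I)
LIMIT_RE = re.compile(r"<Limit\s+([^>]*)>", re.I)


def lint_policies(conf_text):
    """Return (policy, message) findings for every <Policy> block (hypothetical helper)."""
    findings, policy, named_ops = [], None, set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop cupsd.conf comments
        m = POLICY_RE.fullmatch(line)
        if m:
            policy, named_ops = m.group(1), set()
        elif policy and line.lower() == "</policy>":
            missing = sorted(EXPLICIT_OPS - named_ops)
            if missing:  # operations with no explicit Limit in this policy
                findings.append((policy, "no explicit Limit for: " + ", ".join(missing)))
            policy = None
        elif policy and (m := LIMIT_RE.fullmatch(line)):
            ops = m.group(1).split()
            named = [o for o in ops if o.lower() != "all"]
            if named and len(named) < len(ops):  # "All" shares the line with other ops
                findings.append((policy, "Limit combines All with: " + " ".join(named)))
            named_ops.update(named)
    return findings


# Constructed sample policy, not the reporter's actual cupsd.conf.
COMBINED = """\
<Policy allowallforanybody>
  JobPrivateAccess all
  <Limit Validate-Job Cancel-Jobs Cancel-My-Jobs Close-Job CUPS-Get-Document All>
    Order deny,allow
    Allow from all
  </Limit>
</Policy>
"""

if __name__ == "__main__":
    for name, msg in lint_policies(COMBINED):
        print(f"{name}: {msg}")
```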

@michaelrsweet
CUPS.org User: jsmeix.suse

Attaching plain text /var/log/cups/error_log was rejected
by the server so that I retry with a gzipped file...

@michaelrsweet
CUPS.org User: mike

Johannes,

The reason "Limit All" does not include Cancel-All-Jobs, etc. is that they typically require authentication or at least a matching requesting user - as those operations were added newly in 1.7 we didn't want people migrating from a prior release to suddenly end up with an insecure policy.

I will see about making this check smarter so that a policy with just a "Limit All" section will not require the extra Limit section for the other operations.

@michaelrsweet
CUPS.org User: mike

Fixed in Subversion repository.

This fix is only going into 2.1; because we do not want to have an upgrade cause a change in security behavior, I am not comfortable making the change for 2.0.x.

@michaelrsweet
"str4659.patch":

Index: scheduler/conf.c

--- scheduler/conf.c (revision 12817)
+++ scheduler/conf.c (working copy)
@@ -4104,121 +4104,106 @@

  • Verify that we have an explicit policy for Validate-Job, Cancel-Jobs,

  • Cancel-My-Jobs, Close-Job, and CUPS-Get-Document, which ensures that

  • upgrades do not introduce new security issues...

  • if ((op = cupsdFindPolicyOp(pol, IPP_VALIDATE_JOB)) == NULL ||

  •  op->op == IPP_ANY_OPERATION)
    
  • if (cupsArrayCount(pol->ops) > 1)
    {

  • if ((op = cupsdFindPolicyOp(pol, IPP_PRINT_JOB)) != NULL &&

  • op->op != IPP_ANY_OPERATION)

  • if ((op = cupsdFindPolicyOp(pol, IPP_VALIDATE_JOB)) == NULL ||

  • op->op == IPP_ANY_OPERATION)
    {

  • /*
    
  •  \* Add a new limit for Validate-Job using the Print-Job limit as a
    
  •  \* template...
    
  •  */
    
  •  if ((op = cupsdFindPolicyOp(pol, IPP_PRINT_JOB)) != NULL &&
    
  • op->op != IPP_ANY_OPERATION)
    
  •  {
    
  •   /*
    
  • * Add a new limit for Validate-Job using the Print-Job limit as a

  • * template...

  • */

  •  cupsdLogMessage(CUPSD_LOG_WARN,
    
  •         "No limit for Validate-Job defined in policy %s "
    
  •         "- using Print-Job's policy.", pol->name);
    
  • cupsdLogMessage(CUPSD_LOG_WARN, "No limit for Validate-Job defined in policy %s - using Print-Job's policy.", pol->name);

  •  cupsdAddPolicyOp(pol, op, IPP_VALIDATE_JOB);
    
  • cupsdAddPolicyOp(pol, op, IPP_VALIDATE_JOB);

  •  }
    
  •  else
    
  • cupsdLogMessage(CUPSD_LOG_WARN, "No limit for Validate-Job defined in policy %s and no suitable template found.", pol->name);
    }

  • else

  •  cupsdLogMessage(CUPSD_LOG_WARN,
    
  •         "No limit for Validate-Job defined in policy %s "
    
  •         "and no suitable template found.", pol->name);
    
  • }

  • if ((op = cupsdFindPolicyOp(pol, IPP_CANCEL_JOBS)) == NULL ||

  •  op->op == IPP_ANY_OPERATION)
    
  • {

  • if ((op = cupsdFindPolicyOp(pol, IPP_PAUSE_PRINTER)) != NULL &&

  • op->op != IPP_ANY_OPERATION)

  • if ((op = cupsdFindPolicyOp(pol, IPP_CANCEL_JOBS)) == NULL ||

  • op->op == IPP_ANY_OPERATION)
    {

  • /*
    
  •  \* Add a new limit for Cancel-Jobs using the Pause-Printer limit as a
    
  •  \* template...
    
  •  */
    
  •  if ((op = cupsdFindPolicyOp(pol, IPP_PAUSE_PRINTER)) != NULL &&
    
  • op->op != IPP_ANY_OPERATION)
    
  •  {
    
  •   /*
    
  • * Add a new limit for Cancel-Jobs using the Pause-Printer limit as a

  • * template...

  • */

  •  cupsdLogMessage(CUPSD_LOG_WARN,
    
  •         "No limit for Cancel-Jobs defined in policy %s "
    
  •         "- using Pause-Printer's policy.", pol->name);
    
  • cupsdLogMessage(CUPSD_LOG_WARN, "No limit for Cancel-Jobs defined in policy %s - using Pause-Printer's policy.", pol->name);

  •  cupsdAddPolicyOp(pol, op, IPP_CANCEL_JOBS);
    
  • cupsdAddPolicyOp(pol, op, IPP_CANCEL_JOBS);

  •  }
    
  •  else
    
  • cupsdLogMessage(CUPSD_LOG_WARN, "No limit for Cancel-Jobs defined in policy %s and no suitable template found.", pol->name);
    }

  • else

  •  cupsdLogMessage(CUPSD_LOG_WARN,
    
  •         "No limit for Cancel-Jobs defined in policy %s "
    
  •         "and no suitable template found.", pol->name);
    
  • }

  • if ((op = cupsdFindPolicyOp(pol, IPP_CANCEL_MY_JOBS)) == NULL ||

  •  op->op == IPP_ANY_OPERATION)
    
  • {

  • if ((op = cupsdFindPolicyOp(pol, IPP_SEND_DOCUMENT)) != NULL &&

  • op->op != IPP_ANY_OPERATION)

  • if ((op = cupsdFindPolicyOp(pol, IPP_CANCEL_MY_JOBS)) == NULL ||

  • op->op == IPP_ANY_OPERATION)
    {

  • /*
    
  •  \* Add a new limit for Cancel-My-Jobs using the Send-Document limit as
    
  •  \* a template...
    
  •  */
    
  •  if ((op = cupsdFindPolicyOp(pol, IPP_SEND_DOCUMENT)) != NULL &&
    
  • op->op != IPP_ANY_OPERATION)
    
  •  {
    
  •   /*
    
  • * Add a new limit for Cancel-My-Jobs using the Send-Document limit as

  • * a template...

  • */

  •  cupsdLogMessage(CUPSD_LOG_WARN,
    
  •         "No limit for Cancel-My-Jobs defined in policy %s "
    
  •         "- using Send-Document's policy.", pol->name);
    
  • cupsdLogMessage(CUPSD_LOG_WARN, "No limit for Cancel-My-Jobs defined in policy %s - using Send-Document's policy.", pol->name);

  •  cupsdAddPolicyOp(pol, op, IPP_CANCEL_MY_JOBS);
    
  • cupsdAddPolicyOp(pol, op, IPP_CANCEL_MY_JOBS);

  •  }
    
  •  else
    
  • cupsdLogMessage(CUPSD_LOG_WARN, "No limit for Cancel-My-Jobs defined in policy %s and no suitable template found.", pol->name);
    }

  • else

  •  cupsdLogMessage(CUPSD_LOG_WARN,
    
  •         "No limit for Cancel-My-Jobs defined in policy %s "
    
  •         "and no suitable template found.", pol->name);
    
  • }

  • if ((op = cupsdFindPolicyOp(pol, IPP_CLOSE_JOB)) == NULL ||

  •  op->op == IPP_ANY_OPERATION)
    
  • {

  • if ((op = cupsdFindPolicyOp(pol, IPP_SEND_DOCUMENT)) != NULL &&

  • op->op != IPP_ANY_OPERATION)

  • if ((op = cupsdFindPolicyOp(pol, IPP_CLOSE_JOB)) == NULL ||

  • op->op == IPP_ANY_OPERATION)
    {

  • /*
    
  •  \* Add a new limit for Close-Job using the Send-Document limit as a
    
  •  \* template...
    
  •  */
    
  •  if ((op = cupsdFindPolicyOp(pol, IPP_SEND_DOCUMENT)) != NULL &&
    
  • op->op != IPP_ANY_OPERATION)
    
  •  {
    
  •   /*
    
  • * Add a new limit for Close-Job using the Send-Document limit as a

  • * template...

  • */

  •  cupsdLogMessage(CUPSD_LOG_WARN,
    
  •         "No limit for Close-Job defined in policy %s "
    
  •         "- using Send-Document's policy.", pol->name);
    
  • cupsdLogMessage(CUPSD_LOG_WARN, "No limit for Close-Job defined in policy %s - using Send-Document's policy.", pol->name);

  •  cupsdAddPolicyOp(pol, op, IPP_CLOSE_JOB);
    
  • cupsdAddPolicyOp(pol, op, IPP_CLOSE_JOB);

  •  }
    
  •  else
    
  • cupsdLogMessage(CUPSD_LOG_WARN, "No limit for Close-Job defined in policy %s and no suitable template found.", pol->name);
    }

  • else

  •  cupsdLogMessage(CUPSD_LOG_WARN,
    
  •         "No limit for Close-Job defined in policy %s "
    
  •         "and no suitable template found.", pol->name);
    
  • }

  • if ((op = cupsdFindPolicyOp(pol, CUPS_GET_DOCUMENT)) == NULL ||

  •  op->op == IPP_ANY_OPERATION)
    
  • {

  • if ((op = cupsdFindPolicyOp(pol, IPP_SEND_DOCUMENT)) != NULL &&

  • op->op != IPP_ANY_OPERATION)

  • if ((op = cupsdFindPolicyOp(pol, CUPS_GET_DOCUMENT)) == NULL ||

  • op->op == IPP_ANY_OPERATION)
    {

  • /*
    
  •  \* Add a new limit for CUPS-Get-Document using the Send-Document
    
  •  \* limit as a template...
    
  •  */
    
  •  if ((op = cupsdFindPolicyOp(pol, IPP_SEND_DOCUMENT)) != NULL &&
    
  • op->op != IPP_ANY_OPERATION)
    
  •  {
    
  •   /*
    
  • * Add a new limit for CUPS-Get-Document using the Send-Document

  • * limit as a template...

  • */

  •  cupsdLogMessage(CUPSD_LOG_WARN,
    
  •         "No limit for CUPS-Get-Document defined in policy %s "
    
  •         "- using Send-Document's policy.", pol->name);
    
  • cupsdLogMessage(CUPSD_LOG_WARN, "No limit for CUPS-Get-Document defined in policy %s - using Send-Document's policy.", pol->name);

  •  cupsdAddPolicyOp(pol, op, CUPS_GET_DOCUMENT);
    
  • cupsdAddPolicyOp(pol, op, CUPS_GET_DOCUMENT);

  •  }
    
  •  else
    
  • cupsdLogMessage(CUPSD_LOG_WARN, "No limit for CUPS-Get-Document defined in policy %s and no suitable template found.", pol->name);
    }

  • else

  •  cupsdLogMessage(CUPSD_LOG_WARN,
    
  •         "No limit for CUPS-Get-Document defined in policy %s "
    
  •         "and no suitable template found.", pol->name);
    

    }

    /*
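Review bot: The new guard `if (cupsArrayCount(pol->ops) > 1)` at the top of this hunk tests how many operations the policy has, not whether its only entry is `IPP_ANY_OPERATION`, so a policy whose single limit names one specific operation also skips all five checks, including the template copy via `cupsdAddPolicyOp` and the "no suitable template found" warnings. Since the block comment says these checks exist so that upgrades do not introduce new security issues, consider skipping them only when the sole entry has `op->op == IPP_ANY_OPERATION`, and extend that comment to say why a lone "Limit All" policy is exempt.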
    @@ -4228,18 +4213,14 @@

    if (!pol->job_access)
    {

  • cupsdLogMessage(CUPSD_LOG_WARN,

  •       "No JobPrivateAccess defined in policy %s "
    
  •       "- using defaults.", pol->name);
    
  • cupsdLogMessage(CUPSD_LOG_WARN, "No JobPrivateAccess defined in policy %s - using defaults.", pol->name);
    cupsdAddString(&(pol->job_access), "@owner");
    cupsdAddString(&(pol->job_access), "@System");
    }

if (!pol->job_attrs)
{

  • cupsdLogMessage(CUPSD_LOG_WARN,
  •       "No JobPrivateValues defined in policy %s "
    
  •       "- using defaults.", pol->name);
    
  • cupsdLogMessage(CUPSD_LOG_WARN, "No JobPrivateValues defined in policy %s - using defaults.", pol->name);
    cupsdAddString(&(pol->job_attrs), "job-name");
    cupsdAddString(&(pol->job_attrs), "job-originating-host-name");
    cupsdAddString(&(pol->job_attrs), "job-originating-user-name");
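Review bot: Split the `cupsdLogMessage` reflow for JobPrivateAccess and JobPrivateValues out of this patch. The visible change here only joins each format string onto one line; the message text and the `@owner`/`@System` defaults are unchanged, and the same reflow repeats in the following hunk for the Subscription settings. Keeping whitespace-only edits in a separate commit leaves the security-relevant change to the policy checks small enough to audit on its own.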
    @@ -4248,18 +4229,14 @@

if (!pol->sub_access)
{

  • cupsdLogMessage(CUPSD_LOG_WARN,
  •       "No SubscriptionPrivateAccess defined in policy %s "
    
  •       "- using defaults.", pol->name);
    
  • cupsdLogMessage(CUPSD_LOG_WARN, "No SubscriptionPrivateAccess defined in policy %s - using defaults.", pol->name);
    cupsdAddString(&(pol->sub_access), "@owner");
    cupsdAddString(&(pol->sub_access), "@System");
    }

if (!pol->sub_attrs)
{

  • cupsdLogMessage(CUPSD_LOG_WARN,
  •       "No SubscriptionPrivateValues defined in policy %s "
    
  •       "- using defaults.", pol->name);
    
  • cupsdLogMessage(CUPSD_LOG_WARN, "No SubscriptionPrivateValues defined in policy %s - using defaults.", pol->name);
    cupsdAddString(&(pol->sub_attrs), "notify-events");
    cupsdAddString(&(pol->sub_attrs), "notify-pull-method");
    cupsdAddString(&(pol->sub_attrs), "notify-recipient-uri");
