parent
a3ed52df9d
commit
54992e0f93
@ -0,0 +1,31 @@
|
||||
From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001
|
||||
From: Michael R Sweet <michael.r.sweet@gmail.com>
|
||||
Date: Tue, 6 Dec 2022 09:04:01 -0500
|
||||
Subject: [PATCH] Require authentication for CUPS-Get-Document.
|
||||
|
||||
---
|
||||
conf/cupsd.conf.in | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
|
||||
index b25884907..a07536f3e 100644
|
||||
--- a/conf/cupsd.conf.in
|
||||
+++ b/conf/cupsd.conf.in
|
||||
@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
|
||||
- <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
|
||||
+ <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
|
||||
+ Require user @OWNER @SYSTEM
|
||||
+ Order deny,allow
|
||||
+ </Limit>
|
||||
+
|
||||
+ <Limit CUPS-Get-Document>
|
||||
+ AuthType Default
|
||||
Require user @OWNER @SYSTEM
|
||||
Order deny,allow
|
||||
</Limit>
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,171 @@
|
||||
@PYTHON_SHEBANG@
|
||||
|
||||
"""
|
||||
Upgrade script to enable authentication for CUPS-Get-Document in
|
||||
default policy
|
||||
"""
|
||||
|
||||
import os
|
||||
import sys
|
||||
from shutil import copy
|
||||
|
||||
|
||||
def get_cupsd_conf():
|
||||
"""
|
||||
Get all lines from cupsd.conf
|
||||
"""
|
||||
if not os.path.exists('/etc/cups/cupsd.conf'):
|
||||
return None
|
||||
|
||||
lines = []
|
||||
with open('/etc/cups/cupsd.conf', 'r') as conf:
|
||||
lines = conf.readlines()
|
||||
|
||||
return lines
|
||||
|
||||
|
||||
def get_default_policy(lines):
|
||||
"""
|
||||
Get the default policy lines
|
||||
|
||||
:param list lines: lines from cupsd.conf
|
||||
"""
|
||||
default_policy = []
|
||||
in_policy = False
|
||||
|
||||
for line in lines:
|
||||
if not in_policy and not line.lstrip().startswith('<Policy default>'):
|
||||
continue
|
||||
|
||||
default_policy.append(line)
|
||||
|
||||
if line.lstrip().startswith('</Policy>'):
|
||||
return default_policy
|
||||
|
||||
in_policy = True
|
||||
|
||||
return default_policy
|
||||
|
||||
|
||||
def get_limit_with_document(lines):
|
||||
"""
|
||||
Get <Limit> scope which defines CUPS-Get-Document operation
|
||||
|
||||
:param list lines: Lines containing the default policy
|
||||
"""
|
||||
limit = []
|
||||
in_limit = False
|
||||
|
||||
for line in lines:
|
||||
if not in_limit and not line.lstrip().startswith('<Limit'):
|
||||
continue
|
||||
|
||||
if (not in_limit and line.lstrip().startswith('<Limit') and
|
||||
not 'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]):
|
||||
continue
|
||||
|
||||
limit.append(line)
|
||||
|
||||
if line.lstrip().startswith('</Limit>'):
|
||||
return limit
|
||||
|
||||
in_limit = True
|
||||
|
||||
return limit
|
||||
|
||||
|
||||
def check_for_authtype(lines):
|
||||
"""
|
||||
Check if <Limit> defining CUPS-Get-Document defines
|
||||
any authentication
|
||||
|
||||
:param list lines: Lines of <Limit> scope which defines CUPS-Get-Document
|
||||
"""
|
||||
for line in lines:
|
||||
if line.lstrip().startswith('AuthType'):
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
def migrate_cupsd_conf(lines):
|
||||
"""
|
||||
Make changes to cupsd.conf contents to use authentication
|
||||
for CUPS-Get-Document
|
||||
|
||||
:param list lines: Lines from cupsd.conf
|
||||
"""
|
||||
new_lines = []
|
||||
in_policy = False
|
||||
create_document_limit = False
|
||||
|
||||
for line in lines:
|
||||
if (in_policy and line.lstrip().startswith('<Limit') and
|
||||
not line.lstrip().startswith('<Limit CUPS-Get-Document>') and
|
||||
'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]):
|
||||
line = line.replace(' CUPS-Get-Document', '')
|
||||
create_document_limit = True
|
||||
|
||||
if in_policy and line.lstrip().startswith('</Policy>') and create_document_limit:
|
||||
new_lines.append('\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||
'# added during upgrade\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||
'<Limit CUPS-Get-Document>\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
|
||||
'AuthType Default\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
|
||||
'Require user @OWNER @SYSTEM\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
|
||||
'Order deny,allow\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||
'</Limit>\n')
|
||||
create_document_limit = False
|
||||
|
||||
new_lines.append(line)
|
||||
|
||||
if not in_policy:
|
||||
if line.lstrip().startswith('<Policy default>'):
|
||||
in_policy = True
|
||||
continue
|
||||
|
||||
if line.lstrip().startswith('<Limit CUPS-Get-Document>'):
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||
'# added during upgrade\n')
|
||||
new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
|
||||
'AuthType Default\n')
|
||||
continue
|
||||
|
||||
if line.lstrip().startswith('</Policy>'):
|
||||
in_policy = False
|
||||
continue
|
||||
|
||||
return new_lines
|
||||
|
||||
|
||||
def apply_changes(lines):
|
||||
"""
|
||||
Backup the original file if there is no .rpmsave already and
|
||||
apply changes to the actual cupsd.conf
|
||||
|
||||
:param list lines: New lines for cupsd.conf
|
||||
"""
|
||||
if not os.path.exists('/etc/cups/cupsd.conf.rpmsave'):
|
||||
copy('/etc/cups/cupsd.conf', '/etc/cups/cupsd.conf.rpmsave')
|
||||
|
||||
with open('/etc/cups/cupsd.conf', 'w') as conf:
|
||||
conf.writelines(lines)
|
||||
|
||||
|
||||
|
||||
content = get_cupsd_conf()
|
||||
if content is None:
|
||||
sys.exit(1)
|
||||
|
||||
if check_for_authtype(get_limit_with_document(get_default_policy(content))):
|
||||
sys.exit(0)
|
||||
|
||||
new_content = migrate_cupsd_conf(content)
|
||||
|
||||
apply_changes(new_content)
|
||||
|
||||
sys.exit(0)
|
Loading…
Reference in new issue