Add /admin/log section to cupsd.conf so that remote admin also controls remote

access to the log files (<rdar://problem/23134415>)

git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@12938 a1ca3aef-8c08-0410-bb20-df032aa958be

diff --git a/CHANGES-2.1.txt b/CHANGES-2.1.txt
index 443557ad5c9a27d13239eb41ea98a43678a25182..80fb00333fa96ab720062648b5241d43bab4739b 100644 (file)
--- a/CHANGES-2.1.txt
+++ b/CHANGES-2.1.txt
@@ -9,7 +9,7 @@ CHANGES IN CUPS V2.1.1
          <rdar://problem/23133393>, <rdar://problem/23133466>,
          <rdar://problem/23133833>, <rdar://problem/23133998>,
          <rdar://problem/23134228>, <rdar://problem/23134299>,
-         <rdar://problem/23134356>)
+         <rdar://problem/23134356>, <rdar://problem/23134415>)
        - The cupsGetPPD* functions did not work with IPP printers (STR #4725)
        - Some older HP LaserJet printers need a delayed close when printing
          using the libusb-based USB backend (STR #4549)

diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
index e17601446d343b72632e9189d0b96243b51f7227..2fd0de0c3e3ac3ebdeefb27125c4e4c7a1ef72e1 100644 (file)
--- a/conf/cupsd.conf.in
+++ b/conf/cupsd.conf.in
@@ -39,6 +39,13 @@ WebInterface @CUPS_WEBIF@
   Order allow,deny
 </Location>
 
+# Restrict access to log files...
+<Location /admin/log>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
+</Location>
+
 # Set the default printer/job policies...
 <Policy default>
   # Job/subscription privacy...

diff --git a/cups/adminutil.c b/cups/adminutil.c
index 5a7dea0924afb2a8404722b13fe28c6a258224ad..424c02b4ca004b37e50be4ae9cdba9737dcd1ea6 100644 (file)
--- a/cups/adminutil.c
+++ b/cups/adminutil.c
@@ -3,7 +3,7 @@
  *
  * Administration utility API definitions for CUPS.
  *
- * Copyright 2007-2014 by Apple Inc.
+ * Copyright 2007-2015 by Apple Inc.
  * Copyright 2001-2007 by Easy Software Products.
  *
  * These coded instructions, statements, and computer programs are the
@@ -1175,6 +1175,7 @@ cupsAdminSetServerSettings(
                in_cancel_job,          /* In a cancel-job section? */
                in_admin_location,      /* In the /admin location? */
                in_conf_location,       /* In the /admin/conf location? */
+               in_log_location,        /* In the /admin/log location? */
                in_root_location;       /* In the / location? */
   const char   *val;                   /* Setting value */
   int          share_printers,         /* Share local printers */
@@ -1188,6 +1189,7 @@ cupsAdminSetServerSettings(
                wrote_loglevel,         /* Wrote the LogLevel line? */
                wrote_admin_location,   /* Wrote the /admin location? */
                wrote_conf_location,    /* Wrote the /admin/conf location? */
+               wrote_log_location,     /* Wrote the /admin/log location? */
                wrote_root_location;    /* Wrote the / location? */
   int          indent;                 /* Indentation */
   int          cupsd_num_settings;     /* New number of settings */
@@ -1401,12 +1403,14 @@ cupsAdminSetServerSettings(
   in_conf_location     = 0;
   in_default_policy    = 0;
   in_location          = 0;
+  in_log_location      = 0;
   in_policy            = 0;
   in_root_location     = 0;
   linenum              = 0;
   wrote_admin_location = 0;
   wrote_browsing       = 0;
   wrote_conf_location  = 0;
+  wrote_log_location   = 0;
   wrote_loglevel       = 0;
   wrote_policy         = 0;
   wrote_port_listen    = 0;
@@ -1550,8 +1554,10 @@ cupsAdminSetServerSettings(
       indent += 2;
       if (!strcmp(value, "/admin"))
        in_admin_location = 1;
-      if (!strcmp(value, "/admin/conf"))
+      else if (!strcmp(value, "/admin/conf"))
        in_conf_location = 1;
+      else if (!strcmp(value, "/admin/log"))
+       in_log_location = 1;
       else if (!strcmp(value, "/"))
        in_root_location = 1;
 
@@ -1593,6 +1599,23 @@ cupsAdminSetServerSettings(
          cupsFilePrintf(temp, "  Allow %s\n",
                         remote_any > 0 ? "all" : "@LOCAL");
       }
+      else if (in_log_location && remote_admin >= 0)
+      {
+       wrote_log_location = 1;
+
+       if (remote_admin)
+          cupsFilePuts(temp, "  # Allow remote access to the log "
+                            "files...\n");
+       else
+          cupsFilePuts(temp, "  # Restrict access to the log "
+                            "files...\n");
+
+        cupsFilePuts(temp, "  Order allow,deny\n");
+
+       if (remote_admin)
+         cupsFilePrintf(temp, "  Allow %s\n",
+                        remote_any > 0 ? "all" : "@LOCAL");
+      }
       else if (in_root_location &&
                (remote_admin >= 0 || remote_any > 0 || share_printers >= 0))
       {
@@ -1619,6 +1642,7 @@ cupsAdminSetServerSettings(
 
       in_admin_location = 0;
       in_conf_location  = 0;
+      in_log_location   = 0;
       in_root_location  = 0;
 
       cupsFilePuts(temp, "</Location>\n");
@@ -1867,6 +1891,25 @@ cupsAdminSetServerSettings(
     cupsFilePuts(temp, "</Location>\n");
   }
 
+  if (!wrote_log_location && remote_admin >= 0)
+  {
+    if (remote_admin)
+      cupsFilePuts(temp,
+                   "# Allow remote access to the log files...\n");
+    else
+      cupsFilePuts(temp, "# Restrict access to the log files...\n");
+
+    cupsFilePuts(temp, "<Location /admin/log>\n"
+                       "  AuthType Default\n"
+                       "  Require user @SYSTEM\n"
+                       "  Order allow,deny\n");
+
+    if (remote_admin)
+      cupsFilePrintf(temp, "  Allow %s\n", remote_any > 0 ? "all" : "@LOCAL");
+
+    cupsFilePuts(temp, "</Location>\n");
+  }
+
   if (!wrote_policy && user_cancel_any >= 0)
   {
     cupsFilePuts(temp, "<Policy default>\n"