Add "kerberos" policy for Kerberized printing support (standard on macOS for a
[thirdparty/cups.git] / conf / cupsd.conf.in
index 2c87fdf1a6532871e55b63e9907744297d6528c5..ab37ca68c7f823c5f703a3279dbdfe5b950dd73a 100644 (file)
@@ -6,6 +6,7 @@
 # Log general information in error_log - change "@CUPS_LOG_LEVEL@" to "debug"
 # for troubleshooting...
 LogLevel @CUPS_LOG_LEVEL@
+@CUPS_PAGE_LOG_FORMAT@
 
 # Only listen for connections from the local machine.
 Listen localhost:@DEFAULT_IPP_PORT@
@@ -38,6 +39,13 @@ WebInterface @CUPS_WEBIF@
   Order allow,deny
 </Location>
 
+# Restrict access to log files...
+<Location /admin/log>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
+</Location>
+
 # Set the default printer/job policies...
 <Policy default>
   # Job/subscription privacy...
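Review bot: The comment on the new `<Location /admin/log>` block says only that access is restricted, not to whom or why, which matters because the logs can hold user names, job titles and client addresses. I would expand it to something like `# Restrict log file access to authenticated members of the system group; logs can contain user names and job titles...`. `AuthType Default` takes its scheme from `DefaultAuthType`, which is set outside this hunk, so confirm that the scheme in effect is the one intended for log access. The block has no `Allow` lines under `Order allow,deny`, matching the tail of the preceding `<Location>` visible in the context, so remote access presumably stays denied unless an administrator adds one.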
@@ -126,3 +134,49 @@ WebInterface @CUPS_WEBIF@
     Order deny,allow
   </Limit>
 </Policy>
+
+# Set the kerberized printer/job policies...
+<Policy kerberos>
+  # Job/subscription privacy...
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+
+  # Job-related operations must be done by the owner or an administrator...
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    AuthType Negotiate
+    Order deny,allow
+  </Limit>
+
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    AuthType Negotiate
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All administration operations require an administrator to authenticate...
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All printer operations require a printer operator to authenticate...
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @CUPS_DEFAULT_PRINTOPERATOR_AUTH@
+    Order deny,allow
+  </Limit>
+
+  # Only the owner or an administrator can cancel or authenticate a job...
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    AuthType Negotiate
+    Require user @OWNER @CUPS_DEFAULT_PRINTOPERATOR_AUTH@
+    Order deny,allow
+  </Limit>
+
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
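Review bot: The comment `# Job-related operations must be done by the owner or an administrator...` sits directly above `<Limit Create-Job Print-Job Print-URI Validate-Job>`, which sets `AuthType Negotiate` but has no `Require` line, so it does not describe that block. As far as I can tell, any client that completes Negotiate authentication may submit jobs there, and the owner/administrator restriction only begins with the following `Send-Document ...` Limit. I would add `# Job submission requires Kerberos authentication (any valid user)...` above the first Limit and move the existing comment down to the second. The administration and printer-operator Limits use `AuthType Default` rather than `Negotiate`, so in this policy they follow `DefaultAuthType`; if that is intentional, a one-line comment such as `# Administrative operations use the server's default authentication, not Kerberos...` would prevent a reader from assuming the whole policy is Kerberos-only.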