Michael R Sweet [Sat, 6 Mar 2021 13:21:59 +0000 (08:21 -0500)]
Modernize cups-defaults configure sources.
Remove (long deprecated and not even working since 2.0) LPDConfigFile and
SMBConfigFile directives, along with "LPD" and "SMB" browsing protocols.
(LPD and SMB continue to work through their respective programs)
Till Kamppeter [Fri, 5 Mar 2021 14:50:14 +0000 (15:50 +0100)]
scheduler: Admin task check: Code improvements
Several improvements on the client Snap status check code after review
by the snapd developer who created the facility:
- Create snapctl argument arrays without dynamic variables
- Removed unneeded NULL checks from Glib-based memory freeing
- Do not check stderr output of snapd_client_run_snapctl2_sync(), not
needed in our case
- Use a switch statement for the treatment of the 4 possible snapctl results
In addition, do not use g_clear_object() for the GPtrArray plugs, it must
be g_ptr_array_unref() here.
removing the '=' between "--apparmor-label" and "AA_CONTEXT" to make
these two separate arguments and so avoid the need to concatenate the
strings in a buffer.
Did the same with the arguments for the
snapd_client_run_snapctl2_sync() function call.
Michael R Sweet [Thu, 4 Mar 2021 14:37:28 +0000 (09:37 -0500)]
Work on modernizing autoconf source files and the build system:
- Adopt non-deprecated autoconf macros, wrap shell "if" and "case" statements
with AS_IF and AS_CASE macros.
- Remove strings.h and bstring.h checks since they are not needed for modern
OS's.
- Rename cups-ssl.m4 to cups-tls.m4 (TLS support, not SSL support)
Till Kamppeter [Thu, 4 Mar 2021 14:27:59 +0000 (15:27 +0100)]
scheduler: Admin task check: Support to use libsnapd-glib instead of snapctl
When CUPS is running in a Snap the scheduler checks client Snaps
requesting administrative tasks calling the external executable
"snapctl" which does not scale well on many inquiries in parallel.
Therefore we use an equivalent library function of libsnapd-glib,
snapd_client_run_snapctl2_sync() instead, at least if the
libsnapd-glib is new enough to already contain this function, which we
check during build, by the ./configure script. If the function is not
available we automatically fall back to a build using the "snapctl"
utility.
Till Kamppeter [Tue, 2 Mar 2021 19:29:41 +0000 (20:29 +0100)]
scheduler: Added remaining changes needed to run CUPS as a Snap
cupsd has a lot of functionality, especially for security, which does
not work under the confinement of a Snap. So these features need to
get removed or modified when CUPS is intended to get snapped, but
removing them does not necessarily weaken the security of the whole
thing, as the confinement of the Snap adds security replacing the one
removed from CUPS itself.
Most importantly a Snap cannot create several system groups and users.
Instead, it has a single unprivileged system user and a single
unprivileged system group, both named "snap_daemon". These are
replacing "lp" for running print jobs and filters, for administration
the user is root and as group first "lpadmin" and then "adm" is tried
and used if the host system has such a group. In all cases "root" is
also an admin group.
In addition, file ACLs do not work inside a Snap and the PATH and
LD_LIBRARY_PATH environment variables of the Snap are passed on to the
executables started by CUPS, so that they find their files and
libraries on the Snap-specific places.
Both the scheduler and the debugging tool cupsfilter are appropriately
modified.
This commit contains all changes to make the scheduler work under
these conditions, but to not compromise the security of an unsnapped
build of CUPS, conditional compiling is used. The changes are only
applied if the "--enable-snapped-cupsd" ./configure option is
used. Also the checking whether a client Snap doing administrative
tasks plugs "cups-control" (my previous commit) is then
active. "--enable-snapped-clients" is still available to do only the
client checking with an unsnapped scheduler.
All these changes got tested as packaging patches in both the CUPS
Snap and the Debian/Ubuntu package of CUPS.
Note that this commit is not containing the changes on the
(machine-generated) ./configure script and so will not pass the CI
tests. An additional commit with an autoconf rebuild of ./configure is
needed.
Till Kamppeter [Mon, 1 Mar 2021 17:26:43 +0000 (18:26 +0100)]
scheduler: Added extra check for administrative tasks from Snaps
Let the scheduler check whether an administrative request
(create/modify print queue, delete someone else's jobs, ...) from a
client is from a fully confined Snap and then only grant access if the
client Snap plugs "cups-control". If client Snap plugs "cups" instead
it can only print, check status, or remove the caller's own jobs. For
requests from classically confined Snaps or unsnapped clients access
is always granted.
This is to protect arbitrary Snaps from the Snap Store to do
administrative CUPS tasks. The Snap Store allows automatic connection
only of the "cups" interface, not of the cups-control interface.
This facility is optional, to be activated by configure options,
"--enable-snapped-clients" for unsnapped CUPS and
"--enable-snapped-cupsd" when CUPS itself is also in a Snap. The
former accesses the needed information about the client using
libsnapd-glib (which cannot be used from within a Snap) and the latter
uses the "snapctl" utility (which only works from within a Snap). In
both cases also libapparmor is needed to determine whether the client
is actually a Snap.
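The admin-request decision described in this commit, and the switch over the four snapctl results mentioned in the later "Code improvements" commit, as an added example that is not code from CUPS. The function names are hypothetical, the labels are constructed, and the exit statuses 0/1/10/11 for "snapctl is-connected --apparmor-label" are assumed from the snapctl help text; refusing on a missing or malformed label is this example's choice.

```c
#include <stdio.h>
#include <string.h>

/* Exit statuses of "snapctl is-connected" (assumed, not listed on this page). */
enum { SNAPCTL_CONNECTED = 0, SNAPCTL_NOT_CONNECTED = 1,
       SNAPCTL_CLASSIC = 10, SNAPCTL_NOT_A_SNAP = 11 };

/* Parse an AppArmor label "snap.<name>.<app>": 1 = snap label (name copied),
   0 = not a snap label, -1 = missing or malformed label. */
int snap_name_from_label(const char *label, char *name, size_t size)
{
  const char *start, *end;
  if (!label || !name || size == 0)
    return -1;
  if (strncmp(label, "snap.", 5) != 0)
    return 0;
  start = label + 5;
  end = strchr(start, '.');
  if (!end || end == start || end[1] == '\0' || (size_t)(end - start) >= size)
    return -1;
  memcpy(name, start, (size_t)(end - start));
  name[end - start] = '\0';
  return 1;
}

/* Return 1 to grant an administrative request, 0 to refuse it. */
int admin_request_allowed(const char *peer_label, int snapctl_status)
{
  char name[64];
  int kind = snap_name_from_label(peer_label, name, sizeof(name));
  if (kind == 0)
    return 1;                   /* unsnapped client: always granted */
  if (kind < 0)
    return 0;                   /* peer cannot be identified: refuse */
  switch (snapctl_status) {
    case SNAPCTL_CONNECTED:     /* confined snap that plugs cups-control */
    case SNAPCTL_CLASSIC:       /* classically confined snap */
    case SNAPCTL_NOT_A_SNAP:    /* snapd reports the peer is not a snap */
      return 1;
    case SNAPCTL_NOT_CONNECTED: /* only "cups" plugged: no admin tasks */
    default:                    /* unexpected status: refuse */
      return 0;
  }
}

int main(void)
{
  printf("%d %d\n", admin_request_allowed("snap.demo.app", 1), admin_request_allowed("unconfined", 1));
  return 0;
}
```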
Michael R Sweet [Mon, 1 Mar 2021 12:26:58 +0000 (07:26 -0500)]
Update testlang to test all locales (Issue #85)
Also refactored the locale test code into a separate function, updated the
output to be consistent with the other unit tests, and split out the macOS
language identifier tests. Still need to move the PPD tests to the testppd
program.
Michael R Sweet [Mon, 1 Mar 2021 02:26:26 +0000 (21:26 -0500)]
Update man pages and other documentation.
- man/*: Point to OpenPrinting, add OpenPrinting copyright, update dates and
URLS.
- doc/help/cupspm.*: Add array, dir, file, and raster APIs to reference
material.
- doc/help/api-raster.html: Drop now that this content is in the CUPS PM.
(still need to move the examples to the PM)
- Rebuild all HTML documentation using the current codedoc and mantohtml.
Michael R Sweet [Wed, 24 Feb 2021 13:47:24 +0000 (08:47 -0500)]
Update other plain-text documentation to point to OpenPrinting.
CHANGES.md:
- Add release date, next release is 2.4rc1, per CMP.
CONTRIBUTING.md:
- No more Apple contribution agreement.
CREDITS.md:
- Direct corrections to Github issue tracker instead of my old EMail.
DEVELOPING.md:
- Relax C99/C++ comment prohibition.
- Update file naming standard (no more 16 character limit, but specify the
allowed characters)
- Update examples to show the use of // comments and new copyright notice.
- Note that some markdown can be used in comments.