<a href="man-backend.html?TOPIC=Man+Pages"><b>backend</b>(7),</a>
<a href="man-classes.conf.html?TOPIC=Man+Pages"><b>classes.conf</b>(5),</a>
<a href="man-cups.html?TOPIC=Man+Pages"><b>cups</b>(1),</a>
-<a href="man-cups-deviced.html?TOPIC=Man+Pages"><b>cups-deviced</b>(8),</a>
-<a href="man-cups-driverd.html?TOPIC=Man+Pages"><b>cups-driverd</b>(8),</a>
+<b>cups-deviced</b>(8),
+<b>cups-driverd</b>(8),
<a href="man-cups-lpd.html?TOPIC=Man+Pages"><b>cups-lpd</b>(8),</a>
<a href="man-cupsd.conf.html?TOPIC=Man+Pages"><b>cupsd.conf</b>(5),</a>
<a href="man-filter.html?TOPIC=Man+Pages"><b>filter</b>(7),</a>
" #\"^/Library/Printers/PPD Plugins/\""
")%s)\n", nodebug);
}
- /* Allow execution of child processes */
- cupsFilePuts(fp, "(allow process-fork)\n");
- cupsFilePrintf(fp,
- "(allow process-exec\n"
- " (regex"
- " #\"^/bin/\"" /* /bin/... */
- " #\"^/usr/bin/\"" /* /usr/bin/... */
- " #\"^/usr/libexec/cups/\"" /* /usr/libexec/cups/... */
- " #\"^/usr/libexec/fax/\"" /* /usr/libexec/fax/... */
- " #\"^/usr/sbin/\"" /* /usr/sbin/... */
- " #\"^%s/\"" /* ServerBin/... */
- " #\"^/Library/Printers/.*/\""
- " #\"^/System/Library/Frameworks/Python.framework/\""
- "))\n",
- bin);
+ /* Allow execution of child processes as long as the programs are not in a user directory */
+ cupsFilePuts(fp, "(allow process*)\n");
+ cupsFilePuts(fp, "(deny process-exec (regex #\"^/Users/\"))\n");
if (RunUser && getenv("CUPS_TESTROOT"))
{
/* Allow source directory access in "make test" environment */
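Review bot: The added `(deny process-exec (regex #\"^/Users/\"))` rule replaces a path allowlist with a single-directory denylist, so filters and backends may now exec anything outside /Users, including binaries in any other location writable to them or to local users. `(allow process*)` is also wider than the old `process-fork` plus scoped `process-exec` pair, since the wildcard covers every process operation. I would keep `cupsFilePuts(fp, "(allow process-fork)\n");` and the removed `(allow process-exec (regex …))` list, adding the directories that were missing from it, rather than inverting the default. If the denylist stays, the comment should state what it assumes, for example `/* Assumes all user-writable executables live under /Users; home directories elsewhere are not covered. */`. The enclosing function starts and ends outside this hunk, so any file-write rules that might offset this are not visible here.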
" (literal \"/usr/sbin/sendmail\")\n"
" (with no-sandbox))\n");
}
+ /* Allow access to Bluetooth, USB, and notify_post. */
+ cupsFilePuts(fp, "(allow iokit*)\n");
+ cupsFilePuts(fp, "(allow distributed-notification-post)\n");
/* Allow outbound networking to local services */
cupsFilePuts(fp, "(allow network-outbound"
"\n (regex #\"^/private/var/run/\" #\"^/private/tmp/\")");
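Review bot: Nothing on the added lines records why their position matters: the `(allow network-outbound` form opened just below is still unclosed when the listener literals are appended, so a rule written after that point would land inside it. Its closing parenthesis is outside this hunk, presumably in the networking branch. A comment on the moved lines such as `/* Must be emitted before the network-outbound form is opened below; that form stays open until it is closed later. */` would keep a later edit from moving them back. Since `(allow iokit*)` is a wildcard grant, the same comment could also note that it is intentionally unconditional for every sandboxed child.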
cupsFilePrintf(fp, "\n (literal \"%s\")", domain);
}
}
- /* Allow access to Bluetooth, USB, and notify_post. */
- cupsFilePuts(fp, "(allow iokit*)\n");
- cupsFilePuts(fp, "(allow distributed-notification-post)\n");
if (allow_networking)
{
/* Allow TCP and UDP networking off the machine... */