From: msweet
Date: Fri, 28 Mar 2014 19:16:05 +0000 (+0000)
Subject: Drop lppasswd and (server-side) Digest authentication (STR #4321)
X-Git-Tag: v2.2b1~679
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e066087949e5ede55a5a8efe7168a8d64f99abc6;p=thirdparty%2Fcups.git

Drop lppasswd and (server-side) Digest authentication (STR #4321)

git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@11776 a1ca3aef-8c08-0410-bb20-df032aa958be
---
diff --git a/CHANGES.txt b/CHANGES.txt index 717e8601cb..f55c9819a9 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -9,6 +9,8 @@ CHANGES IN CUPS V2.0b1 of the CUPS 1.4 sleep support to do a cleaner sleep () - Dropped support for AIX, HP-UX, and OSF/1 (aka Digital UNIX) + - Dropped lppasswd and support for Digest authentication in in the + scheduler (STR #4321) - Adopted Linux man page conventions and updated all man pages (STR #4372) - Added a "--list-filters" option to the cupsfilter command (STR #4325) diff --git a/cups/auth.c b/cups/auth.c index bc4fad6c85..f61def522d 100644 --- a/cups/auth.c +++ b/cups/auth.c @@ -261,7 +261,6 @@ cupsDoAuthentication( char encode[33], /* MD5 buffer */ digest[1024]; /* Digest auth data */ - httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "realm", realm); httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "nonce", nonce); diff --git a/doc/Makefile b/doc/Makefile index 8e64da64a1..db6adad141 100644 --- a/doc/Makefile +++ b/doc/Makefile @@ -83,7 +83,6 @@ HELPFILES = \ help/man-lpinfo.html \ help/man-lpmove.html \ help/man-lpoptions.html \ - help/man-lppasswd.html \ help/man-lpq.html \ help/man-lpr.html \ help/man-lprm.html \ diff --git a/doc/help/man-cupsd.conf.html b/doc/help/man-cupsd.conf.html index 33a92a472b..57ebcd9339 100644 --- a/doc/help/man-cupsd.conf.html +++ b/doc/help/man-cupsd.conf.html @@ -10,58 +10,23 @@

Name

cupsd.conf - server configuration file for cups

Description

-The cupsd.conf file configures the CUPS scheduler, cupsd(8). It -is normally located in the /etc/cups directory. Note: -File, directory, and user configuration directives that used to be allowed in -the cupsd.conf file are now stored in the cups-files.conf(5) instead -in order to prevent certain types of privilege escalation attacks. -

Each line in the file can be a configuration directive, a blank line, -or a comment. Comment lines start with the # character. The -configuration directives are intentionally similar to those used by the -popular Apache web server software and are described below. -

Directives

-The following directives are understood by cupsd(8). Consult the -on-line help for detailed descriptions: +The +cupsd.conf +file configures the CUPS scheduler, +cupsd(8). +It is normally located in the /etc/cups directory. Note: File, directory, and user configuration directives that used to be allowed in the cupsd.conf file are now stored in the cups-files.conf(5) instead in order to prevent certain types of privilege escalation attacks. +

Each line in the file can be a configuration directive, a blank line, or a comment. Comment lines start with the # character. The configuration directives are intentionally similar to those used by the popular Apache web server software and are described below. +

Top-level Directives

+The following directives are understood by +cupsd(8). +Consult the online help (http://localhost:631/help) for detailed descriptions:

AccessLogLevel config

AccessLogLevel actions

AccessLogLevel all
-
Specifies the logging level for the AccessLog file. -

Allow all -
-

Allow none -
-

Allow host.domain.com -
-

Allow *.domain.com -
-

Allow ip-address -
-

Allow ip-address/netmask -
-

Allow ip-address/mm -
-

Allow @IF(name) -
-

Allow @LOCAL -
-
-Allows access from the named hosts or addresses. -

AuthType None -
-

AuthType Basic -
-

AuthType BasicDigest -
-

AuthType Digest -
-

AuthType Negotiate -
-
-Specifies the authentication type (None, Basic, BasicDigest, Digest, Negotiate)

AutoPurgeJobs Yes

AutoPurgeJobs No @@ -69,9 +34,12 @@ Specifies the authentication type (None, Basic, BasicDigest, Digest, Negotiate)
Specifies whether to purge job history data automatically when it is no longer required for quotas. -

BrowseLocalProtocols [All] [DNSSD] -
+

BrowseLocalProtocols [
+All +] [ +DNSSD +] Specifies the protocols to use for local printer sharing.

BrowseWebIF Yes
@@ -98,10 +66,6 @@ Specifies whether to allow users to override the classification of individual print jobs.

DefaultAuthType Basic
-

DefaultAuthType BasicDigest -
-

DefaultAuthType Digest -

DefaultAuthType Negotiate

@@ -112,11 +76,9 @@ Specifies the default type of authentication to use.

DefaultEncryption Required
-
Specifies the type of encryption to use for authenticated requests.

DefaultLanguage locale
-
Specifies the default language to use for text and web content.

DefaultPaperSize Auto
@@ -124,66 +86,30 @@ Specifies the default language to use for text and web content.

DefaultPaperSize sizename
-
Specifies the default paper size for new print queues. "Auto" uses a locale- specific default, while "None" specifies there is no default paper size.

DefaultPolicy policy-name
-
Specifies the default access policy to use.

DefaultShared Yes

DefaultShared No
-
Specifies whether local printers are shared by default. -

Deny all -
-

Deny none -
-

Deny host.domain.com -
-

Deny *.domain.com -
-

Deny ip-address -
-

Deny ip-address/netmask -
-

Deny ip-address/mm -
-

Deny @IF(name) -
-

Deny @LOCAL -
-
-Denies access to the named host or address.

DirtyCleanInterval seconds
-
Specifies the delay for updating of configuration and state files. A value of 0 causes the update to happen as soon as possible, typically within a few milliseconds. -

Encryption IfRequested -
-

Encryption Never -
-

Encryption Required -
-
-Specifies the level of encryption that is required for a particular -location.

FilterLimit limit
-
Specifies the maximum cost of filters that are run concurrently.

FilterNice nice-value
-
Specifies the scheduling priority ("nice" value) of filters that are run to print a job.

GSSServiceName name
-
Specifies the service name when using Kerberos authentication. The default service name is "http".

HostNameLookups On @@ -192,68 +118,38 @@ service name is "http".

HostNameLookups Double
-
Specifies whether or not to do reverse lookups on client addresses.

Include filename
-
Includes the named file.

JobKillDelay seconds
-
Specifies the number of seconds to wait before killing the filters and backend associated with a canceled or held job. -

JobPrivateAccess all -
-

JobPrivateAccess default -
-

JobPrivateAccess {user|@group|@ACL|@OWNER|@SYSTEM}+ -
-
-Specifies an access list for a job's private values. The "default" access list -is "@OWNER @SYSTEM". "@ACL" maps to the printer's requesting-user-name-allowed -or requesting-user-name-denied values. -

JobPrivateValues all -
-

JobPrivateValues default -
-

JobPrivateValues none -
-

JobPrivateValues attribute-name-1 [ ... attribute-name-N ] -
-Specifies the list of job values to make private. The "default" values are -"job-name", "job-originating-host-name", and "job-originating-user-name".

JobRetryInterval seconds
-
Specifies the interval between retries of jobs in seconds.

JobRetryLimit count
-
Specifies the number of retries that are done for jobs.

KeepAlive Yes

KeepAlive No
-
Specifies whether to support HTTP keep-alive connections.

KeepAliveTimeout seconds
-
Specifies the amount of time that connections are kept alive.

<Limit operations> ... </Limit>
-
Specifies the IPP operations that are being limited inside a policy.

<Limit methods> ... </Limit>

<LimitExcept methods> ... </LimitExcept>
-
Specifies the HTTP methods that are being limited inside a location.

LimitRequestBody
-
Specifies the maximum size of any print job request.

Listen ip-address:port
@@ -261,15 +157,12 @@ Specifies the maximum size of any print job request.

Listen /path/to/domain/socket
-
Listens to the specified address and port or domain socket path.

<Location /path> ... </Location>
-
Specifies access control for the named location.

LogDebugHistory #-messages
-
Specifies the number of debugging messages that are logged when an error occurs in a print job.

LogLevel alert @@ -292,97 +185,72 @@ occurs in a print job.

LogLevel warn
-
Specifies the logging level for the ErrorLog file.

LogTimeFormat standard

LogTimeFormat usecs
-
Specifies the format of the date and time in the log files.

MaxClients number
-
Specifies the maximum number of simultaneous clients to support.

MaxClientsPerHost number
-
Specifies the maximum number of simultaneous clients to support from a single address.

MaxCopies number
-
Specifies the maximum number of copies that a user can print of each job.

MaxHoldTime seconds
-
Specifies the maximum time a job may remain in the "indefinite" hold state before it is canceled. Set to 0 to disable cancellation of held jobs.

MaxJobs number
-
Specifies the maximum number of simultaneous jobs to support.

MaxJobsPerPrinter number
-
Specifies the maximum number of simultaneous jobs per printer to support.

MaxJobsPerUser number
-
Specifies the maximum number of simultaneous jobs per user to support.

MaxJobTime seconds
-
Specifies the maximum time a job may take to print before it is canceled. The default is 10800 seconds (3 hours). Set to 0 to disable cancellation of "stuck" jobs.

MaxLogSize number-bytes
-
Specifies the maximum size of the log files before they are rotated (0 to disable rotation)

MaxRequestSize number-bytes
-
Specifies the maximum request/file size in bytes (0 for no limit)

MultipleOperationTimeout seconds
-
Specifies the maximum amount of time to allow between files in a multiple file print job. -

Order allow,deny -
-

Order deny,allow -
-
-Specifies the order of HTTP access control (allow,deny or deny,allow)

PageLogFormat format string
-
Specifies the format of page log lines.

PassEnv variable [... variable]
-
Passes the specified environment variable(s) to child processes.

<Policy name> ... </Policy>
-
Specifies access control for the named policy.

Port number
-
Specifies a port number to listen to for HTTP requests.

PreserveJobFiles Yes

PreserveJobFiles No
-
Specifies whether or not to preserve job files after they are printed.

PreserveJobHistory Yes

PreserveJobHistory No
-
Specifies whether or not to preserve the job history after they are printed.

PrintcapFormat bsd @@ -391,47 +259,32 @@ printed.

PrintcapFormat solaris
-
Specifies the format of the printcap file.

ReloadTimeout seconds
-
Specifies the amount of time to wait for job completion before restarting the scheduler. -

Require group group-name-list -
-

Require user user-name-list -
-

Require valid-user -
-
-Specifies that user or group authentication is required.

RIPCache bytes
-
Specifies the maximum amount of memory to use when converting images and PostScript files to bitmaps for a printer.

Satisfy all

Satisfy any
-
Specifies whether all or any limits set for a Location must be satisfied to allow access.

ServerAdmin user@domain.com
-
Specifies the email address of the server administrator.

ServerAlias hostname [... hostname]

ServerAlias *
-
Specifies an alternate name that the server is known by. The special name "*" allows any name to be used.

ServerName hostname-or-ip-address
-
Specifies the fully-qualified hostname of the server.

ServerTokens Full
@@ -447,35 +300,122 @@ Specifies the fully-qualified hostname of the server.

ServerTokens ProductOnly
-
Specifies what information is included in the Server header of HTTP responses.

SetEnv variable value
-
Set the specified environment variable to be passed to child processes.

SSLListen
-
Listens on the specified address and port for encrypted connections.

SSLPort
-
Listens on the specified port for encrypted connections.

StrictConformance Yes

StrictConformance No
-
Specifies whether the scheduler requires clients to strictly adhere to the IPP specifications. The default is No. +

Timeout seconds +
+Specifies the HTTP request timeout in seconds. +

WebInterface yes +
+

WebInterface no +
+Specifies whether the web interface is enabled. +

Directives Valid Within Location And Limit Sections

+The following directives may be placed inside Location and Limit sections in the cupsd.conf file: +

Allow all +
+

Allow none +
+

Allow host.domain.com +
+

Allow *.domain.com +
+

Allow ip-address +
+

Allow ip-address/netmask +
+

Allow ip-address/mm +
+

Allow @IF(name) +
+

Allow @LOCAL +
+Allows access from the named hosts or addresses. +

AuthType None +
+

AuthType Basic +
+

AuthType Negotiate +
+Specifies the authentication type (None, Basic, or Negotiate) +

Deny all +
+

Deny none +
+

Deny host.domain.com +
+

Deny *.domain.com +
+

Deny ip-address +
+

Deny ip-address/netmask +
+

Deny ip-address/mm +
+

Deny @IF(name) +
+

Deny @LOCAL +
+Denies access to the named host or address. +

Encryption IfRequested +
+

Encryption Never +
+

Encryption Required +
+Specifies the level of encryption that is required for a particular +location. +

Order allow,deny +
+

Order deny,allow +
+Specifies the order of HTTP access control (allow,deny or deny,allow) +

Require group group-name-list +
+

Require user user-name-list +
+

Require valid-user +
+Specifies that user or group authentication is required. +

Directives Valid Within Policy Sections

+The following directives may be placed inside Policy sections in the cupsd.conf file: +

JobPrivateAccess all +
+

JobPrivateAccess default +
+

JobPrivateAccess {user|@group|@ACL|@OWNER|@SYSTEM}+ +
+Specifies an access list for a job's private values. The "default" access list is "@OWNER @SYSTEM". "@ACL" maps to the printer's requesting-user-name-allowed or requesting-user-name-denied values. +

JobPrivateValues all +
+

JobPrivateValues default +
+

JobPrivateValues none +
+

JobPrivateValues attribute-name-1 [ ... attribute-name-N ] +
+Specifies the list of job values to make private. The "default" values are "job-name", "job-originating-host-name", and "job-originating-user-name".

SubscriptionPrivateAccess all

SubscriptionPrivateAccess default

SubscriptionPrivateAccess {user|@group|@ACL|@OWNER|@SYSTEM}+
-
Specifies an access list for a subscription's private values. The "default" access list is "@OWNER @SYSTEM". "@ACL" maps to the printer's requesting-user-name-allowed or requesting-user-name-denied values. @@ -490,23 +430,11 @@ requesting-user-name-allowed or requesting-user-name-denied values. Specifies the list of job values to make private. The "default" values are "notify-events", "notify-pull-method", "notify-recipient-uri", "notify-subscriber-user-name", and "notify-user-data". -

Timeout seconds -
-
-Specifies the HTTP request timeout in seconds. -

WebInterface yes -
-

WebInterface no -
-Specifies whether the web interface is enabled.

See Also

-classes.conf(5), cups-files.conf(5), cupsd(8), -mime.convs(5), mime.types(5), printers.conf(5), -subscriptions.conf(5), -
+classes.conf(5), cups-files.conf(5), cupsd(8), mime.convs(5), mime.types(5), printers.conf(5), subscriptions.conf(5), http://localhost:631/help

Copyright

-Copyright 2007-2013 by Apple Inc. +Copyright © 2007-2014 by Apple Inc. diff --git a/man/cupsd.conf.man.in b/man/cupsd.conf.man.in index aa6754ad6e..363482eac3 100644 --- a/man/cupsd.conf.man.in +++ b/man/cupsd.conf.man.in 
@@ -1,75 +1,40 @@ .\" .\" "$Id$" .\" -.\" cupsd.conf man page for CUPS. +.\" cupsd.conf man page for CUPS. .\" -.\" Copyright 2007-2013 by Apple Inc. -.\" Copyright 1997-2006 by Easy Software Products. +.\" Copyright 2007-2014 by Apple Inc. +.\" Copyright 1997-2006 by Easy Software Products. .\" -.\" These coded instructions, statements, and computer programs are the -.\" property of Apple Inc. and are protected by Federal copyright -.\" law. Distribution and use rights are outlined in the file "LICENSE.txt" -.\" which should have been included with this file. If this file is -.\" file is missing or damaged, see the license at "http://www.cups.org/". +.\" These coded instructions, statements, and computer programs are the +.\" property of Apple Inc. and are protected by Federal copyright +.\" law. Distribution and use rights are outlined in the file "LICENSE.txt" +.\" which should have been included with this file. If this file is +.\" file is missing or damaged, see the license at "http://www.cups.org/". .\" -.TH cupsd.conf 5 "CUPS" "8 July 2013" "Apple Inc." +.TH cupsd.conf 5 "CUPS" "28 March 2014" "Apple Inc." .SH NAME cupsd.conf \- server configuration file for cups .SH DESCRIPTION -The \fIcupsd.conf\fR file configures the CUPS scheduler, \fIcupsd(8)\fR. It -is normally located in the \fI/etc/cups\fR directory. \fBNote:\fR -File, directory, and user configuration directives that used to be allowed in -the \fIcupsd.conf\fR file are now stored in the \fIcups-files.conf(5)\fR instead -in order to prevent certain types of privilege escalation attacks. +The +.I cupsd.conf +file configures the CUPS scheduler, +.BR cupsd (8). +It is normally located in the \fI/etc/cups\fR directory. \fBNote:\fR File, directory, and user configuration directives that used to be allowed in the \fIcupsd.conf\fR file are now stored in the \fIcups-files.conf(5)\fR instead in order to prevent certain types of privilege escalation attacks. 
.LP -Each line in the file can be a configuration directive, a blank line, -or a comment. Comment lines start with the # character. The -configuration directives are intentionally similar to those used by the -popular Apache web server software and are described below. -.SH DIRECTIVES -The following directives are understood by \fIcupsd(8)\fR. Consult the -on-line help for detailed descriptions: +Each line in the file can be a configuration directive, a blank line, or a comment. Comment lines start with the # character. The configuration directives are intentionally similar to those used by the popular Apache web server software and are described below. +.SH TOP-LEVEL DIRECTIVES +The following directives are understood by +.B cupsd (8). +Consult the online help (http://localhost:631/help) for detailed descriptions: .TP 5 AccessLogLevel config .TP 5 AccessLogLevel actions .TP 5 AccessLogLevel all -.br Specifies the logging level for the AccessLog file. .TP 5 -Allow all -.TP 5 -Allow none -.TP 5 -Allow host.domain.com -.TP 5 -Allow *.domain.com -.TP 5 -Allow ip-address -.TP 5 -Allow ip-address/netmask -.TP 5 -Allow ip-address/mm -.TP 5 -Allow @IF(name) -.TP 5 -Allow @LOCAL -.br -Allows access from the named hosts or addresses. -.TP 5 -AuthType None -.TP 5 -AuthType Basic -.TP 5 -AuthType BasicDigest -.TP 5 -AuthType Digest -.TP 5 -AuthType Negotiate -.br -Specifies the authentication type (None, Basic, BasicDigest, Digest, Negotiate) -.TP 5 AutoPurgeJobs Yes .TP 5 AutoPurgeJobs No @@ -77,8 +42,11 @@ AutoPurgeJobs No Specifies whether to purge job history data automatically when it is no longer required for quotas. .TP 5 -BrowseLocalProtocols [All] [DNSSD] -.br +BrowseLocalProtocols [ +.I All +] [ +.I DNSSD +] Specifies the protocols to use for local printer sharing. .TP 5 BrowseWebIF Yes 
@@ -106,10 +74,6 @@ of individual print jobs. .TP 5 DefaultAuthType Basic .TP 5 -DefaultAuthType BasicDigest -.TP 5 -DefaultAuthType Digest -.TP 5 DefaultAuthType Negotiate .br Specifies the default type of authentication to use. @@ -119,11 +83,9 @@ DefaultEncryption Never DefaultEncryption IfRequested .TP 5 DefaultEncryption Required -.br Specifies the type of encryption to use for authenticated requests. .TP 5 DefaultLanguage locale -.br Specifies the default language to use for text and web content. .TP 5 DefaultPaperSize Auto @@ -131,66 +93,30 @@ DefaultPaperSize Auto DefaultPaperSize None .TP 5 DefaultPaperSize sizename -.br Specifies the default paper size for new print queues. "Auto" uses a locale- specific default, while "None" specifies there is no default paper size. .TP 5 DefaultPolicy policy-name -.br Specifies the default access policy to use. .TP 5 DefaultShared Yes .TP 5 DefaultShared No -.br Specifies whether local printers are shared by default. .TP 5 -Deny all -.TP 5 -Deny none -.TP 5 -Deny host.domain.com -.TP 5 -Deny *.domain.com -.TP 5 -Deny ip-address -.TP 5 -Deny ip-address/netmask -.TP 5 -Deny ip-address/mm -.TP 5 -Deny @IF(name) -.TP 5 -Deny @LOCAL -.br -Denies access to the named host or address. -.TP 5 DirtyCleanInterval seconds -.br Specifies the delay for updating of configuration and state files. A value of 0 causes the update to happen as soon as possible, typically within a few milliseconds. .TP 5 -Encryption IfRequested -.TP 5 -Encryption Never -.TP 5 -Encryption Required -.br -Specifies the level of encryption that is required for a particular -location. -.TP 5 FilterLimit limit -.br Specifies the maximum cost of filters that are run concurrently. .TP 5 FilterNice nice-value -.br Specifies the scheduling priority ("nice" value) of filters that are run to print a job. .TP 5 GSSServiceName name -.br Specifies the service name when using Kerberos authentication. The default service name is "http". .TP 5 
@@ -199,68 +125,38 @@ HostNameLookups On HostNameLookups Off .TP 5 HostNameLookups Double -.br Specifies whether or not to do reverse lookups on client addresses. .TP 5 Include filename -.br Includes the named file. .TP 5 JobKillDelay seconds -.br Specifies the number of seconds to wait before killing the filters and backend associated with a canceled or held job. .TP 5 -JobPrivateAccess all -.TP 5 -JobPrivateAccess default -.TP 5 -JobPrivateAccess {user|@group|@ACL|@OWNER|@SYSTEM}+ -.br -Specifies an access list for a job's private values. The "default" access list -is "@OWNER @SYSTEM". "@ACL" maps to the printer's requesting-user-name-allowed -or requesting-user-name-denied values. -.TP 5 -JobPrivateValues all -.TP 5 -JobPrivateValues default -.TP 5 -JobPrivateValues none -.TP 5 -JobPrivateValues attribute-name-1 [ ... attribute-name-N ] -Specifies the list of job values to make private. The "default" values are -"job-name", "job-originating-host-name", and "job-originating-user-name". -.TP 5 JobRetryInterval seconds -.br Specifies the interval between retries of jobs in seconds. .TP 5 JobRetryLimit count -.br Specifies the number of retries that are done for jobs. .TP 5 KeepAlive Yes .TP 5 KeepAlive No -.br Specifies whether to support HTTP keep-alive connections. .TP 5 KeepAliveTimeout seconds -.br Specifies the amount of time that connections are kept alive. .TP 5 ... -.br Specifies the IPP operations that are being limited inside a policy. .TP 5 ... .TP 5 ... -.br Specifies the HTTP methods that are being limited inside a location. .TP 5 LimitRequestBody -.br Specifies the maximum size of any print job request. .TP 5 Listen ip-address:port 
@@ -268,15 +164,12 @@ Listen ip-address:port Listen *:port .TP 5 Listen /path/to/domain/socket -.br Listens to the specified address and port or domain socket path. .TP 5 ... -.br Specifies access control for the named location. .TP 5 LogDebugHistory #-messages -.br Specifies the number of debugging messages that are logged when an error occurs in a print job. .TP 5 
@@ -299,97 +192,72 @@ LogLevel none LogLevel notice .TP 5 LogLevel warn -.br Specifies the logging level for the ErrorLog file. .TP 5 LogTimeFormat standard .TP 5 LogTimeFormat usecs -.br Specifies the format of the date and time in the log files. .TP 5 MaxClients number -.br Specifies the maximum number of simultaneous clients to support. .TP 5 MaxClientsPerHost number -.br Specifies the maximum number of simultaneous clients to support from a single address. .TP 5 MaxCopies number -.br Specifies the maximum number of copies that a user can print of each job. .TP 5 MaxHoldTime seconds -.br Specifies the maximum time a job may remain in the "indefinite" hold state before it is canceled. Set to 0 to disable cancellation of held jobs. .TP 5 MaxJobs number -.br Specifies the maximum number of simultaneous jobs to support. .TP 5 MaxJobsPerPrinter number -.br Specifies the maximum number of simultaneous jobs per printer to support. .TP 5 MaxJobsPerUser number -.br Specifies the maximum number of simultaneous jobs per user to support. .TP 5 MaxJobTime seconds -.br Specifies the maximum time a job may take to print before it is canceled. The default is 10800 seconds (3 hours). Set to 0 to disable cancellation of "stuck" jobs. .TP 5 MaxLogSize number-bytes -.br Specifies the maximum size of the log files before they are rotated (0 to disable rotation) .TP 5 MaxRequestSize number-bytes -.br Specifies the maximum request/file size in bytes (0 for no limit) .TP 5 MultipleOperationTimeout seconds -.br Specifies the maximum amount of time to allow between files in a multiple file print job. .TP 5 -Order allow,deny -.TP 5 -Order deny,allow -.br -Specifies the order of HTTP access control (allow,deny or deny,allow) -.TP 5 PageLogFormat format string -.br Specifies the format of page log lines. .TP 5 PassEnv variable [... variable] -.br Passes the specified environment variable(s) to child processes. .TP 5 ... -.br Specifies access control for the named policy. 
.TP 5 Port number -.br Specifies a port number to listen to for HTTP requests. .TP 5 PreserveJobFiles Yes .TP 5 PreserveJobFiles No -.br Specifies whether or not to preserve job files after they are printed. .TP 5 PreserveJobHistory Yes .TP 5 PreserveJobHistory No -.br Specifies whether or not to preserve the job history after they are printed. .TP 5 @@ -398,47 +266,32 @@ PrintcapFormat bsd PrintcapFormat plist .TP 5 PrintcapFormat solaris -.br Specifies the format of the printcap file. .TP 5 ReloadTimeout seconds -.br Specifies the amount of time to wait for job completion before restarting the scheduler. .TP 5 -Require group group-name-list -.TP 5 -Require user user-name-list -.TP 5 -Require valid-user -.br -Specifies that user or group authentication is required. -.TP 5 RIPCache bytes -.br Specifies the maximum amount of memory to use when converting images and PostScript files to bitmaps for a printer. .TP 5 Satisfy all .TP 5 Satisfy any -.br Specifies whether all or any limits set for a Location must be satisfied to allow access. .TP 5 ServerAdmin user@domain.com -.br Specifies the email address of the server administrator. .TP 5 ServerAlias hostname [... hostname] .TP 5 ServerAlias * -.br Specifies an alternate name that the server is known by. The special name "*" allows any name to be used. .TP 5 ServerName hostname-or-ip-address -.br Specifies the fully-qualified hostname of the server. .TP 5 ServerTokens Full 
@@ -454,35 +307,122 @@ ServerTokens None ServerTokens OS .TP 5 ServerTokens ProductOnly -.br Specifies what information is included in the Server header of HTTP responses. .TP 5 SetEnv variable value -.br Set the specified environment variable to be passed to child processes. .TP 5 SSLListen -.br Listens on the specified address and port for encrypted connections. .TP 5 SSLPort -.br Listens on the specified port for encrypted connections. .TP 5 StrictConformance Yes .TP 5 StrictConformance No -.br Specifies whether the scheduler requires clients to strictly adhere to the IPP specifications. The default is No. .TP 5 +Timeout seconds +Specifies the HTTP request timeout in seconds. +.TP 5 +WebInterface yes +.TP 5 +WebInterface no +Specifies whether the web interface is enabled. +.SH DIRECTIVES VALID WITHIN LOCATION AND LIMIT SECTIONS +The following directives may be placed inside Location and Limit sections in the \fIcupsd.conf\fR file: +.TP 5 +Allow all +.TP 5 +Allow none +.TP 5 +Allow host.domain.com +.TP 5 +Allow *.domain.com +.TP 5 +Allow ip-address +.TP 5 +Allow ip-address/netmask +.TP 5 +Allow ip-address/mm +.TP 5 +Allow @IF(name) +.TP 5 +Allow @LOCAL +Allows access from the named hosts or addresses. +.TP 5 +AuthType None +.TP 5 +AuthType Basic +.TP 5 +AuthType Negotiate +Specifies the authentication type (None, Basic, or Negotiate) +.TP 5 +Deny all +.TP 5 +Deny none +.TP 5 +Deny host.domain.com +.TP 5 +Deny *.domain.com +.TP 5 +Deny ip-address +.TP 5 +Deny ip-address/netmask +.TP 5 +Deny ip-address/mm +.TP 5 +Deny @IF(name) +.TP 5 +Deny @LOCAL +Denies access to the named host or address. +.TP 5 +Encryption IfRequested +.TP 5 +Encryption Never +.TP 5 +Encryption Required +Specifies the level of encryption that is required for a particular +location. 
+.TP 5 +Order allow,deny +.TP 5 +Order deny,allow +Specifies the order of HTTP access control (allow,deny or deny,allow) +.TP 5 +Require group group-name-list +.TP 5 +Require user user-name-list +.TP 5 +Require valid-user +Specifies that user or group authentication is required. +.SH DIRECTIVES VALID WITHIN POLICY SECTIONS +The following directives may be placed inside Policy sections in the \fIcupsd.conf\fR file: +.TP 5 +JobPrivateAccess all +.TP 5 +JobPrivateAccess default +.TP 5 +JobPrivateAccess {user|@group|@ACL|@OWNER|@SYSTEM}+ +Specifies an access list for a job's private values. The "default" access list is "@OWNER @SYSTEM". "@ACL" maps to the printer's requesting-user-name-allowed or requesting-user-name-denied values. +.TP 5 +JobPrivateValues all +.TP 5 +JobPrivateValues default +.TP 5 +JobPrivateValues none +.TP 5 +JobPrivateValues attribute-name-1 [ ... attribute-name-N ] +Specifies the list of job values to make private. The "default" values are "job-name", "job-originating-host-name", and "job-originating-user-name". +.TP 5 SubscriptionPrivateAccess all .TP 5 SubscriptionPrivateAccess default .TP 5 SubscriptionPrivateAccess {user|@group|@ACL|@OWNER|@SYSTEM}+ -.br Specifies an access list for a subscription's private values. The "default" access list is "@OWNER @SYSTEM". "@ACL" maps to the printer's requesting-user-name-allowed or requesting-user-name-denied values. 
@@ -497,23 +437,11 @@ SubscriptionPrivateValues attribute-name-1 [ ... attribute-name-N ] Specifies the list of job values to make private. The "default" values are "notify-events", "notify-pull-method", "notify-recipient-uri", "notify-subscriber-user-name", and "notify-user-data". -.TP 5 -Timeout seconds -.br -Specifies the HTTP request timeout in seconds. -.TP 5 -WebInterface yes -.TP 5 -WebInterface no -Specifies whether the web interface is enabled. .SH SEE ALSO -\fIclasses.conf(5)\fR, \fIcups-files.conf(5)\fR, \fIcupsd(8)\fR, -\fImime.convs(5)\fR, \fImime.types(5)\fR, \fIprinters.conf(5)\fR, -\fIsubscriptions.conf(5)\fR, -.br +.BR classes.conf (5), cups-files.conf (5), cupsd (8), mime.convs (5), mime.types (5), printers.conf (5), subscriptions.conf (5), http://localhost:631/help .SH COPYRIGHT -Copyright 2007-2013 by Apple Inc. +Copyright \[co] 2007-2014 by Apple Inc. .\" .\" End of "$Id$". .\" diff --git a/packaging/cups.list.in b/packaging/cups.list.in index c6afe8beaf..efc4abc0e6 100644 --- a/packaging/cups.list.in +++ b/packaging/cups.list.in 
@@ -1,21 +1,21 @@ # # "$Id$" # -# ESP Package Manager (EPM) file list for CUPS. +# ESP Package Manager (EPM) file list for CUPS. # -# Copyright 2007-2012 by Apple Inc. -# Copyright 1997-2007 by Easy Software Products, all rights reserved. +# Copyright 2007-2014 by Apple Inc. +# Copyright 1997-2007 by Easy Software Products, all rights reserved. # -# These coded instructions, statements, and computer programs are the -# property of Apple Inc. and are protected by Federal copyright -# law. Distribution and use rights are outlined in the file "LICENSE.txt" -# which should have been included with this file. If this file is -# file is missing or damaged, see the license at "http://www.cups.org/". +# These coded instructions, statements, and computer programs are the +# property of Apple Inc. and are protected by Federal copyright +# law. Distribution and use rights are outlined in the file "LICENSE.txt" +# which should have been included with this file. If this file is +# file is missing or damaged, see the license at "http://www.cups.org/". # # Product information %product CUPS -%copyright 2007-2012 by Apple Inc. +%copyright 2007-2014 by Apple Inc. %vendor Apple Inc. #%license LICENSE.txt %readme LICENSE.txt @@ -345,7 +345,6 @@ f 0555 root sys $BINDIR/cupstestppd systemv/cupstestppd f 0555 root sys $BINDIR/ipptool test/ipptool f 0555 root sys $BINDIR/lp systemv/lp f 0555 root sys $BINDIR/lpoptions systemv/lpoptions -f 0555 root sys $BINDIR/lppasswd systemv/lppasswd f 0555 root sys $BINDIR/lpq berkeley/lpq f 0555 root sys $BINDIR/lpr berkeley/lpr f 0555 root sys $BINDIR/lprm berkeley/lprm 
@@ -652,7 +651,6 @@ f 0444 root sys $MANDIR/man1/cupstestdsc.$MAN1EXT man/cupstestdsc.$MAN1EXT f 0444 root sys $MANDIR/man1/cupstestppd.$MAN1EXT man/cupstestppd.$MAN1EXT f 0444 root sys $MANDIR/man1/ipptool.$MAN1EXT man/ipptool.$MAN1EXT f 0444 root sys $MANDIR/man1/lpoptions.$MAN1EXT man/lpoptions.$MAN1EXT -f 0444 root sys $MANDIR/man1/lppasswd.$MAN1EXT man/lppasswd.$MAN1EXT f 0444 root sys $MANDIR/man1/lpq.$MAN1EXT man/lpq.$MAN1EXT f 0444 root sys $MANDIR/man1/lprm.$MAN1EXT man/lprm.$MAN1EXT f 0444 root sys $MANDIR/man1/lpr.$MAN1EXT man/lpr.$MAN1EXT diff --git a/packaging/cups.spec.in b/packaging/cups.spec.in index dce45ad5fb..efe9d02364 100644 --- a/packaging/cups.spec.in +++ b/packaging/cups.spec.in @@ -301,7 +301,6 @@ rm -rf $RPM_BUILD_ROOT /usr/share/man/man1/ipptool.1.gz /usr/share/man/man1/lp.1.gz /usr/share/man/man1/lpoptions.1.gz -/usr/share/man/man1/lppasswd.1.gz /usr/share/man/man1/lpq.1.gz /usr/share/man/man1/lpr.1.gz /usr/share/man/man1/lprm.1.gz diff --git a/scheduler/auth.c b/scheduler/auth.c index 4c78cbb64e..a7b3f98667 100644 --- a/scheduler/auth.c +++ b/scheduler/auth.c @@ -77,8 +77,6 @@ static cupsd_authmask_t *copy_authmask(cupsd_authmask_t *am, void *data); static char *cups_crypt(const char *pw, const char *salt); #endif /* !HAVE_LIBPAM */ static void free_authmask(cupsd_authmask_t *am, void *data); -static char *get_md5_password(const char *username, - const char *group, char passwd[33]); #if HAVE_LIBPAM static int pam_func(int, const struct pam_message **, struct pam_response **, void *); 
@@ -282,26 +280,6 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ password[HTTP_MAX_VALUE]; /* Password string */ cupsd_cert_t *localuser; /* Certificate username */ - char nonce[HTTP_MAX_VALUE], /* Nonce value from client */ - md5[33], /* MD5 password */ - basicmd5[33]; /* MD5 of Basic password */ - static const char * const states[] = /* HTTP client states... */ - { - "WAITING", - "OPTIONS", - "GET", - "GET", - "HEAD", - "POST", - "POST", - "POST", - "PUT", - "PUT", - "DELETE", - "TRACE", - "CLOSE", - "STATUS" - }; /* @@ -367,6 +345,8 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ httpAddrLocalhost(httpGetAddress(con->http))) { OSStatus status; /* Status */ + char authdata[HTTP_MAX_VALUE]; + /* Nonce value from client */ int authlen; /* Auth string length */ AuthorizationItemSet *authinfo; /* Authorization item set */ @@ -378,8 +358,8 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ while (isspace(*authorization & 255)) authorization ++; - authlen = sizeof(nonce); - httpDecode64_2(nonce, &authlen, authorization); + authlen = sizeof(authdata); + httpDecode64_2(authdata, &authlen, authorization); if (authlen != kAuthorizationExternalFormLength) { @@ -389,8 +369,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ return; } - if ((status = AuthorizationCreateFromExternalForm( - (AuthorizationExternalForm *)nonce, &con->authref)) != 0) + if ((status = AuthorizationCreateFromExternalForm((AuthorizationExternalForm *)authdata, &con->authref)) != 0) { cupsdLogMessage(CUPSD_LOG_ERROR, "[Client %d] AuthorizationCreateFromExternalForm " 
@@ -832,115 +811,10 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ "[Client %d] Authorized as %s using Basic", con->number, username); break; - - case CUPSD_AUTH_BASICDIGEST : - /* - * Do Basic authentication with the Digest password file... - */ - - if (!get_md5_password(username, NULL, md5)) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "[Client %d] Unknown MD5 username \"%s\".", - con->number, username); - return; - } - - httpMD5(username, "CUPS", password, basicmd5); - - if (strcmp(md5, basicmd5)) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "[Client %d] Authentication failed for \"%s\".", - con->number, username); - return; - } - - cupsdLogMessage(CUPSD_LOG_DEBUG, - "[Client %d] Authorized as %s using BasicDigest", - con->number, username); - break; } con->type = type; } - else if (!strncmp(authorization, "Digest", 6)) - { - /* - * Get the username, password, and nonce from the Digest attributes... - */ - - if (!httpGetSubField2(con->http, HTTP_FIELD_AUTHORIZATION, "username", - username, sizeof(username)) || !username[0]) - { - /* - * Username must not be empty... - */ - - cupsdLogMessage(CUPSD_LOG_ERROR, - "[Client %d] Empty or missing Digest username.", - con->number); - return; - } - - if (!httpGetSubField2(con->http, HTTP_FIELD_AUTHORIZATION, "response", - password, sizeof(password)) || !password[0]) - { - /* - * Password must not be empty... - */ - - cupsdLogMessage(CUPSD_LOG_ERROR, - "[Client %d] Empty or missing Digest password.", - con->number); - return; - } - - if (!httpGetSubField(con->http, HTTP_FIELD_AUTHORIZATION, "nonce", - nonce)) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "[Client %d] No nonce value for Digest authentication.", - con->number); - return; - } - - if (strcmp(con->http->hostname, nonce)) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "[Client %d] Bad nonce value, expected \"%s\", " - "got \"%s\".", con->number, con->http->hostname, nonce); - return; - } - - /* - * Validate the username and password... 
- */ - - if (!get_md5_password(username, NULL, md5)) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "[Client %d] Unknown MD5 username \"%s\".", - con->number, username); - return; - } - - httpMD5Final(nonce, states[httpGetState(con->http)], con->uri, md5); - - if (strcmp(md5, password)) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "[Client %d] Authentication failed for \"%s\".", - con->number, username); - return; - } - - cupsdLogMessage(CUPSD_LOG_DEBUG, - "[Client %d] Authorized as %s using Digest", con->number, - username); - - con->type = CUPSD_AUTH_DIGEST; - } #ifdef HAVE_GSSAPI else if (!strncmp(authorization, "Negotiate", 9)) { @@ -1380,7 +1254,6 @@ cupsdCheckGroup( { int i; /* Looping var */ struct group *group; /* System group info */ - char junk[33]; /* MD5 password (not used) */ #ifdef HAVE_MBR_UID_TO_UUID uuid_t useruuid, /* UUID for username */ groupuuid; /* UUID for groupname */ @@ -1466,15 +1339,6 @@ cupsdCheckGroup( return (0); #endif /* HAVE_MBR_UID_TO_UUID */ - /* - * Username not found, group not found, or user is not part of the - * system group... Check for a user and group in the MD5 password - * file... - */ - - if (get_md5_password(username, groupname, junk) != NULL) - return (1); - /* * If we get this far, then the user isn't part of the named group... */ @@ -1763,8 +1627,6 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ { "None", "Basic", - "Digest", - "BasicDigest", "Negotiate" }; @@ -1923,9 +1785,9 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ #ifdef HAVE_GSSAPI (type != CUPSD_AUTH_NEGOTIATE || con->gss_uid <= 0) && #endif /* HAVE_GSSAPI */ - (con->type != CUPSD_AUTH_BASIC || type != CUPSD_AUTH_BASICDIGEST)) + con->type != CUPSD_AUTH_BASIC) { - cupsdLogMessage(CUPSD_LOG_ERROR, "Authorized using %s, expected %s!", + cupsdLogMessage(CUPSD_LOG_ERROR, "Authorized using %s, expected %s.", types[con->type], types[type]); return (HTTP_UNAUTHORIZED); 
@@ -2360,68 +2222,6 @@ free_authmask(cupsd_authmask_t *mask, /* I - Auth mask to free */ } -/* - * 'get_md5_password()' - Get an MD5 password. - */ - -static char * /* O - MD5 password string */ -get_md5_password(const char *username, /* I - Username */ - const char *group, /* I - Group */ - char passwd[33]) /* O - MD5 password string */ -{ - cups_file_t *fp; /* passwd.md5 file */ - char filename[1024], /* passwd.md5 filename */ - line[256], /* Line from file */ - tempuser[33], /* User from file */ - tempgroup[33]; /* Group from file */ - - - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "get_md5_password(username=\"%s\", group=\"%s\", passwd=%p)", - username, group ? group : "(null)", passwd); - - snprintf(filename, sizeof(filename), "%s/passwd.md5", ServerRoot); - if ((fp = cupsFileOpen(filename, "r")) == NULL) - { - if (errno != ENOENT) - cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to open %s - %s", filename, - strerror(errno)); - - return (NULL); - } - - while (cupsFileGets(fp, line, sizeof(line)) != NULL) - { - if (sscanf(line, "%32[^:]:%32[^:]:%32s", tempuser, tempgroup, passwd) != 3) - { - cupsdLogMessage(CUPSD_LOG_ERROR, "Bad MD5 password line: %s", line); - continue; - } - - if (!strcmp(username, tempuser) && - (group == NULL || !strcmp(group, tempgroup))) - { - /* - * Found the password entry! - */ - - cupsdLogMessage(CUPSD_LOG_DEBUG2, "Found MD5 user %s, group %s...", - username, tempgroup); - - cupsFileClose(fp); - return (passwd); - } - } - - /* - * Didn't find a password entry - return NULL! - */ - - cupsFileClose(fp); - return (NULL); -} - - #if HAVE_LIBPAM /* * 'pam_func()' - PAM conversation function. diff --git a/scheduler/auth.h b/scheduler/auth.h index 64c99746c6..fe11d46558 100644 --- a/scheduler/auth.h +++ b/scheduler/auth.h 
@@ -27,10 +27,8 @@ #define CUPSD_AUTH_DEFAULT -1 /* Use DefaultAuthType */ #define CUPSD_AUTH_NONE 0 /* No authentication */ #define CUPSD_AUTH_BASIC 1 /* Basic authentication */ -#define CUPSD_AUTH_DIGEST 2 /* Digest authentication */ -#define CUPSD_AUTH_BASICDIGEST 3 /* Basic authentication w/passwd.md5 */ -#define CUPSD_AUTH_NEGOTIATE 4 /* Kerberos authentication */ -#define CUPSD_AUTH_AUTO 5 /* Kerberos or Basic, depending on configuration of server */ +#define CUPSD_AUTH_NEGOTIATE 2 /* Kerberos authentication */ +#define CUPSD_AUTH_AUTO 3 /* Kerberos or Basic, depending on configuration of server */ #define CUPSD_AUTH_ANON 0 /* Anonymous access */ #define CUPSD_AUTH_USER 1 /* Must have a valid username/password */ diff --git a/scheduler/client.c b/scheduler/client.c index b6a93082e0..3bf845c350 100644 --- a/scheduler/client.c +++ b/scheduler/client.c @@ -2321,11 +2321,8 @@ cupsdSendHeader( auth_str[0] = '\0'; - if (auth_type == CUPSD_AUTH_BASIC || auth_type == CUPSD_AUTH_BASICDIGEST) + if (auth_type == CUPSD_AUTH_BASIC) strlcpy(auth_str, "Basic realm=\"CUPS\"", sizeof(auth_str)); - else if (auth_type == CUPSD_AUTH_DIGEST) - snprintf(auth_str, sizeof(auth_str), "Digest realm=\"CUPS\", nonce=\"%s\"", - httpGetHostname(con->http, NULL, 0)); #ifdef HAVE_GSSAPI else if (auth_type == CUPSD_AUTH_NEGOTIATE) { diff --git a/scheduler/conf.c b/scheduler/conf.c index 97eedc7683..3c2143e676 100644 --- a/scheduler/conf.c +++ b/scheduler/conf.c 
@@ -2169,20 +2169,6 @@ parse_aaa(cupsd_location_t *loc, /* I - Location */ if (loc->level == CUPSD_AUTH_ANON) loc->level = CUPSD_AUTH_USER; } - else if (!_cups_strcasecmp(value, "digest")) - { - loc->type = CUPSD_AUTH_DIGEST; - - if (loc->level == CUPSD_AUTH_ANON) - loc->level = CUPSD_AUTH_USER; - } - else if (!_cups_strcasecmp(value, "basicdigest")) - { - loc->type = CUPSD_AUTH_BASICDIGEST; - - if (loc->level == CUPSD_AUTH_ANON) - loc->level = CUPSD_AUTH_USER; - } else if (!_cups_strcasecmp(value, "default")) { loc->type = CUPSD_AUTH_DEFAULT; @@ -3081,10 +3067,6 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ default_auth_type = CUPSD_AUTH_NONE; else if (!_cups_strcasecmp(value, "basic")) default_auth_type = CUPSD_AUTH_BASIC; - else if (!_cups_strcasecmp(value, "digest")) - default_auth_type = CUPSD_AUTH_DIGEST; - else if (!_cups_strcasecmp(value, "basicdigest")) - default_auth_type = CUPSD_AUTH_BASICDIGEST; #ifdef HAVE_GSSAPI else if (!_cups_strcasecmp(value, "negotiate")) default_auth_type = CUPSD_AUTH_NEGOTIATE; diff --git a/scheduler/printers.c b/scheduler/printers.c index 73e1fba0d7..4818c863de 100644 --- a/scheduler/printers.c +++ b/scheduler/printers.c @@ -2054,10 +2054,8 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p)/* I - Printer to setup */ if ((auth_type = auth->type) == CUPSD_AUTH_DEFAULT) auth_type = cupsdDefaultAuthType(); - if (auth_type == CUPSD_AUTH_BASIC || auth_type == CUPSD_AUTH_BASICDIGEST) + if (auth_type == CUPSD_AUTH_BASIC) auth_supported = "basic"; - else if (auth_type == CUPSD_AUTH_DIGEST) - auth_supported = "digest"; #ifdef HAVE_GSSAPI else if (auth_type == CUPSD_AUTH_NEGOTIATE) auth_supported = "negotiate"; diff --git a/systemv/Makefile b/systemv/Makefile index e8aed6ff2a..a073d91a77 100644 --- a/systemv/Makefile +++ b/systemv/Makefile 
@@ -1,25 +1,25 @@ # # "$Id$" # -# System V commands makefile for CUPS. +# System V commands makefile for CUPS. # -# Copyright 2007-2012 by Apple Inc. -# Copyright 1997-2006 by Easy Software Products, all rights reserved. +# Copyright 2007-2014 by Apple Inc. +# Copyright 1997-2006 by Easy Software Products, all rights reserved. # -# These coded instructions, statements, and computer programs are the -# property of Apple Inc. and are protected by Federal copyright -# law. Distribution and use rights are outlined in the file "LICENSE.txt" -# which should have been included with this file. If this file is -# file is missing or damaged, see the license at "http://www.cups.org/". +# These coded instructions, statements, and computer programs are the +# property of Apple Inc. and are protected by Federal copyright +# law. Distribution and use rights are outlined in the file "LICENSE.txt" +# which should have been included with this file. If this file is +# file is missing or damaged, see the license at "http://www.cups.org/". # include ../Makedefs TARGETS = cancel cupsaccept cupsaddsmb cupsctl cupstestdsc cupstestppd \ - lp lpadmin lpinfo lpmove lpoptions lppasswd lpstat + lp lpadmin lpinfo lpmove lpoptions lpstat OBJS = cancel.o cupsaccept.o cupsaddsmb.o cupsctl.o cupstestdsc.o \ cupstestppd.o lp.o lpadmin.o lpinfo.o lpmove.o lpoptions.o \ - lppasswd.o lpstat.o + lpstat.o # @@ -105,7 +105,6 @@ install-exec: $(INSTALL_BIN) lp $(BINDIR) $(INSTALL_BIN) lpoptions $(BINDIR) $(INSTALL_BIN) lpstat $(BINDIR) - $(INSTALL_BIN) lppasswd $(BINDIR) if test "x$(SYMROOT)" != "x"; then \ $(INSTALL_DIR) $(SYMROOT); \ for file in $(TARGETS); do \ @@ -139,7 +138,6 @@ uninstall: $(RM) $(BINDIR)/cupstestppd $(RM) $(BINDIR)/lp $(RM) $(BINDIR)/lpoptions - $(RM) $(BINDIR)/lppasswd $(RM) $(BINDIR)/lpstat -$(RMDIR) $(BINDIR) $(RM) $(SBINDIR)/accept 
@@ -264,15 +262,6 @@ lpoptions: lpoptions.o ../cups/$(LIBCUPS) $(CC) $(LDFLAGS) -o lpoptions lpoptions.o $(LIBZ) $(LIBS) -# -# lppasswd -# - -lppasswd: lppasswd.o ../cups/$(LIBCUPS) - echo Linking $@... - $(CC) $(LDFLAGS) -o lppasswd lppasswd.o $(LIBZ) $(LIBS) - - # # lpstat # diff --git a/systemv/lppasswd.c b/systemv/lppasswd.c deleted file mode 100644 index 597408a67f..0000000000 --- a/systemv/lppasswd.c +++ /dev/null 
@@ -1,489 +0,0 @@ -/* - * "$Id$" - * - * MD5 password program for CUPS. - * - * Copyright 2007-2011 by Apple Inc. - * Copyright 1997-2006 by Easy Software Products. - * - * These coded instructions, statements, and computer programs are the - * property of Apple Inc. and are protected by Federal copyright - * law. Distribution and use rights are outlined in the file "LICENSE.txt" - * which should have been included with this file. If this file is - * file is missing or damaged, see the license at "http://www.cups.org/". - * - * Contents: - * - * main() - Add, change, or delete passwords from the MD5 password file. - * usage() - Show program usage. - */ - -/* - * Include necessary headers... - */ - -#include -#include -#include -#include -#include -#include - -#ifndef WIN32 -# include -# include -#endif /* !WIN32 */ - - -/* - * Operations... - */ - -#define ADD 0 -#define CHANGE 1 -#define DELETE 2 - - -/* - * Local functions... - */ - -static void usage(FILE *fp) __attribute__((noreturn)); - - -/* - * 'main()' - Add, change, or delete passwords from the MD5 password file. - */ - -int /* O - Exit status */ -main(int argc, /* I - Number of command-line arguments */ - char *argv[]) /* I - Command-line arguments */ -{ - int i; /* Looping var */ - char *opt; /* Option pointer */ - const char *username; /* Pointer to username */ - const char *groupname; /* Pointer to group name */ - int op; /* Operation (add, change, delete) */ - const char *passwd; /* Password string */ - FILE *infile, /* Input file */ - *outfile; /* Output file */ - char line[256], /* Line from file */ - userline[17], /* User from line */ - groupline[17], /* Group from line */ - md5line[33], /* MD5-sum from line */ - md5new[33]; /* New MD5 sum */ - char passwdmd5[1024], /* passwd.md5 file */ - passwdold[1024], /* passwd.old file */ - passwdnew[1024]; /* passwd.tmp file */ - char *newpass, /* new password */ - *oldpass; /* old password */ - int flag; /* Password check flags... 
*/ - int fd; /* Password file descriptor */ - int error; /* Write error */ - _cups_globals_t *cg = _cupsGlobals(); /* Global data */ - cups_lang_t *lang; /* Language info */ -#if defined(HAVE_SIGACTION) && !defined(HAVE_SIGSET) - struct sigaction action; /* Signal action */ -#endif /* HAVE_SIGACTION && !HAVE_SIGSET*/ - - - _cupsSetLocale(argv); - lang = cupsLangDefault(); - - /* - * Check to see if stdin, stdout, and stderr are still open... - */ - - if (fcntl(0, F_GETFD, &i) || - fcntl(1, F_GETFD, &i) || - fcntl(2, F_GETFD, &i)) - { - /* - * No, return exit status 2 and don't try to send any output since - * someone is trying to bypass the security on the server. - */ - - return (2); - } - - /* - * Find the server directory... - */ - - snprintf(passwdmd5, sizeof(passwdmd5), "%s/passwd.md5", cg->cups_serverroot); - snprintf(passwdold, sizeof(passwdold), "%s/passwd.old", cg->cups_serverroot); - snprintf(passwdnew, sizeof(passwdnew), "%s/passwd.new", cg->cups_serverroot); - - /* - * Find the default system group... - */ - - if (getgrnam(CUPS_DEFAULT_GROUP)) - groupname = CUPS_DEFAULT_GROUP; - else - groupname = "unknown"; - - endgrent(); - - username = NULL; - op = CHANGE; - - /* - * Parse command-line options... - */ - - for (i = 1; i < argc; i ++) - if (argv[i][0] == '-') - for (opt = argv[i] + 1; *opt; opt ++) - switch (*opt) - { - case 'a' : /* Add */ - op = ADD; - break; - case 'x' : /* Delete */ - op = DELETE; - break; - case 'g' : /* Group */ - i ++; - if (i >= argc) - usage(stderr); - - groupname = argv[i]; - break; - case 'h' : /* Help */ - usage(stdout); - break; - default : /* Bad option */ - usage(stderr); - break; - } - else if (!username) - username = argv[i]; - else - usage(stderr); - - /* - * See if we are trying to add or delete a password when we aren't logged in - * as root... 
- */ - - if (getuid() && getuid() != geteuid() && (op != CHANGE || username)) - { - _cupsLangPuts(stderr, - _("lppasswd: Only root can add or delete passwords.")); - return (1); - } - - /* - * Fill in missing info... - */ - - if (!username) - username = cupsUser(); - - oldpass = newpass = NULL; - - /* - * Obtain old and new password _before_ locking the database - * to keep users from locking the file indefinitely. - */ - - if (op == CHANGE && getuid()) - { - if ((passwd = cupsGetPassword(_("Enter old password:"))) == NULL) - return (1); - - if ((oldpass = strdup(passwd)) == NULL) - { - _cupsLangPrintf(stderr, - _("lppasswd: Unable to copy password string: %s"), - strerror(errno)); - return (1); - } - } - - /* - * Now get the new password, if necessary... - */ - - if (op != DELETE) - { - if ((passwd = cupsGetPassword( - _cupsLangString(lang, _("Enter password:")))) == NULL) - return (1); - - if ((newpass = strdup(passwd)) == NULL) - { - _cupsLangPrintf(stderr, - _("lppasswd: Unable to copy password string: %s"), - strerror(errno)); - return (1); - } - - if ((passwd = cupsGetPassword( - _cupsLangString(lang, _("Enter password again:")))) == NULL) - return (1); - - if (strcmp(passwd, newpass) != 0) - { - _cupsLangPuts(stderr, - _("lppasswd: Sorry, passwords don't match.")); - return (1); - } - - /* - * Check that the password contains at least one letter and number. - */ - - flag = 0; - - for (passwd = newpass; *passwd; passwd ++) - if (isdigit(*passwd & 255)) - flag |= 1; - else if (isalpha(*passwd & 255)) - flag |= 2; - - /* - * Only allow passwords that are at least 6 chars, have a letter and - * a number, and don't contain the username. 
- */ - - if (strlen(newpass) < 6 || strstr(newpass, username) != NULL || flag != 3) - { - _cupsLangPuts(stderr, _("lppasswd: Sorry, password rejected.")); - _cupsLangPuts(stderr, _("Your password must be at least 6 characters " - "long, cannot contain your username, and must " - "contain at least one letter and number.")); - return (1); - } - } - - /* - * Ignore SIGHUP, SIGINT, SIGTERM, and SIGXFSZ (if defined) for the - * remainder of the time so that we won't end up with bogus password - * files... - */ - -#ifndef WIN32 -# if defined(HAVE_SIGSET) - sigset(SIGHUP, SIG_IGN); - sigset(SIGINT, SIG_IGN); - sigset(SIGTERM, SIG_IGN); -# ifdef SIGXFSZ - sigset(SIGXFSZ, SIG_IGN); -# endif /* SIGXFSZ */ -# elif defined(HAVE_SIGACTION) - memset(&action, 0, sizeof(action)); - action.sa_handler = SIG_IGN; - - sigaction(SIGHUP, &action, NULL); - sigaction(SIGINT, &action, NULL); - sigaction(SIGTERM, &action, NULL); -# ifdef SIGXFSZ - sigaction(SIGXFSZ, &action, NULL); -# endif /* SIGXFSZ */ -# else - signal(SIGHUP, SIG_IGN); - signal(SIGINT, SIG_IGN); - signal(SIGTERM, SIG_IGN); -# ifdef SIGXFSZ - signal(SIGXFSZ, SIG_IGN); -# endif /* SIGXFSZ */ -# endif -#endif /* !WIN32 */ - - /* - * Open the output file. - */ - - if ((fd = open(passwdnew, O_WRONLY | O_CREAT | O_EXCL, 0400)) < 0) - { - if (errno == EEXIST) - _cupsLangPuts(stderr, _("lppasswd: Password file busy.")); - else - _cupsLangPrintf(stderr, _("lppasswd: Unable to open password file: %s"), - strerror(errno)); - - return (1); - } - - if ((outfile = fdopen(fd, "w")) == NULL) - { - _cupsLangPrintf(stderr, _("lppasswd: Unable to open password file: %s"), - strerror(errno)); - - unlink(passwdnew); - - return (1); - } - - setbuf(outfile, NULL); - - /* - * Open the existing password file and create a new one... 
- */ - - infile = fopen(passwdmd5, "r"); - if (infile == NULL && errno != ENOENT && op != ADD) - { - _cupsLangPrintf(stderr, _("lppasswd: Unable to open password file: %s"), - strerror(errno)); - - fclose(outfile); - - unlink(passwdnew); - - return (1); - } - - /* - * Read lines from the password file; the format is: - * - * username:group:MD5-sum - */ - - error = 0; - userline[0] = '\0'; - groupline[0] = '\0'; - md5line[0] = '\0'; - - if (infile) - { - while (fgets(line, sizeof(line), infile) != NULL) - { - if (sscanf(line, "%16[^:]:%16[^:]:%32s", userline, groupline, md5line) != 3) - continue; - - if (strcmp(username, userline) == 0 && - strcmp(groupname, groupline) == 0) - break; - - if (fputs(line, outfile) == EOF) - { - _cupsLangPrintf(stderr, - _("lppasswd: Unable to write to password file: %s"), - strerror(errno)); - error = 1; - break; - } - } - - if (!error) - { - while (fgets(line, sizeof(line), infile) != NULL) - if (fputs(line, outfile) == EOF) - { - _cupsLangPrintf(stderr, - _("lppasswd: Unable to write to password file: %s"), - strerror(errno)); - error = 1; - break; - } - } - } - - if (op == CHANGE && - (strcmp(username, userline) || strcmp(groupname, groupline))) - { - _cupsLangPrintf(stderr, - _("lppasswd: user \"%s\" and group \"%s\" do not exist."), - username, groupname); - error = 1; - } - else if (op != DELETE) - { - if (oldpass && - strcmp(httpMD5(username, "CUPS", oldpass, md5new), md5line) != 0) - { - _cupsLangPuts(stderr, _("lppasswd: Sorry, password doesn't match.")); - error = 1; - } - else - { - snprintf(line, sizeof(line), "%s:%s:%s\n", username, groupname, - httpMD5(username, "CUPS", newpass, md5new)); - if (fputs(line, outfile) == EOF) - { - _cupsLangPrintf(stderr, - _("lppasswd: Unable to write to password file: %s"), - strerror(errno)); - error = 1; - } - } - } - - /* - * Close the files... - */ - - if (infile) - fclose(infile); - - if (fclose(outfile) == EOF) - error = 1; - - /* - * Error out gracefully as needed... 
- */ - - if (error) - { - _cupsLangPuts(stderr, _("lppasswd: Password file not updated.")); - - unlink(passwdnew); - - return (1); - } - - /* - * Save old passwd file - */ - - unlink(passwdold); - if (link(passwdmd5, passwdold) && errno != ENOENT) - { - _cupsLangPrintf(stderr, - _("lppasswd: failed to backup old password file: %s"), - strerror(errno)); - unlink(passwdnew); - return (1); - } - - /* - * Install new password file - */ - - if (rename(passwdnew, passwdmd5) < 0) - { - _cupsLangPrintf(stderr, _("lppasswd: failed to rename password file: %s"), - strerror(errno)); - unlink(passwdnew); - return (1); - } - - return (0); -} - - -/* - * 'usage()' - Show program usage. - */ - -static void -usage(FILE *fp) /* I - File to send usage to */ -{ - if (getuid()) - _cupsLangPuts(fp, _("Usage: lppasswd [-g groupname]")); - else - _cupsLangPuts(fp, - _("Usage: lppasswd [-g groupname] [username]\n" - " lppasswd [-g groupname] -a [username]\n" - " lppasswd [-g groupname] -x [username]")); - - exit(1); -} - - -/* - * End of "$Id$". - */ diff --git a/xcode/CUPS.xcodeproj/project.pbxproj b/xcode/CUPS.xcodeproj/project.pbxproj index b417bd8555..8db819c8c9 100644 --- a/xcode/CUPS.xcodeproj/project.pbxproj +++ b/xcode/CUPS.xcodeproj/project.pbxproj 
@@ -1118,7 +1118,6 @@ 2732E08E137A3F5200FAFEF6 /* lpinfo.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; name = lpinfo.c; path = ../systemv/lpinfo.c; sourceTree = ""; }; 2732E08F137A3F5200FAFEF6 /* lpmove.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; name = lpmove.c; path = ../systemv/lpmove.c; sourceTree = ""; }; 2732E090137A3F5200FAFEF6 /* lpoptions.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; name = lpoptions.c; path = ../systemv/lpoptions.c; sourceTree = ""; }; - 2732E091137A3F5200FAFEF6 /* lppasswd.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; name = lppasswd.c; path = ../systemv/lppasswd.c; sourceTree = ""; }; 2732E092137A3F5200FAFEF6 /* lpstat.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; name = lpstat.c; path = ../systemv/lpstat.c; sourceTree = ""; }; 273BF6BD1333B5000022CAAB /* testcups */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = testcups; sourceTree = BUILT_PRODUCTS_DIR; }; 273BF6C61333B5370022CAAB /* testcups.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = testcups.c; path = ../cups/testcups.c; sourceTree = ""; }; @@ -1782,7 +1781,6 @@ 2732E08E137A3F5200FAFEF6 /* lpinfo.c */, 2732E08F137A3F5200FAFEF6 /* lpmove.c */, 2732E090137A3F5200FAFEF6 /* lpoptions.c */, - 2732E091137A3F5200FAFEF6 /* lppasswd.c */, 2732E092137A3F5200FAFEF6 /* lpstat.c */, ); name = commands;
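Review bot: in the SEE ALSO hunk at @@ -497 of the cupsd.conf man page source, the new `.BR classes.conf (5), cups-files.conf (5), ...` line puts every reference on a single `.BR` request. `.BR` alternates bold and roman and joins its arguments with no space between them, so this renders as "classes.conf(5),cups-files.conf(5),cupsd(8),..." with the commas run together. Use one `.BR name (N),` request per reference, each on its own line, so the list keeps its spacing.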
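Review bot: in the cupsdAuthorize() hunk at @@ -345 of scheduler/auth.c, the new `authdata` buffer carries over the comment "Nonce value from client" from the removed `nonce` variable, but in this block it only receives the output of httpDecode64_2() that is then cast to `AuthorizationExternalForm *`. Change the comment to describe the decoded authorization data so the name and the comment agree. The `authlen != kAuthorizationExternalFormLength` check that follows is the only size validation before the cast, so it is worth saying so in the comment as well.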
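Review bot: in the cupsdCheckGroup() hunk at @@ -1466 of scheduler/auth.c, removing the `get_md5_password(username, groupname, junk)` fallback means a group that existed only as the second field of a passwd.md5 entry no longer satisfies the group check, and the function falls straight through to "the user isn't part of the named group". That is the intended direction, but it silently changes the result for existing policies that named such a group. Document the change next to the other removed directives so administrators know to move those users into system groups.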
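Review bot: in the cupsdIsAuthorized() hunk at @@ -1763 of scheduler/auth.c, the types[] table shrinks to three entries ("None", "Basic", "Negotiate"), and the later log call indexes it with both `types[con->type]` and `types[type]`. scheduler/auth.h in this same patch defines CUPSD_AUTH_AUTO as 3 and CUPSD_AUTH_DEFAULT as -1, neither of which has an entry. Please confirm that `type` and `con->type` are always resolved to 0 through 2 before that message is built, or bounds-check the index, and add a comment tying the table order to the CUPSD_AUTH_ constants so the next renumbering cannot drift.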
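Review bot: in the cupsdIsAuthorized() hunk at @@ -1923 of scheduler/auth.c, replacing `(con->type != CUPSD_AUTH_BASIC || type != CUPSD_AUTH_BASICDIGEST)` with `con->type != CUPSD_AUTH_BASIC` widens the exemption instead of removing it. The old clause was false only when a Basic login met a BasicDigest requirement; with BasicDigest gone its second operand would always be true, so the equivalent change is to delete the clause. As written, the clause is false for every connection that authenticated with Basic, so the conjunction never reaches the "Authorized using %s, expected %s." rejection for such a client, including when `type` is CUPSD_AUTH_NEGOTIATE. The start of the condition lies outside the hunk, so please check this against the full `if`, and if a strict type match is intended, drop the clause rather than shortening it.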
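Review bot: in scheduler/conf.c, the parse_aaa() hunk at @@ -2169 and the read_cupsd_conf() hunk at @@ -3081 delete the "digest" and "basicdigest" branches without putting anything in their place, so an existing cupsd.conf that still uses either value now takes whatever fallthrough ends each else-if chain, which is not visible here. The removed parse_aaa() branches also raised `loc->level` from CUPSD_AUTH_ANON to CUPSD_AUTH_USER, so please confirm the fallthrough fails closed and cannot leave a location that used to require a password at anonymous access. An explicit error naming the two dropped values would make the upgrade failure diagnosable from the log.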
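Review bot: in the uninstall hunk at @@ -139 of systemv/Makefile, dropping `$(RM) $(BINDIR)/lppasswd` means an uninstall run from this tree leaves behind any lppasswd binary that an earlier release installed. Consider keeping that one line in the uninstall target even though the program is no longer built. Related: nothing in the patch removes or mentions the existing passwd.md5 file under ServerRoot that get_md5_password() used to read, so the stored MD5 sums stay on disk after the upgrade; a note telling administrators to delete the file would close that out.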