Policy CUPS-Add-Modify-Printer unlikely when using multiple policies #2525

Closed
michaelrsweet opened this issue Sep 21, 2007 · 5 comments

@michaelrsweet

Version: 1.3-current
CUPS.org User: rojon

It's useless, for instance, to grant access for CUPS-Add-Modify-Printer or CUPS-Add-Modify-Class to a named policy. For example, to restrict groups to modify only printers which belong to their group / assigned policy. Even changing printer settings will need these rights granted to CUPS-Add-Modify-Printer/Classes in a global (default) policy.
Would be nice to strip them down to the assigned policies.

@michaelrsweet

CUPS.org User: pipitas

No, it's not useless.

What you can't do is to use a single operation only, define a policy on it with a <Limit ...> section, and expect the rest of the operations to work as defined in the "default" policy. What happens in reality is that your single operation may be silently amended by a section that works against your intentions.

So when you define a custom policy, be sure to include one or more <Limit ...>... sections that describe exactly all the operations and their (different) limitations, and add another ... section, that describes exactly how the rest of operations should be affected by your custom policy.

This works.

@michaelrsweet

CUPS.org User: mike

And to add to what Kurt said, once you have added a printer or class, the CUPS-Add-Modify-Printer/Class operations use the printer's policy (not the default policy) to authorize the request. Thus it is possible to only allow one set of users to create a queue and another to maintain it.
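
The advice in the two comments above, as an added cupsd.conf sketch that is not from the thread or from the CUPS project: a custom policy that names its operations and ends with a catch-all section, next to the single-section form the earlier comment warns against. The policy names, the sales-admins group and the use of <Limit All> as the catch-all are assumptions; the operation lists are modelled on the stock default policy.

```conf
# Added example; the policy names and the sales-admins group are assumptions.
# Creating a queue is authorized by <Policy default>. With the fix from this
# issue, modifying an existing queue is authorized by the queue's own policy,
# assigned with: lpadmin -p QUEUE -o printer-op-policy=sales

# Incomplete: a single <Limit> section, the pattern the comment warns against.
<Policy sales-incomplete>
  <Limit CUPS-Add-Modify-Printer CUPS-Add-Modify-Class>
    AuthType Default
    Require user @sales-admins @SYSTEM
    Order deny,allow
  </Limit>
</Policy>

# Complete: every operation is named or falls into the final <Limit All>.
<Policy sales>
  # Queue maintainers may modify queues that carry this policy.
  <Limit CUPS-Add-Modify-Printer CUPS-Add-Modify-Class>
    AuthType Default
    Require user @sales-admins @SYSTEM
    Order deny,allow
  </Limit>
  # Deleting queues and setting the default stay with administrators.
  <Limit CUPS-Delete-Printer CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  # Printer state operations require an administrator.
  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  # Job operations are limited to the job owner or an administrator.
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  # Everything else (printing, status queries) needs no authentication.
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
```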

@michaelrsweet

CUPS.org User: mike

Reopening as a bug - not a feature request...

[Reported via mailing list...]

against the printer's policy to authorize the request, thus not doing what
you said beyond ... (at least not in version 1.3.3-r6985)
Thanks. Anyhow, I've changed the code in ipp.c to ask to check against
printer_op_ptr instead of DefaultPolicyPtr in cupsdCheckPolicy, if
printer exists already ....

@michaelrsweet

CUPS.org User: mike

Fixed in Subversion repository.

@michaelrsweet

"str2525.patch":

Index: scheduler/ipp.c

--- scheduler/ipp.c (revision 6992)
+++ scheduler/ipp.c (working copy)
@@ -908,16 +908,6 @@
}

/*

  • * Check policy...

- */

  • if ((status = cupsdCheckPolicy(DefaultPolicyPtr, con, NULL)) != HTTP_OK)
  • {
  • send_http_error(con, status, NULL);
  • return;

- }

  • /*
    • See if the class already exists; if not, create a new class...
      */
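
Review bot: authorization in this handler now depends on every branch below carrying its own cupsdCheckPolicy call, because the check removed here was the only one that ran ahead of the "See if the class already exists" lookup. Consider selecting the policy pointer once after the lookup (pclass->op_policy_ptr for an existing local class, DefaultPolicyPtr otherwise) and calling cupsdCheckPolicy a single time, so that a branch added to the chain later cannot be left without a check.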

@@ -941,18 +931,31 @@
}

/*
  • * No, add the pclass...
    • No, check the default policy and then add the class...
      */
  • if ((status = cupsdCheckPolicy(DefaultPolicyPtr, con, NULL)) != HTTP_OK)
  • {
  •  send_http_error(con, status, NULL);
    
  •  return;
    
  • }

pclass = cupsdAddClass(resource + 9);
modify = 0;
}
else if (pclass->type & CUPS_PRINTER_IMPLICIT)
{
/*

  • * Rename the implicit class to "AnyClass" or remove it...
  • * Check the default policy, then tename the implicit class to "AnyClass"
    • or remove it...
      */
  • if ((status = cupsdCheckPolicy(DefaultPolicyPtr, con, NULL)) != HTTP_OK)
  • {
  •  send_http_error(con, status, NULL);
    
  •  return;
    
  • }

if (ImplicitAnyClasses)
{
snprintf(newname, sizeof(newname), "Any%s", resource + 9);
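
Review bot: the new comment in the CUPS_PRINTER_IMPLICIT branch reads "Check the default policy, then tename the implicit class"; "tename" should be "rename". The matching comment in the printer handler already has the correct spelling, so only this copy needs the fix.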
@@ -971,9 +974,15 @@
else if (pclass->type & CUPS_PRINTER_DISCOVERED)
{
/*

  • * Rename the remote class to "Class"...
    • Check the default policy, then rename the remote class to "Class"...
      */
  • if ((status = cupsdCheckPolicy(DefaultPolicyPtr, con, NULL)) != HTTP_OK)
  • {
  •  send_http_error(con, status, NULL);
    
  •  return;
    
  • }

snprintf(newname, sizeof(newname), "%s@%s", resource + 9, pclass->hostname);
cupsdRenamePrinter(pclass, newname);
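
Review bot: the CUPS_PRINTER_DISCOVERED branch checks DefaultPolicyPtr although pclass is non-NULL here and the final branch uses pclass->op_policy_ptr; the comment says what is checked but not why. A sentence stating that the request creates a new local class, so the remote class's own policy does not apply, would keep a later reader from "correcting" this to op_policy_ptr.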

@@ -984,6 +993,12 @@
pclass = cupsdAddClass(resource + 9);
modify = 0;
}

  • else if ((status = cupsdCheckPolicy(pclass->op_policy_ptr, con,
  •                                  NULL)) != HTTP_OK)
    
  • {
  • send_http_error(con, status, NULL);
  • return;
  • }
    else
    modify = 1;
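
Review bot: pclass->op_policy_ptr is passed to cupsdCheckPolicy in the new else-if without any visible guarantee that it is set for every existing local class. Please confirm it can never be NULL at this point, or fall back to DefaultPolicyPtr when it is. This is also the only added check without a comment; a short one saying that an existing class is authorized against its own policy would match the other branches.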

@@ -2180,16 +2195,6 @@
}

/*

  • * Check policy...

- */

  • if ((status = cupsdCheckPolicy(DefaultPolicyPtr, con, NULL)) != HTTP_OK)
  • {
  • send_http_error(con, status, NULL);
  • return;

- }

  • /*
    • See if the printer already exists; if not, create a new printer...
      */

@@ -2213,18 +2218,31 @@
}

/*
  • * No, add the printer...
    • No, check the default policy then add the printer...
      */
  • if ((status = cupsdCheckPolicy(DefaultPolicyPtr, con, NULL)) != HTTP_OK)
  • {
  •  send_http_error(con, status, NULL);
    
  •  return;
    
  • }

printer = cupsdAddPrinter(resource + 10);
modify = 0;
}
else if (printer->type & CUPS_PRINTER_IMPLICIT)
{
/*

  • * Rename the implicit printer to "AnyPrinter" or delete it...
  • * Check the default policy, then rename the implicit printer to
    • "AnyPrinter" or delete it...
      */
  • if ((status = cupsdCheckPolicy(DefaultPolicyPtr, con, NULL)) != HTTP_OK)
  • {
  •  send_http_error(con, status, NULL);
    
  •  return;
    
  • }

if (ImplicitAnyClasses)
{
snprintf(newname, sizeof(newname), "Any%s", resource + 10);
@@ -2243,9 +2261,16 @@
else if (printer->type & CUPS_PRINTER_DISCOVERED)
{
/*

  • * Rename the remote printer to "Printer@server"...
  • * Check the default policy, then rename the remote printer to
    • "Printer@server"...
      */
  • if ((status = cupsdCheckPolicy(DefaultPolicyPtr, con, NULL)) != HTTP_OK)
  • {
  •  send_http_error(con, status, NULL);
    
  •  return;
    
  • }

snprintf(newname, sizeof(newname), "%s@%s", resource + 10,
printer->hostname);
cupsdRenamePrinter(printer, newname);
@@ -2257,6 +2282,12 @@
printer = cupsdAddPrinter(resource + 10);
modify = 0;
}

  • else if ((status = cupsdCheckPolicy(printer->op_policy_ptr, con,
  •                                  NULL)) != HTTP_OK)
    
  • {
  • send_http_error(con, status, NULL);
  • return;
  • }
    else
    modify = 1;
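
Review bot: the printer handler repeats the class handler's changes line for line with printer in place of pclass, so the two authorization paths have to be kept in step by hand. A shared helper that takes the existing queue pointer (NULL when there is none) and returns the policy to check would cover both. A regression test with a user permitted by the printer's policy but not by the default policy, first modifying the queue and then attempting to create a new one, would pin down the behaviour this issue is about.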
