--- a/usr/src/cmd/lp/cmd/lpsched/server.xml	Mon Apr 09 16:04:26 2007 -0700
+++ b/usr/src/cmd/lp/cmd/lpsched/server.xml	Mon Apr 09 17:13:22 2007 -0700
@@ -1,15 +1,14 @@
 <?xml version="1.0"?>
 <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
 <!--
- Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
  Use is subject to license terms.
 
  CDDL HEADER START
 
  The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License").  You may not use this file except in compliance
- with the License.
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
 
  You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  or http://www.opensolaris.org/os/licensing.
@@ -39,6 +38,7 @@
     type='service'
     version='1'>
 
+	<create_default_instance enabled='false' />
 	<single_instance />
 
 	<dependency
@@ -99,7 +99,13 @@
 		<propval name='reserved_fds' type='count' value='0' />
 	</property_group>
 
-	<instance name='default' enabled='false' />
+	<property_group name='general' type='framework'>
+		<!-- to start/stop spooling daemon -->
+		<propval name='action_authorization' type='astring'
+			value='solaris.print.admin' />
+		<propval name='value_authorization' type='astring'
+			value='solaris.print.admin' />
+	</property_group>
 
 	<stability value='Unstable' />
 

--- a/usr/src/cmd/lp/model/uri	Mon Apr 09 16:04:26 2007 -0700
+++ b/usr/src/cmd/lp/model/uri	Mon Apr 09 17:13:22 2007 -0700
@@ -3,9 +3,8 @@
 # CDDL HEADER START
 #
 # The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License").  You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
 #
 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 # or http://www.opensolaris.org/os/licensing.
@@ -21,7 +20,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # ident	"%Z%%M%	%I%	%E% SMI"
@@ -56,6 +55,7 @@
 EXIT_RETRY=129
 
 fail() {	# exit-code "message"
+	logger -p lpr.error -t ${TAG} "${2}"
 	echo ${2} >&5
 	exit ${1}
 }
@@ -196,6 +196,20 @@
 		IO_HANDLER_ARGS="${request_id} ${user} \"${title}\" 1
 				 \"${options}\""
 		;;
+	tcp|socket)
+		URI_HOST=$(expr "${DEVICE_URI}" : ".*://\([^:/]*\)")
+		URI_PORT=$(expr "${DEVICE_URI}" : ".*://.*:\([^/]*\)")
+		if [[ -z "${URI_HOST}" ]] ; then
+			fail ${EXIT_FATAL} "invalid device-uri: ${DEVICE_URI}, reset with lpadmin -v"
+		fi
+		URI_PORT=${URI_PORT:-"9100"}
+		IO_HANDLER="telnet"
+		IO_HANDLER_ARGS="-c -E ${URI_HOST} ${URI_PORT}"
+		;;
+	lpd|ipp)
+		IO_HANDLER="lp"
+		IO_HANDLER_ARGS="-s -d ${DEVICE_URI}"
+		;;
 	*)
 		IO_HANDLER=${URI_SCHEME}
 		IO_HANDLER_ARGS=""

--- a/usr/src/cmd/print/bsd-sysv-commands/rfc1179.xml	Mon Apr 09 16:04:26 2007 -0700
+++ b/usr/src/cmd/print/bsd-sysv-commands/rfc1179.xml	Mon Apr 09 17:13:22 2007 -0700
@@ -80,6 +80,14 @@
 		<propval name='proto' type='astring' value='tcp6' />
 	</property_group>
 
+	<property_group name='general' type='framework'>
+		<!-- to start/stop rfc1179 listening -->
+		<propval name='action_authorization' type='astring'
+			value='solaris.print.admin' />
+		<propval name='value_authorization' type='astring'
+			value='solaris.print.admin' />
+	</property_group>
+
 	<stability value='Unstable' />
 
 	<template>

--- a/usr/src/cmd/print/lpset/Makefile	Mon Apr 09 16:04:26 2007 -0700
+++ b/usr/src/cmd/print/lpset/Makefile	Mon Apr 09 17:13:22 2007 -0700
@@ -2,9 +2,8 @@
 # CDDL HEADER START
 #
 # The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License").  You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
 #
 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 # or http://www.opensolaris.org/os/licensing.
@@ -20,8 +19,8 @@
 # CDDL HEADER END
 #
 #
-# Copyright (c) 1994, 1995, 1996 by Sun Microsystems, Inc.
-# All Rights Reserved
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
 #
 # ident	"%Z%%M%	%I%	%E% SMI"
 #
@@ -42,7 +41,7 @@
 OWNER=		root
 
 CPPFLAGS +=	-I$(NPRTINC)
-LDLIBS +=	$(LIBNPRT)
+LDLIBS +=	$(LIBNPRT) -lsecdb
 
 .KEEP_STATE:
 

--- a/usr/src/cmd/print/lpset/lpset.c	Mon Apr 09 16:04:26 2007 -0700
+++ b/usr/src/cmd/print/lpset/lpset.c	Mon Apr 09 17:13:22 2007 -0700
@@ -19,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -50,6 +50,34 @@
 
 static void _decode_ldapResult(int result, char *printerName);
 
+static int
+authorized()
+{
+	struct passwd *pw;
+	uid_t uid;
+	gid_t list[NGROUPS_MAX];
+	int len;
+
+	if ((uid = getuid()) == 0)
+		return (1);	/* "root" is authorized */
+
+	if (((pw = getpwnam("lp")) != NULL) && (uid == pw->pw_uid))
+		return (1);	/* "lp" is authorized */
+
+	if ((pw = getpwuid(uid)) == NULL)
+		return (0);	/* intruders are not authorized */
+
+	if (chkauthattr("solaris.print.admin", pw->pw_name) == 1)
+		return (1);	/* "solaris.print.admin" is authorized */
+
+	if ((len = getgroups(sizeof (list), list)) != -1)
+		for (; len >= 0; len--)
+			if (list[len] == 14)
+				return (1);	/* group 14 is authorized */
+
+	return (0);	/* nobody else is authorized */
+}
+
 static void
 Usage(char *name)
 {
@@ -162,33 +190,10 @@
 		(void) setuid(getuid());
 		ons = "user";
 	} else if (strcasecmp("files", ons) == 0) {
-		struct passwd *pw = getpwnam("lp");
-		uid_t uid, lpuid = 0;
-
-		if (pw != NULL)
-			lpuid = pw->pw_uid;
-		uid = getuid();
-		if ((uid != 0) && (uid != lpuid)) {
-			int len;
-			gid_t list[NGROUPS_MAX];
-
-			len = getgroups(sizeof (list), list);
-			if (len == -1) {
-				(void) fprintf(stderr, gettext(
-					"Call to getgroups failed with "
-					"errno %d\n"), errno);
-				return (1);
-			}
-
-			for (; len >= 0; len--)
-				if (list[len] == 14)
-					break;
-
-			if (len == -1) {
-				(void) fprintf(stderr, gettext(
-				    "Permission denied: not in group 14\n"));
-				return (1);
-			}
+		if (authorized() == 0) {
+			(void) fprintf(stderr, gettext(
+				"Permission denied: not authorized\n"));
+			return (1);
 		}
 		ons = "files";
 	} else if (strcasecmp("nisplus", ons) == 0) {

--- a/usr/src/cmd/print/scripts/lpadmin	Mon Apr 09 16:04:26 2007 -0700
+++ b/usr/src/cmd/print/scripts/lpadmin	Mon Apr 09 17:13:22 2007 -0700
@@ -32,10 +32,12 @@
 TEXTDOMAIN="SUNW_OST_OSCMD"
 export TEXTDOMAIN
 
+PFEXEC=/usr/bin/pfexec
 LPSET=/usr/bin/lpset
 LPGET=/usr/bin/lpget
 LPSTAT=/usr/bin/lpstat
 LPADMIN=/usr/lib/lp/local/lpadmin
+LPFILTER=/usr/sbin/lpfilter
 COMM=/usr/bin/comm
 PPDMGR=/usr/sbin/ppdmgr
 
@@ -58,7 +60,7 @@
 lp_config_filters() {
 	if [[ ! -f /etc/lp/filter.table ]] ; then
 		cd /etc/lp/fd ; for filter in *.fd ; do
-			/usr/sbin/lpfilter \
+			${PFEXEC} ${LPFILTER} \
 				-f $(/usr/bin/basename $filter .fd) \
 				-F $filter
 		done
@@ -107,7 +109,7 @@
 # $2  - label name (optional)
 add_new_ppd_file() {
 	# Add new ppd file and echo full path it was actually saved to
-	ppdmgrcmd="${PPDMGR} -a ${1} -w"
+	ppdmgrcmd="${PFEXEC} ${PPDMGR} -a ${1} -w"
 
 	ppderrfile=/tmp/lpadminerror.$$
 	ppd_file=$(${ppdmgrcmd} 2>${ppderrfile})
@@ -308,7 +310,7 @@
 	fi
 
 	# modify LP destination(s)
-	CMD=${LPADMIN}
+	CMD="${PFEXEC} ${LPADMIN}"
 	while [[ -n "$*" ]] ; do	# to deal with multi-word arguments
 		CMD="$CMD \"$1\""
 		# replace the ppd_file originally specified with the -n option

--- a/usr/src/lib/libsecdb/exec_attr.txt	Mon Apr 09 16:04:26 2007 -0700
+++ b/usr/src/lib/libsecdb/exec_attr.txt	Mon Apr 09 17:13:22 2007 -0700
@@ -1,6 +1,3 @@
-#
-# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
-# Use is subject to license terms.
 #
 # CDDL HEADER START
 #
@@ -21,6 +18,9 @@
 #
 # CDDL HEADER END
 #
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
 # /etc/security/exec_attr
 #
 # execution attributes for profiles. see exec_attr(4)
@@ -224,22 +224,11 @@
 Object Access Management:suser:cmd:::/usr/bin/chown:euid=0
 Object Access Management:suser:cmd:::/usr/bin/getfacl:euid=0
 Object Access Management:suser:cmd:::/usr/bin/setfacl:euid=0
-Printer Management:suser:cmd:::/usr/bin/cancel:euid=lp;uid=lp
-Printer Management:suser:cmd:::/usr/bin/lpset:egid=14
-Printer Management:suser:cmd:::/usr/bin/lpstat:euid=0
-Printer Management:suser:cmd:::/usr/lib/lp/local/accept:uid=lp
-Printer Management:suser:cmd:::/usr/lib/lp/local/lpadmin:uid=lp;gid=8 
-Printer Management:suser:cmd:::/usr/lib/lp/lpsched:uid=0
-Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp;uid=lp
-Printer Management:suser:cmd:::/usr/sbin/lpadmin:egid=14;uid=lp;gid=8 
+Printer Management:suser:cmd:::/usr/lib/lp/local/lpadmin:uid=lp;gid=lp 
 Printer Management:suser:cmd:::/usr/sbin/lpfilter:euid=lp;uid=lp
 Printer Management:suser:cmd:::/usr/sbin/lpforms:euid=lp
-Printer Management:suser:cmd:::/usr/sbin/lpmove:euid=lp
-Printer Management:suser:cmd:::/usr/sbin/lpshut:euid=lp
 Printer Management:suser:cmd:::/usr/sbin/lpusers:euid=lp
 Printer Management:suser:cmd:::/usr/sbin/ppdmgr:euid=0
-Printer Management:suser:cmd:::/usr/ucb/lpq:euid=0
-Printer Management:suser:cmd:::/usr/ucb/lprm:euid=0
 Process Management:solaris:cmd:::/usr/bin/kill:privs=proc_owner
 Process Management:solaris:cmd:::/usr/bin/nice:privs=proc_owner,proc_priocntl
 Process Management:solaris:cmd:::/usr/bin/pcred:privs=proc_owner

--- a/usr/src/lib/libsecdb/prof_attr.txt	Mon Apr 09 16:04:26 2007 -0700
+++ b/usr/src/lib/libsecdb/prof_attr.txt	Mon Apr 09 17:13:22 2007 -0700
@@ -36,7 +36,7 @@
 Audit Review:::Review BSM auditing logs:auths=solaris.audit.read;help=RtAuditReview.html
 Contract Observer:::Reliably observe any/all contract events:help=RtContractObserver.html
 Device Management:::Control Access to Removable Media:auths=solaris.device.*;help=RtDeviceMngmnt.html
-Printer Management:::Manage printers, daemons, spooling:help=RtPrntAdmin.html
+Printer Management:::Manage printers, daemons, spooling:auths=solaris.print.admin:help=RtPrntAdmin.html
 Cron Management:::Manage at and cron jobs:auths=solaris.jobs.*,solaris.smf.manage.cron;help=RtCronMngmnt.html
 Log Management:::Manage log files:help=RtLogMngmnt.html
 Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read,solaris.jobs.user,solaris.mail.mailq,solaris.device.mount.removable;profiles=All;help=RtDefault.html

--- a/usr/src/lib/print/mod_ipp/ipp-listener.xml	Mon Apr 09 16:04:26 2007 -0700
+++ b/usr/src/lib/print/mod_ipp/ipp-listener.xml	Mon Apr 09 17:13:22 2007 -0700
@@ -34,6 +34,8 @@
     type='service'
     version='1'>
 
+	<create_default_instance enabled='false' />
+
 	<dependency name='print-service'
 	    grouping='require_any'
 	    restart_on='refresh'
@@ -53,7 +55,13 @@
 	    exec='/bin/pkill -f httpd-standalone-ipp.conf'
 	    timeout_seconds='5' />
 
-	<instance name='default' enabled='false' />
+	<property_group name='general' type='framework'>
+		<!-- to start/stop IPP listening service-->
+		<propval name='action_authorization' type='astring'
+			value='solaris.print.admin' />
+		<propval name='value_authorization' type='astring'
+			value='solaris.print.admin' />
+	</property_group>
 
 	<stability value='Unstable' />