Mercurial > illumos > illumos-gate
changeset 3999:666384b31577
6222297 lpsched and lpshut should be corrected/removed from exec_attr
6454630 print subsystem enable and disable commands not RBAC capable
6538881 lpadmin cannot create queue even with Print Management profile
6539897 uri interface script should handle common device-uri forms
author | jacobs |
---|---|
date | Mon, 09 Apr 2007 17:13:22 -0700 |
parents | e0575d2275f8 |
children | 282750a23d97 |
files | usr/src/cmd/lp/cmd/lpsched/server.xml usr/src/cmd/lp/model/uri usr/src/cmd/print/bsd-sysv-commands/rfc1179.xml usr/src/cmd/print/lpset/Makefile usr/src/cmd/print/lpset/lpset.c usr/src/cmd/print/scripts/lpadmin usr/src/lib/libsecdb/exec_attr.txt usr/src/lib/libsecdb/prof_attr.txt usr/src/lib/print/mod_ipp/ipp-listener.xml |
diffstat | 9 files changed, 94 insertions(+), 63 deletions(-) [+] |
line wrap: on
line diff
--- a/usr/src/cmd/lp/cmd/lpsched/server.xml Mon Apr 09 16:04:26 2007 -0700 +++ b/usr/src/cmd/lp/cmd/lpsched/server.xml Mon Apr 09 17:13:22 2007 -0700 @@ -1,15 +1,14 @@ <?xml version="1.0"?> <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1"> <!-- - Copyright 2005 Sun Microsystems, Inc. All rights reserved. + Copyright 2007 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. CDDL HEADER START The contents of this file are subject to the terms of the - Common Development and Distribution License, Version 1.0 only - (the "License"). You may not use this file except in compliance - with the License. + Common Development and Distribution License (the "License"). + You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. @@ -39,6 +38,7 @@ type='service' version='1'> + <create_default_instance enabled='false' /> <single_instance /> <dependency @@ -99,7 +99,13 @@ <propval name='reserved_fds' type='count' value='0' /> </property_group> - <instance name='default' enabled='false' /> + <property_group name='general' type='framework'> + <!-- to start/stop spooling daemon --> + <propval name='action_authorization' type='astring' + value='solaris.print.admin' /> + <propval name='value_authorization' type='astring' + value='solaris.print.admin' /> + </property_group> <stability value='Unstable' />
--- a/usr/src/cmd/lp/model/uri Mon Apr 09 16:04:26 2007 -0700 +++ b/usr/src/cmd/lp/model/uri Mon Apr 09 17:13:22 2007 -0700 @@ -3,9 +3,8 @@ # CDDL HEADER START # # The contents of this file are subject to the terms of the -# Common Development and Distribution License, Version 1.0 only -# (the "License"). You may not use this file except in compliance -# with the License. +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. # # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE # or http://www.opensolaris.org/os/licensing. @@ -21,7 +20,7 @@ # CDDL HEADER END # # -# Copyright 2005 Sun Microsystems, Inc. All rights reserved. +# Copyright 2007 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # ident "%Z%%M% %I% %E% SMI" @@ -56,6 +55,7 @@ EXIT_RETRY=129 fail() { # exit-code "message" + logger -p lpr.error -t ${TAG} "${2}" echo ${2} >&5 exit ${1} } @@ -196,6 +196,20 @@ IO_HANDLER_ARGS="${request_id} ${user} \"${title}\" 1 \"${options}\"" ;; + tcp|socket) + URI_HOST=$(expr "${DEVICE_URI}" : ".*://\([^:/]*\)") + URI_PORT=$(expr "${DEVICE_URI}" : ".*://.*:\([^/]*\)") + if [[ -z "${URI_HOST}" ]] ; then + fail ${EXIT_FATAL} "invalid device-uri: ${DEVICE_URI}, reset with lpadmin -v" + fi + URI_PORT=${URI_PORT:-"9100"} + IO_HANDLER="telnet" + IO_HANDLER_ARGS="-c -E ${URI_HOST} ${URI_PORT}" + ;; + lpd|ipp) + IO_HANDLER="lp" + IO_HANDLER_ARGS="-s -d ${DEVICE_URI}" + ;; *) IO_HANDLER=${URI_SCHEME} IO_HANDLER_ARGS=""
--- a/usr/src/cmd/print/bsd-sysv-commands/rfc1179.xml Mon Apr 09 16:04:26 2007 -0700 +++ b/usr/src/cmd/print/bsd-sysv-commands/rfc1179.xml Mon Apr 09 17:13:22 2007 -0700 @@ -80,6 +80,14 @@ <propval name='proto' type='astring' value='tcp6' /> </property_group> + <property_group name='general' type='framework'> + <!-- to start/stop rfc1179 listening --> + <propval name='action_authorization' type='astring' + value='solaris.print.admin' /> + <propval name='value_authorization' type='astring' + value='solaris.print.admin' /> + </property_group> + <stability value='Unstable' /> <template>
--- a/usr/src/cmd/print/lpset/Makefile Mon Apr 09 16:04:26 2007 -0700 +++ b/usr/src/cmd/print/lpset/Makefile Mon Apr 09 17:13:22 2007 -0700 @@ -2,9 +2,8 @@ # CDDL HEADER START # # The contents of this file are subject to the terms of the -# Common Development and Distribution License, Version 1.0 only -# (the "License"). You may not use this file except in compliance -# with the License. +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. # # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE # or http://www.opensolaris.org/os/licensing. @@ -20,8 +19,8 @@ # CDDL HEADER END # # -# Copyright (c) 1994, 1995, 1996 by Sun Microsystems, Inc. -# All Rights Reserved +# Copyright 2007 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. # # ident "%Z%%M% %I% %E% SMI" # @@ -42,7 +41,7 @@ OWNER= root CPPFLAGS += -I$(NPRTINC) -LDLIBS += $(LIBNPRT) +LDLIBS += $(LIBNPRT) -lsecdb .KEEP_STATE:
--- a/usr/src/cmd/print/lpset/lpset.c Mon Apr 09 16:04:26 2007 -0700 +++ b/usr/src/cmd/print/lpset/lpset.c Mon Apr 09 17:13:22 2007 -0700 @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -50,6 +50,34 @@ static void _decode_ldapResult(int result, char *printerName); +static int +authorized() +{ + struct passwd *pw; + uid_t uid; + gid_t list[NGROUPS_MAX]; + int len; + + if ((uid = getuid()) == 0) + return (1); /* "root" is authorized */ + + if (((pw = getpwnam("lp")) != NULL) && (uid == pw->pw_uid)) + return (1); /* "lp" is authorized */ + + if ((pw = getpwuid(uid)) == NULL) + return (0); /* intruders are not authorized */ + + if (chkauthattr("solaris.print.admin", pw->pw_name) == 1) + return (1); /* "solaris.print.admin" is authorized */ + + if ((len = getgroups(sizeof (list), list)) != -1) + for (; len >= 0; len--) + if (list[len] == 14) + return (1); /* group 14 is authorized */ + + return (0); /* nobody else is authorized */ +} + static void Usage(char *name) { @@ -162,33 +190,10 @@ (void) setuid(getuid()); ons = "user"; } else if (strcasecmp("files", ons) == 0) { - struct passwd *pw = getpwnam("lp"); - uid_t uid, lpuid = 0; - - if (pw != NULL) - lpuid = pw->pw_uid; - uid = getuid(); - if ((uid != 0) && (uid != lpuid)) { - int len; - gid_t list[NGROUPS_MAX]; - - len = getgroups(sizeof (list), list); - if (len == -1) { - (void) fprintf(stderr, gettext( - "Call to getgroups failed with " - "errno %d\n"), errno); - return (1); - } - - for (; len >= 0; len--) - if (list[len] == 14) - break; - - if (len == -1) { - (void) fprintf(stderr, gettext( - "Permission denied: not in group 14\n")); - return (1); - } + if (authorized() == 0) { + (void) fprintf(stderr, gettext( + "Permission denied: not authorized\n")); + return (1); } ons = "files"; } else if (strcasecmp("nisplus", ons) == 0) {
--- a/usr/src/cmd/print/scripts/lpadmin Mon Apr 09 16:04:26 2007 -0700 +++ b/usr/src/cmd/print/scripts/lpadmin Mon Apr 09 17:13:22 2007 -0700 @@ -32,10 +32,12 @@ TEXTDOMAIN="SUNW_OST_OSCMD" export TEXTDOMAIN +PFEXEC=/usr/bin/pfexec LPSET=/usr/bin/lpset LPGET=/usr/bin/lpget LPSTAT=/usr/bin/lpstat LPADMIN=/usr/lib/lp/local/lpadmin +LPFILTER=/usr/sbin/lpfilter COMM=/usr/bin/comm PPDMGR=/usr/sbin/ppdmgr @@ -58,7 +60,7 @@ lp_config_filters() { if [[ ! -f /etc/lp/filter.table ]] ; then cd /etc/lp/fd ; for filter in *.fd ; do - /usr/sbin/lpfilter \ + ${PFEXEC} ${LPFILTER} \ -f $(/usr/bin/basename $filter .fd) \ -F $filter done @@ -107,7 +109,7 @@ # $2 - label name (optional) add_new_ppd_file() { # Add new ppd file and echo full path it was actually saved to - ppdmgrcmd="${PPDMGR} -a ${1} -w" + ppdmgrcmd="${PFEXEC} ${PPDMGR} -a ${1} -w" ppderrfile=/tmp/lpadminerror.$$ ppd_file=$(${ppdmgrcmd} 2>${ppderrfile}) @@ -308,7 +310,7 @@ fi # modify LP destination(s) - CMD=${LPADMIN} + CMD="${PFEXEC} ${LPADMIN}" while [[ -n "$*" ]] ; do # to deal with multi-word arguments CMD="$CMD \"$1\"" # replace the ppd_file originally specified with the -n option
--- a/usr/src/lib/libsecdb/exec_attr.txt Mon Apr 09 16:04:26 2007 -0700 +++ b/usr/src/lib/libsecdb/exec_attr.txt Mon Apr 09 17:13:22 2007 -0700 @@ -1,6 +1,3 @@ -# -# Copyright 2007 Sun Microsystems, Inc. All rights reserved. -# Use is subject to license terms. # # CDDL HEADER START # @@ -21,6 +18,9 @@ # # CDDL HEADER END # +# Copyright 2007 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# # /etc/security/exec_attr # # execution attributes for profiles. see exec_attr(4) @@ -224,22 +224,11 @@ Object Access Management:suser:cmd:::/usr/bin/chown:euid=0 Object Access Management:suser:cmd:::/usr/bin/getfacl:euid=0 Object Access Management:suser:cmd:::/usr/bin/setfacl:euid=0 -Printer Management:suser:cmd:::/usr/bin/cancel:euid=lp;uid=lp -Printer Management:suser:cmd:::/usr/bin/lpset:egid=14 -Printer Management:suser:cmd:::/usr/bin/lpstat:euid=0 -Printer Management:suser:cmd:::/usr/lib/lp/local/accept:uid=lp -Printer Management:suser:cmd:::/usr/lib/lp/local/lpadmin:uid=lp;gid=8 -Printer Management:suser:cmd:::/usr/lib/lp/lpsched:uid=0 -Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp;uid=lp -Printer Management:suser:cmd:::/usr/sbin/lpadmin:egid=14;uid=lp;gid=8 +Printer Management:suser:cmd:::/usr/lib/lp/local/lpadmin:uid=lp;gid=lp Printer Management:suser:cmd:::/usr/sbin/lpfilter:euid=lp;uid=lp Printer Management:suser:cmd:::/usr/sbin/lpforms:euid=lp -Printer Management:suser:cmd:::/usr/sbin/lpmove:euid=lp -Printer Management:suser:cmd:::/usr/sbin/lpshut:euid=lp Printer Management:suser:cmd:::/usr/sbin/lpusers:euid=lp Printer Management:suser:cmd:::/usr/sbin/ppdmgr:euid=0 -Printer Management:suser:cmd:::/usr/ucb/lpq:euid=0 -Printer Management:suser:cmd:::/usr/ucb/lprm:euid=0 Process Management:solaris:cmd:::/usr/bin/kill:privs=proc_owner Process Management:solaris:cmd:::/usr/bin/nice:privs=proc_owner,proc_priocntl Process Management:solaris:cmd:::/usr/bin/pcred:privs=proc_owner
--- a/usr/src/lib/libsecdb/prof_attr.txt Mon Apr 09 16:04:26 2007 -0700 +++ b/usr/src/lib/libsecdb/prof_attr.txt Mon Apr 09 17:13:22 2007 -0700 @@ -36,7 +36,7 @@ Audit Review:::Review BSM auditing logs:auths=solaris.audit.read;help=RtAuditReview.html Contract Observer:::Reliably observe any/all contract events:help=RtContractObserver.html Device Management:::Control Access to Removable Media:auths=solaris.device.*;help=RtDeviceMngmnt.html -Printer Management:::Manage printers, daemons, spooling:help=RtPrntAdmin.html +Printer Management:::Manage printers, daemons, spooling:auths=solaris.print.admin:help=RtPrntAdmin.html Cron Management:::Manage at and cron jobs:auths=solaris.jobs.*,solaris.smf.manage.cron;help=RtCronMngmnt.html Log Management:::Manage log files:help=RtLogMngmnt.html Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read,solaris.jobs.user,solaris.mail.mailq,solaris.device.mount.removable;profiles=All;help=RtDefault.html
--- a/usr/src/lib/print/mod_ipp/ipp-listener.xml Mon Apr 09 16:04:26 2007 -0700 +++ b/usr/src/lib/print/mod_ipp/ipp-listener.xml Mon Apr 09 17:13:22 2007 -0700 @@ -34,6 +34,8 @@ type='service' version='1'> + <create_default_instance enabled='false' /> + <dependency name='print-service' grouping='require_any' restart_on='refresh' @@ -53,7 +55,13 @@ exec='/bin/pkill -f httpd-standalone-ipp.conf' timeout_seconds='5' /> - <instance name='default' enabled='false' /> + <property_group name='general' type='framework'> + <!-- to start/stop IPP listening service--> + <propval name='action_authorization' type='astring' + value='solaris.print.admin' /> + <propval name='value_authorization' type='astring' + value='solaris.print.admin' /> + </property_group> <stability value='Unstable' />