Add /admin/log section to cupsd.conf so that remote admin also controls remote

access to the log files (<rdar://problem/23134415>)


git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@12938 a1ca3aef-8c08-0410-bb20-df032aa958be

3 files changed, 53 insertions, 3 deletions

diff --git a/CHANGES-2.1.txt b/CHANGES-2.1.txt
index 443557ad5..80fb00333 100644
--- a/CHANGES-2.1.txt
+++ b/CHANGES-2.1.txt
@@ -9,7 +9,7 @@ CHANGES IN CUPS V2.1.1
 	  <rdar://problem/23133393>, <rdar://problem/23133466>,
 	  <rdar://problem/23133833>, <rdar://problem/23133998>,
 	  <rdar://problem/23134228>, <rdar://problem/23134299>,
-	  <rdar://problem/23134356>)
+	  <rdar://problem/23134356>, <rdar://problem/23134415>)
 	- The cupsGetPPD* functions did not work with IPP printers (STR #4725)
 	- Some older HP LaserJet printers need a delayed close when printing
 	  using the libusb-based USB backend (STR #4549)
diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
index e17601446..2fd0de0c3 100644
--- a/conf/cupsd.conf.in
+++ b/conf/cupsd.conf.in
@@ -39,6 +39,13 @@ WebInterface @CUPS_WEBIF@
   Order allow,deny
 </Location>
 
+# Restrict access to log files...
+<Location /admin/log>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
+</Location>
+
 # Set the default printer/job policies...
 <Policy default>
   # Job/subscription privacy...
diff --git a/cups/adminutil.c b/cups/adminutil.c
index 5a7dea092..424c02b4c 100644
--- a/cups/adminutil.c
+++ b/cups/adminutil.c
@@ -3,7 +3,7 @@
  *
  * Administration utility API definitions for CUPS.
  *
- * Copyright 2007-2014 by Apple Inc.
+ * Copyright 2007-2015 by Apple Inc.
  * Copyright 2001-2007 by Easy Software Products.
  *
  * These coded instructions, statements, and computer programs are the
@@ -1175,6 +1175,7 @@ cupsAdminSetServerSettings(
 		in_cancel_job,		/* In a cancel-job section? */
 		in_admin_location,	/* In the /admin location? */
 		in_conf_location,	/* In the /admin/conf location? */
+		in_log_location,	/* In the /admin/log location? */
 		in_root_location;	/* In the / location? */
   const char	*val;			/* Setting value */
   int		share_printers,		/* Share local printers */
@@ -1188,6 +1189,7 @@ cupsAdminSetServerSettings(
 		wrote_loglevel,		/* Wrote the LogLevel line? */
 		wrote_admin_location,	/* Wrote the /admin location? */
 		wrote_conf_location,	/* Wrote the /admin/conf location? */
+		wrote_log_location,	/* Wrote the /admin/log location? */
 		wrote_root_location;	/* Wrote the / location? */
   int		indent;			/* Indentation */
   int		cupsd_num_settings;	/* New number of settings */
@@ -1401,12 +1403,14 @@ cupsAdminSetServerSettings(
   in_conf_location     = 0;
   in_default_policy    = 0;
   in_location          = 0;
+  in_log_location      = 0;
   in_policy            = 0;
   in_root_location     = 0;
   linenum              = 0;
   wrote_admin_location = 0;
   wrote_browsing       = 0;
   wrote_conf_location  = 0;
+  wrote_log_location   = 0;
   wrote_loglevel       = 0;
   wrote_policy         = 0;
   wrote_port_listen    = 0;
@@ -1550,8 +1554,10 @@ cupsAdminSetServerSettings(
       indent += 2;
       if (!strcmp(value, "/admin"))
 	in_admin_location = 1;
-      if (!strcmp(value, "/admin/conf"))
+      else if (!strcmp(value, "/admin/conf"))
 	in_conf_location = 1;
+      else if (!strcmp(value, "/admin/log"))
+	in_log_location = 1;
       else if (!strcmp(value, "/"))
 	in_root_location = 1;
 
@@ -1593,6 +1599,23 @@ cupsAdminSetServerSettings(
 	  cupsFilePrintf(temp, "  Allow %s\n",
 	                 remote_any > 0 ? "all" : "@LOCAL");
       }
+      else if (in_log_location && remote_admin >= 0)
+      {
+	wrote_log_location = 1;
+
+	if (remote_admin)
+          cupsFilePuts(temp, "  # Allow remote access to the log "
+	                     "files...\n");
+	else
+          cupsFilePuts(temp, "  # Restrict access to the log "
+	                     "files...\n");
+
+        cupsFilePuts(temp, "  Order allow,deny\n");
+
+	if (remote_admin)
+	  cupsFilePrintf(temp, "  Allow %s\n",
+	                 remote_any > 0 ? "all" : "@LOCAL");
+      }
       else if (in_root_location &&
                (remote_admin >= 0 || remote_any > 0 || share_printers >= 0))
       {
@@ -1619,6 +1642,7 @@ cupsAdminSetServerSettings(
 
       in_admin_location = 0;
       in_conf_location  = 0;
+      in_log_location   = 0;
       in_root_location  = 0;
 
       cupsFilePuts(temp, "</Location>\n");
@@ -1867,6 +1891,25 @@ cupsAdminSetServerSettings(
     cupsFilePuts(temp, "</Location>\n");
   }
 
+  if (!wrote_log_location && remote_admin >= 0)
+  {
+    if (remote_admin)
+      cupsFilePuts(temp,
+                   "# Allow remote access to the log files...\n");
+    else
+      cupsFilePuts(temp, "# Restrict access to the log files...\n");
+
+    cupsFilePuts(temp, "<Location /admin/log>\n"
+                       "  AuthType Default\n"
+                       "  Require user @SYSTEM\n"
+                       "  Order allow,deny\n");
+
+    if (remote_admin)
+      cupsFilePrintf(temp, "  Allow %s\n", remote_any > 0 ? "all" : "@LOCAL");
+
+    cupsFilePuts(temp, "</Location>\n");
+  }
+
   if (!wrote_policy && user_cancel_any >= 0)
   {
     cupsFilePuts(temp, "<Policy default>\n"