One quick fix to prevent write access to the CUPS spool directory.

git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@11943 a1ca3aef-8c08-0410-bb20-df032aa958be
author: msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be> 2014-06-24 16:02:51 +0000
committer: msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be> 2014-06-24 16:02:51 +0000
commit: 6e4925fbe63edc68e0e9aaf443b00ef949d32950 (patch)
tree: 338ad4d6d031d49269c55bf382595639194fb12c /scheduler/process.c
parent: 99328a65fc234ba3478252b53d31fac720ac5da9 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/scheduler/process.c b/scheduler/process.c
index b25ac5674..a036dfa07 100644
--- a/scheduler/process.c
+++ b/scheduler/process.c
@@ -290,6 +290,10 @@ cupsdCreateProfile(int job_id,		/* I - Job ID or 0 for none */
 		   "))\n",
 		   testroot);
   }
+  cupsFilePrintf(fp,
+		 "(deny file-write* file-read-data file-read-metadata\n"
+		 "       (regex #\"^%s$\" #\"^%s/\"))\n",
+		 request, request);
   if (job_id)
   {
     /* Allow job filters to read the current job files... */
author	msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>	2014-06-24 16:02:51 +0000
committer	msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>	2014-06-24 16:02:51 +0000
commit	6e4925fbe63edc68e0e9aaf443b00ef949d32950 (patch)
tree	338ad4d6d031d49269c55bf382595639194fb12c /scheduler/process.c
parent	99328a65fc234ba3478252b53d31fac720ac5da9 (diff)