Bug 481303

Summary: cupsd.conf directive "Satisfy Any" broken when upgrading from CUPS v1.2.4 to CUPS v1.3.7
Product: Red Hat Enterprise Linux 5 Reporter: Eskil Brun <eskil>
Component: cupsAssignee: Tim Waugh <twaugh>
Status: CLOSED ERRATA QA Contact: desktop-bugs <desktop-bugs>
Severity: high Docs Contact:
Priority: high    
Version: 5.3CC: ophers, pknirsch, syeghiay, ykopkova
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
The CUPS configuration file directive "Satisfy Any" was not correctly implemented, causing access to be restricted in situations where it should not have been.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-02 11:25:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 513501    
Attachments:
Description Flags
cups-str2782.patch none

Description Eskil Brun 2009-01-23 14:37:37 UTC 
Description of problem:

When upgrading from version 1.2.4 to 1.3.7 of CUPS, the
"Satisfy Any" directive in cupsd.conf was broken.

How reproducible: Very

We used to use something like this until the update:

<Location />
  # Restrict access to the server...
  Satisfy Any
  Order Allow, Deny
  Allow from 127.0.0.1
  Allow from a.b.c.0/24
  Allow from d.e.f.0/24
  AuthType Basic
</Location>

Which would allow clients with addresses a.b.c.nnn and d.e.f.nnn
to print jobs without authenticating. All others would have to
authenticate in order to print jobs.

This was broken in the upgrade to RHEL5.3 and CUPS version 1.3.7

This following web page pretty much sums up the problem and points to a
patch (str2782.patch) to fix the "Satisfy Any" directive.

  https://bugs.launchpad.net/ubuntu/+source/cupsys/+bug/247687

At our site we have now disabled printing from laptops to our CUPS server
over IPP. We wait for a fix that will restore the functionality we had
with RHEL5.2 and CUPS 1.2.4

Eskil...
:-)
Comment 1 Tim Waugh 2009-01-23 15:11:54 UTC 
Created attachment 329844 [details]
cups-str2782.patch
Comment 2 Tim Waugh 2009-01-23 15:13:39 UTC 
Thanks for reporting this, and apologies for not catching it before RHEL-5.3 was released.
Comment 9 RHEL Program Management 2009-01-28 18:01:12 UTC 
This bugzilla has Keywords: Regression.  

Since no regressions are allowed between releases, 
it is also being proposed as a blocker for this release.  

Please resolve ASAP.
Comment 12 Tim Waugh 2009-02-02 17:11:56 UTC 
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
The CUPS configuration file directive "Satisfy Any" was not correctly implemented, causing access to be restricted in situations where it should not have been.
Comment 13 Eskil Brun 2009-03-30 12:32:50 UTC 
As far as I can see, there still has been no updates to the CUPS software
and we still cannot print from our sites laptops to our IPP server
because of this.

Must I apply the patches myself?

This is somewhat dissapointing.

Eskil...
:-)
Comment 14 Phil Knirsch 2009-03-30 12:40:59 UTC 
The fix will be included in RHEL-5.4.

Thanks & regards, Phil
Comment 15 Tim Waugh 2009-04-27 12:05:29 UTC 
*** Bug 497620 has been marked as a duplicate of this bug. ***
Comment 20 errata-xmlrpc 2009-09-02 11:25:27 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1360.html