[Pkg-cups-devel] r470 - in cupsys/trunk/debian: . patches
Martin Pitt
mpitt at alioth.debian.org
Mon Apr 30 13:52:06 UTC 2007
Author: mpitt
Date: Mon Apr 30 13:52:05 2007
New Revision: 470
Added:
cupsys/trunk/debian/patches/10_external_pam_helper.dpatch (contents, props changed)
Modified:
cupsys/trunk/debian/changelog
cupsys/trunk/debian/cupsys-client.postinst
cupsys/trunk/debian/cupsys.files
cupsys/trunk/debian/cupsys.init.d
cupsys/trunk/debian/cupsys.logrotate
cupsys/trunk/debian/cupsys.postinst
cupsys/trunk/debian/patches/00list
cupsys/trunk/debian/rules
Log:
* Run the backend as non-root system user to confine the impact of security
vulnerabilities:
- Add debian/patches/10_external_pam_helper.dpatch:
+ Add a helper program 'cups-check-pam-auth' which performs PAM
authentication and returns the status as exit code.
+ scheduler/auth.c, cupsdAuthorize(): Attempt to use
cups-check-pam-auth before trying native PAM.
+ With this we do not need to put the cupsys user into the shadow group.
- debian/cupsys.files: Install PAM helper.
- debian/cupsys.postinst: Set permissions of PAM helper to cupsys:shadow
2754, alter permissions of some configuration files and directories to
work with non-root cupsd.
- debian/cupsys.postinst: Fix /var/cache/cups/ permissions for upgrades
which might have written cache files as root.
- debian/cupsys.logrotate: Save log files as cupsys:lpadmin.
- debian/cupsys.init.d: Disable 'reload'; change force-reload to restart,
since cupsd cannot reload as non-root.
- debian/cupsys.init.d: Set up proper permissions of log files.
- debian/rules: Enable --enable-privilege-dropping configure option.
- debian/rules: Install lpd backend suid root, so that it can bind to
ports < 1024 (really silly, but required for RFC compliance).
- debian/cupsys-client.postinst, debian/cupsys.postinst: Set up cupsys
system user.
Modified: cupsys/trunk/debian/changelog
==============================================================================
--- cupsys/trunk/debian/changelog (original)
+++ cupsys/trunk/debian/changelog Mon Apr 30 13:52:05 2007
@@ -78,8 +78,31 @@
* debian/cupsys.init.d: Give proper permissions to /usr/share/ppd/custom/:
root:lpadmin 3775. Drop the obsolete chmod/chowning of
/usr/share/cups/model.
+ * Run the backend as non-root system user to confine the impact of security
+ vulnerabilities:
+ - Add debian/patches/10_external_pam_helper.dpatch:
+ + Add a helper program 'cups-check-pam-auth' which performs PAM
+ authentication and returns the status as exit code.
+ + scheduler/auth.c, cupsdAuthorize(): Attempt to use
+ cups-check-pam-auth before trying native PAM.
+ + With this we do not need to put the cupsys user into the shadow group.
+ - debian/cupsys.files: Install PAM helper.
+ - debian/cupsys.postinst: Set permissions of PAM helper to cupsys:shadow
+ 2754, alter permissions of some configuration files and directories to
+ work with non-root cupsd.
+ - debian/cupsys.postinst: Fix /var/cache/cups/ permissions for upgrades
+ which might have written cache files as root.
+ - debian/cupsys.logrotate: Save log files as cupsys:lpadmin.
+ - debian/cupsys.init.d: Disable 'reload'; change force-reload to restart,
+ since cupsd cannot reload as non-root.
+ - debian/cupsys.init.d: Set up proper permissions of log files.
+ - debian/rules: Enable --enable-privilege-dropping configure option.
+ - debian/rules: Install lpd backend suid root, so that it can bind to
+ ports < 1024 (really silly, but required for RFC compliance).
+ - debian/cupsys-client.postinst, debian/cupsys.postinst: Set up cupsys
+ system user.
- -- Martin Pitt <mpitt at debian.org> Mon, 30 Apr 2007 14:50:15 +0200
+ -- Martin Pitt <mpitt at debian.org> Mon, 30 Apr 2007 15:28:14 +0200
cupsys (1.2.7-4) unstable; urgency=high
Modified: cupsys/trunk/debian/cupsys-client.postinst
==============================================================================
--- cupsys/trunk/debian/cupsys-client.postinst (original)
+++ cupsys/trunk/debian/cupsys-client.postinst Mon Apr 30 13:52:05 2007
@@ -27,7 +27,23 @@
if [ -z "`getent group lpadmin`" ]; then
addgroup --system lpadmin
fi
- chown lp:lpadmin /usr/bin/lppasswd
+
+ # Set up cupsys user.
+ if [ -z "`getent passwd cupsys`" ]; then
+ adduser --quiet --system --no-create-home --ingroup lpadmin cupsys
+ fi
+
+ # necessary for access to local parallel and usb printers
+ adduser --quiet cupsys lp
+ # necessary for access to local serial printers
+ adduser --quiet cupsys dialout
+ # necessary for access to printer/scanner combo devices
+ if [ -z "`getent group scanner`" ]; then
+ addgroup --system scanner
+ fi
+ adduser --quiet cupsys scanner
+
+ chown cupsys:lpadmin /usr/bin/lppasswd
chmod u+s /usr/bin/lppasswd
;;
Modified: cupsys/trunk/debian/cupsys.files
==============================================================================
--- cupsys/trunk/debian/cupsys.files (original)
+++ cupsys/trunk/debian/cupsys.files Mon Apr 30 13:52:05 2007
@@ -9,6 +9,7 @@
usr/lib/cups/daemon/cups-polld
usr/lib/cups/daemon/cups-deviced
usr/lib/cups/daemon/cups-driverd
+usr/lib/cups/daemon/cups-check-pam-auth
usr/lib/cups/filter/gziptoany
usr/lib/cups/filter/hpgltops
usr/lib/cups/filter/imagetops
Modified: cupsys/trunk/debian/cupsys.init.d
==============================================================================
--- cupsys/trunk/debian/cupsys.init.d (original)
+++ cupsys/trunk/debian/cupsys.init.d Mon Apr 30 13:52:05 2007
@@ -37,7 +37,22 @@
modprobe -q lp || true
modprobe -q ppdev || true
fi
+ chown cupsys:lp `dirname "$PIDFILE"`
+
+ # create the logs file since cupsd can't
+ for l in access_log page_log error_log; do
+ [ -e /var/log/cups/$l ] || touch /var/log/cups/$l
+ chmod 640 /var/log/cups/$l
+ chown cupsys:lpadmin /var/log/cups/$l
+ done
+
start-stop-daemon --start --quiet --oknodo --pidfile "$PIDFILE" --exec $DAEMON
+
+ # Correct the permissions after starting the CUPS daemon
+ for l in access_log page_log error_log; do
+ chmod 640 /var/log/cups/$l || true
+ chown cupsys:lpadmin /var/log/cups/$l || true
+ done
log_end_msg $?
;;
stop)
@@ -45,15 +60,15 @@
start-stop-daemon --stop --quiet --retry 5 --oknodo --pidfile $PIDFILE --name $NAME
log_end_msg $?
;;
- reload|force-reload)
- log_begin_msg "Reloading $DESC: $NAME"
- start-stop-daemon --stop --quiet --pidfile $PIDFILE --name $NAME --signal 1
- log_end_msg $?
- ;;
- restart)
+ restart|force-reload)
log_begin_msg "Restarting $DESC: $NAME"
if start-stop-daemon --stop --quiet --retry 5 --oknodo --pidfile $PIDFILE --name $NAME; then
start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec $DAEMON
+ # Correct the permissions after starting the CUPS daemon
+ for l in access_log page_log error_log; do
+ chmod 640 /var/log/cups/$l || true
+ chown cupsys:lpadmin /var/log/cups/$l || true
+ done
fi
log_end_msg $?
;;
Modified: cupsys/trunk/debian/cupsys.logrotate
==============================================================================
--- cupsys/trunk/debian/cupsys.logrotate (original)
+++ cupsys/trunk/debian/cupsys.logrotate Mon Apr 30 13:52:05 2007
@@ -11,5 +11,5 @@
endscript
compress
notifempty
- create 640 root lp
+ create 640 cupsys lpadmin
}
Modified: cupsys/trunk/debian/cupsys.postinst
==============================================================================
--- cupsys/trunk/debian/cupsys.postinst (original)
+++ cupsys/trunk/debian/cupsys.postinst Mon Apr 30 13:52:05 2007
@@ -45,6 +45,20 @@
deluser root lpadmin || true
fi
+ # Set up cupsys user.
+ if [ -z "`getent passwd cupsys`" ]; then
+ adduser --quiet --system --no-create-home --ingroup lpadmin cupsys
+ fi
+ # necessary for access to local parallel and usb printers
+ adduser --quiet cupsys lp
+ # necessary for access to local serial printers
+ adduser --quiet cupsys dialout
+ # necessary for access to printer/scanner combo devices
+ if [ -z "`getent group scanner`" ]; then
+ addgroup --system scanner
+ fi
+ adduser --quiet cupsys scanner
+
if [ -d /etc/cups/certs ]; then
rm -rf /etc/cups/certs
fi
@@ -195,10 +209,12 @@
# permission configuration
chown root:lp /etc/cups ; chmod 3755 /etc/cups
- chown root:lp /etc/cups/cupsd.conf ; chmod 640 /etc/cups/cupsd.conf
+ chown cupsys:root /etc/cups/cupsd.conf ; chmod 644 /etc/cups/cupsd.conf
chown root:lp /etc/cups/ppd ; chmod 755 /etc/cups/ppd
+ chown cupsys:shadow /usr/lib/cups/daemon/cups-check-pam-auth
+ chmod 2754 /usr/lib/cups/daemon/cups-check-pam-auth
if [ ! -d /var/run/cups/certs ]; then
- mkdir /var/run/cups/certs && chown lp:lpadmin /var/run/cups/certs \
+ mkdir /var/run/cups/certs && chown cupsys:lpadmin /var/run/cups/certs \
&& chmod 511 /var/run/cups/certs
fi
if [ -f /etc/cups/classes.conf ]; then
@@ -215,6 +231,11 @@
ln -s /opt/share/ppd /usr/share/ppd/2-third-party
fi
+ # fix permissions for upgrades which might have written cache files as
+ # root
+ if [ -d /var/cache/cups ]; then
+ chown -R cupsys:lp /var/cache/cups || true
+ fi
;;
abort-upgrade|abort-remove|abort-deconfigure)
Modified: cupsys/trunk/debian/patches/00list
==============================================================================
--- cupsys/trunk/debian/patches/00list (original)
+++ cupsys/trunk/debian/patches/00list Mon Apr 30 13:52:05 2007
@@ -5,6 +5,7 @@
07_removecvstag.dpatch
09_runasuser.dpatch
09_runasuser_autoconf.dpatch
+10_external_pam_helper.dpatch
11_pam.dpatch
12_quiesce_ipp_logging.dpatch
13_default_log_warn.dpatch
Added: cupsys/trunk/debian/patches/10_external_pam_helper.dpatch
==============================================================================
--- (empty file)
+++ cupsys/trunk/debian/patches/10_external_pam_helper.dpatch Mon Apr 30 13:52:05 2007
@@ -0,0 +1,298 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## ubuntu-external-pam-helper.dpatch by <martin.pitt at ubuntu.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad cups-1.2-ubuntu~/scheduler/Makefile cups-1.2-ubuntu/scheduler/Makefile
+--- cups-1.2-ubuntu~/scheduler/Makefile 2006-07-13 21:59:36.000000000 +0200
++++ cups-1.2-ubuntu/scheduler/Makefile 2006-07-26 17:50:33.000000000 +0200
+@@ -58,6 +58,7 @@
+ cups-driverd.o \
+ cups-lpd.o \
+ cups-polld.o \
++ cups-check-pam-auth.o \
+ testdirsvc.o \
+ testmime.o \
+ testspeed.o \
+@@ -68,6 +69,7 @@
+ cups-driverd \
+ cups-lpd \
+ cups-polld \
++ cups-check-pam-auth \
+ libmime.a \
+ testdirsvc \
+ testmime \
+@@ -116,6 +118,7 @@
+ $(INSTALL_BIN) cups-driverd $(SERVERBIN)/daemon
+ $(INSTALL_BIN) cups-lpd $(SERVERBIN)/daemon
+ $(INSTALL_BIN) cups-polld $(SERVERBIN)/daemon
++ $(INSTALL_BIN) cups-check-pam-auth $(SERVERBIN)/daemon
+ echo Creating $(SERVERBIN)/driver...
+ $(INSTALL_DIR) -m 755 $(SERVERBIN)/driver
+ echo Creating $(SERVERROOT)...
+@@ -161,6 +164,7 @@
+ $(RM) $(SERVERBIN)/daemon/cups-driverd
+ $(RM) $(SERVERBIN)/daemon/cups-lpd
+ $(RM) $(SERVERBIN)/daemon/cups-polld
++ $(RM) $(SERVERBIN)/daemon/cups-check-pam-auth
+ -$(RMDIR) $(STATEDIR)/certs
+ -$(RMDIR) $(STATEDIR)
+ -$(RMDIR) $(SERVERROOT)/ppd
+@@ -229,6 +233,13 @@
+ echo Linking $@...
+ $(CC) $(LDFLAGS) -o cups-polld cups-polld.o $(LIBS)
+
++#
++# Make the external PAM authentication helper, "cups-check-pam-auth".
++#
++
++cups-check-pam-auth: cups-check-pam-auth.o
++ echo Linking $@
++ $(CC) $(LDFLAGS) -o $@ $< -lpam
+
+ #
+ # libmime.a
+diff -urNad cups-1.2-ubuntu~/scheduler/auth.c cups-1.2-ubuntu/scheduler/auth.c
+--- cups-1.2-ubuntu~/scheduler/auth.c 2006-07-26 17:40:24.000000000 +0200
++++ cups-1.2-ubuntu/scheduler/auth.c 2006-07-26 17:40:50.000000000 +0200
+@@ -300,6 +300,59 @@
+ memcpy(temp->mask.ip.netmask, netmask, sizeof(temp->mask.ip.netmask));
+ }
+
++/*
++ * 'cupsdCallPamAuthHelper()' - Call external PAM helper to check given
++ * credentials. 0 == auth ok, 1 == auth failed,
++ * other values: internal error
++ */
++int
++cupsdCallPamAuthHelper(const char* username, const char* password)
++{
++ const char* authhelper = "/usr/lib/cups/daemon/cups-check-pam-auth";
++
++ int inp[2];
++ pid_t pid;
++ int status;
++
++ if (pipe(inp) != 0) {
++ cupsdLogMessage(CUPSD_LOG_ERROR,
++ "cupsdCallPamAuthHelper: pipe() failed: %s\n", strerror(errno));
++ return 2;
++ }
++ pid = fork();
++ if (pid < 0) {
++ cupsdLogMessage(CUPSD_LOG_ERROR,
++ "cupsdCallPamAuthHelper: fork() failed: %s\n", strerror(errno));
++ return 2;
++ }
++
++ if (!pid) {
++ char * const envp[] = { NULL };
++
++ /* child: route inp[1] to stdin and execute pam helper */
++ close (inp[1]);
++ dup2 (inp[0], 0);
++ execle (authhelper, authhelper, NULL, envp);
++ cupsdLogMessage(CUPSD_LOG_ERROR,
++ "cupsdCallPamAuthHelper: execle() failed: %s\n", strerror(errno));
++ return 2;
++ }
++
++ close (inp[0]);
++
++ /* write username and password (including null terminators!) to helper */
++ write(inp[1], username, strlen(username)+1);
++ write(inp[1], password, strlen(password)+1);
++ close (inp[1]);
++
++ if (wait(&status) < 0 || !WIFEXITED (status)) {
++ cupsdLogMessage(CUPSD_LOG_ERROR,
++ "cupsdCallPamAuthHelper: Could not wait for authentication helper\n");
++ return 2;
++ }
++
++ return WEXITSTATUS(status);
++}
+
+ /*
+ * 'cupsdAuthorize()' - Validate any authorization credentials.
+@@ -467,6 +520,26 @@
+ {
+ case AUTH_BASIC :
+ {
++ /* first, try whether the external PAM helper works */
++ int pam_auth_result = cupsdCallPamAuthHelper(username, password);
++ cupsdLogMessage(CUPSD_LOG_DEBUG,
++ "cupsdCallPamAuthHelper: authentication helper returned with %i\n",
++ pam_auth_result);
++ if (pam_auth_result == 0)
++ break; /* authentication succeeded */
++ else if (pam_auth_result == 1) {
++ /* authentication failed */
++ cupsdLogMessage(CUPSD_LOG_ERROR,
++ "cupsdAuthorize: PAM authentication helper: wrong credentials\n");
++ return;
++ } else {
++ /* internal error when calling helper, fall back to standard
++ * methods */
++ cupsdLogMessage(CUPSD_LOG_ERROR,
++ "cupsdAuthorize: PAM authentication helper failed with code %i\n",
++ pam_auth_result);
++ }
++
+ #if HAVE_LIBPAM
+ /*
+ * Only use PAM to do authentication. This supports MD5
+diff -urNad cups-1.2-ubuntu~/scheduler/cups-check-pam-auth.c cups-1.2-ubuntu/scheduler/cups-check-pam-auth.c
+--- cups-1.2-ubuntu~/scheduler/cups-check-pam-auth.c 1970-01-01 01:00:00.000000000 +0100
++++ cups-1.2-ubuntu/scheduler/cups-check-pam-auth.c 2006-07-26 17:41:35.000000000 +0200
+@@ -0,0 +1,148 @@
++/* setgid shadow PAM authentication helper for cupsd
++ *
++ * This program expects 'username\0password\0' on stdin, verifies whether these
++ * are valid authentication credentials.
++ * Exit codes:
++ * 0: authentication succeeded
++ * 1: authentication failed
++ * 2: invalid input
++ *
++ * (C) 2006 Canonical Ltd.
++ * Author: Martin Pitt <martin.pitt at ubuntu.com>
++ */
++
++#include <security/pam_appl.h>
++#include <unistd.h>
++#include <string.h>
++#include <stdlib.h>
++#include <stdio.h>
++#include <sys/mman.h> /* mlock() */
++
++/* stolen and adapted from cups' scheduler/auth.c */
++static int /* O - Success or failure */
++pam_func(
++ int num_msg, /* I - Number of messages */
++ const struct pam_message **msg, /* I - Messages */
++ struct pam_response **resp, /* O - Responses */
++ void *appdata_ptr)
++ /* I - Pointer to connection */
++{
++ int i; /* Looping var */
++ struct pam_response *replies; /* Replies */
++ char *userpwd; /* Pointer to auth data */
++
++
++ /*
++ * Allocate memory for the responses...
++ */
++
++ if ((replies = malloc(sizeof(struct pam_response) * num_msg)) == NULL)
++ return (PAM_CONV_ERR);
++
++ /*
++ * Answer all of the messages...
++ */
++
++ userpwd = (char *)appdata_ptr;
++
++ for (i = 0; i < num_msg; i ++)
++ {
++ switch (msg[i]->msg_style)
++ {
++ case PAM_PROMPT_ECHO_ON:
++ replies[i].resp_retcode = PAM_SUCCESS;
++ replies[i].resp = strdup(userpwd);
++ break;
++
++ case PAM_PROMPT_ECHO_OFF:
++ replies[i].resp_retcode = PAM_SUCCESS;
++ replies[i].resp = strdup(userpwd + strlen(userpwd) + 1);
++ mlock(replies[i].resp, strlen(replies[i].resp));
++ break;
++
++ case PAM_TEXT_INFO:
++ case PAM_ERROR_MSG:
++ replies[i].resp_retcode = PAM_SUCCESS;
++ replies[i].resp = NULL;
++ break;
++
++ default:
++ free(replies);
++ return (PAM_CONV_ERR);
++ }
++ }
++
++ /*
++ * Return the responses back to PAM...
++ */
++
++ *resp = replies;
++
++ return (PAM_SUCCESS);
++}
++
++int main()
++{
++ char buffer[1000]; /* format: username <nul byte> <password> <nul byte> */
++ ssize_t size = 0, chunksize;
++ size_t len;
++ pam_handle_t *pamh;
++ struct pam_conv pamdata;
++ int auth;
++ char *p;
++ int offset;
++
++ // lock memory to prevent swapping out
++ if (mlock (buffer, sizeof (buffer)) != 0) {
++ perror("Could not mlock()");
++ return 2;
++ }
++
++ // read username and password from stdin
++ for(;;) {
++ chunksize = read (0, buffer+size, sizeof(buffer) - size);
++ if (chunksize < 0) {
++ perror("Could not read from stdin");
++ return 2;
++ }
++
++ size += chunksize;
++
++ /* check whether we have two NUL bytes in the input already */
++ p = memchr(buffer, 0, size);
++ if (p) {
++ offset = (p - buffer) + 1; /* position of char after first 0 byte */
++ if (offset < size && memchr(buffer+offset, 0, size-offset)) {
++ break;
++ }
++ }
++ }
++
++ if (size >= (ssize_t) sizeof(buffer)-1) {
++ fputs("Input overflow, aborting\n", stderr);
++ return 2;
++ }
++
++ /* sanity checks */
++ len = strlen(buffer);
++ if (len <= 0 || len >= (size_t) size) {
++ fputs("Invalid user name\n", stderr);
++ return 2;
++ }
++ if (strlen(buffer + len + 1) <= 0) {
++ fputs("Invalid password\n", stderr);
++ return 2;
++ }
++
++ /* create PAM request */
++ pamdata.conv = pam_func;
++ pamdata.appdata_ptr = buffer;
++
++ /* ask PAM to authenticate */
++ auth = pam_start("cups", buffer, &pamdata, &pamh) == PAM_SUCCESS &&
++ pam_authenticate(pamh, PAM_SILENT) == PAM_SUCCESS &&
++ pam_acct_mgmt(pamh, PAM_SILENT) == PAM_SUCCESS;
++ pam_end(pamh, PAM_SUCCESS);
++
++ return auth ? 0 : 1;
++}
Modified: cupsys/trunk/debian/rules
==============================================================================
--- cupsys/trunk/debian/rules (original)
+++ cupsys/trunk/debian/rules Mon Apr 30 13:52:05 2007
@@ -18,7 +18,7 @@
unpatch: deapply-dpatches
-DEB_CONFIGURE_EXTRA_FLAGS := --with-optim=$(DEB_OPTFLAGS) --libdir=/usr/lib --mandir=/usr/share/man --with-docdir=/usr/share/cups/doc-root --enable-slp --enable-libpaper --enable-ssl --enable-gnutls --disable-openssl --enable-threads --enable-static --enable-dbus --disable-pdftops --disable-launchd --with-cups-user=lp --with-cups-group=lp --with-system-groups=lpadmin
+DEB_CONFIGURE_EXTRA_FLAGS := --with-optim=$(DEB_OPTFLAGS) --libdir=/usr/lib --mandir=/usr/share/man --with-docdir=/usr/share/cups/doc-root --enable-slp --enable-libpaper --enable-ssl --enable-gnutls --disable-openssl --enable-threads --enable-static --enable-dbus --disable-pdftops --disable-launchd --with-cups-user=cupsys --with-cups-group=lp --with-system-groups=lpadmin --enable-privilege-dropping
DEB_MAKE_INSTALL_TARGET := install BUILDROOT=$(DEB_DESTDIR)
DEB_INSTALL_CHANGELOGS_ALL := CHANGES.txt
DEB_DH_STRIP_ARGS := --dbg-package=cupsys-dbg
@@ -31,6 +31,7 @@
(cd fonts && $(MAKE) install BUILDROOT=$(DEB_DESTDIR))
$(patsubst %,install/%,$(DEB_ALL_PACKAGES)) :: install/%:
dh_movefiles -p$(cdbs_curpkg)
+
binary-post-install/cupsys::
mv debian/cupsys/usr/lib/cups/backend/* debian/cupsys/usr/lib/cups/backend-available
install -o root -g root -m 644 doc/favicon.ico debian/cupsys/usr/share/cups/doc-root
@@ -42,6 +43,11 @@
install -o root -g root -m 644 debian/cupsys.default debian/cupsys/etc/default/cupsys
install -m 755 debian/local/browsing_status debian/local/enable_browsing debian/local/sharing_status debian/local/enable_sharing $(DEB_DESTDIR)/../cupsys/usr/share/cups
+ # install lpd backend suid root so that it can bind to port <
+ # 1024 (required for RFC compliance)
+ chown root:lp debian/cupsys/usr/lib/cups/backend-available/lpd
+ chmod 4754 debian/cupsys/usr/lib/cups/backend-available/lpd
+
# Install PPDs into /usr/share/ppd/cups-included/<Manufacturer>, see
# http://wiki.debian.org/PpdFileStructureSpecification
for i in $(DEB_DESTDIR)/../cupsys/usr/share/cups/model/*.ppd; do \
More information about the Pkg-cups-devel
mailing list