diff -up cups-1.6.3/notifier/rss.c.str4461 cups-1.6.3/notifier/rss.c

--- cups-1.6.3/notifier/rss.c.str4461	2013-06-07 02:12:52.000000000 +0100

+++ cups-1.6.3/notifier/rss.c	2014-09-02 12:14:40.911974011 +0100

@@ -1,27 +1,16 @@

 /*

  * "$Id: rss.c 7824 2008-08-01 21:11:55Z mike $"

  *

- *   RSS notifier for CUPS.

+ * RSS notifier for CUPS.

  *

- *   Copyright 2007-2012 by Apple Inc.

- *   Copyright 2007 by Easy Software Products.

+ * Copyright 2007-2014 by Apple Inc.

+ * Copyright 2007 by Easy Software Products.

  *

- *   These coded instructions, statements, and computer programs are the

- *   property of Apple Inc. and are protected by Federal copyright

- *   law.  Distribution and use rights are outlined in the file "LICENSE.txt"

- *   which should have been included with this file.  If this file is

- *   file is missing or damaged, see the license at "http://www.cups.org/".

- *

- * Contents:

- *

- *   main()           - Main entry for the test notifier.

- *   compare_rss()    - Compare two messages.

- *   delete_message() - Free all memory used by a message.

- *   load_rss()       - Load an existing RSS feed file.

- *   new_message()    - Create a new RSS message.

- *   password_cb()    - Return the cached password.

- *   save_rss()       - Save messages to a RSS file.

- *   xml_escape()     - Copy a string, escaping &, <, and > as needed.

+ * These coded instructions, statements, and computer programs are the

+ * property of Apple Inc. and are protected by Federal copyright

+ * law.  Distribution and use rights are outlined in the file "LICENSE.txt"

+ * which should have been included with this file.  If this file is

+ * file is missing or damaged, see the license at "http://www.cups.org/".

  */

 /*

@@ -29,6 +18,7 @@

  */

 #include <cups/cups.h>

+#include <sys/stat.h>

 #include <cups/language.h>

 #include <cups/string-private.h>

 #include <cups/array.h>

@@ -629,6 +619,8 @@ save_rss(cups_array_t *rss,		/* I - RSS

     return (0);

   }

+  fchmod(fileno(fp), 0644);

+

   fputs("\n", fp);

   fputs("<rss version=\"2.0\">\n", fp);

   fputs("  <channel>\n", fp);

diff -up cups-1.6.3/scheduler/client.c.str4461 cups-1.6.3/scheduler/client.c

--- cups-1.6.3/scheduler/client.c.str4461	2014-09-02 12:12:39.165354482 +0100

+++ cups-1.6.3/scheduler/client.c	2014-09-02 12:13:49.131710518 +0100

@@ -3133,6 +3133,7 @@ get_file(cupsd_client_t *con,		/* I  - C

   char		*ptr;			/* Pointer info filename */

   int		plen;			/* Remaining length after pointer */

   char		language[7];		/* Language subdirectory, if any */

+  int		perm_check = 1;		/* Do permissions check? */

  /*

@@ -3142,17 +3143,27 @@ get_file(cupsd_client_t *con,		/* I  - C

   language[0] = '\0';

   if (!strncmp(con->uri, "/ppd/", 5) && !strchr(con->uri + 5, '/'))

+  {

     snprintf(filename, len, "%s%s", ServerRoot, con->uri);

+

+    perm_check = 0;

+  }

   else if (!strncmp(con->uri, "/icons/", 7) && !strchr(con->uri + 7, '/'))

   {

     snprintf(filename, len, "%s/%s", CacheDir, con->uri + 7);

     if (access(filename, F_OK) < 0)

       snprintf(filename, len, "%s/images/generic.png", DocumentRoot);

+

+    perm_check = 0;

   }

   else if (!strncmp(con->uri, "/rss/", 5) && !strchr(con->uri + 5, '/'))

     snprintf(filename, len, "%s/rss/%s", CacheDir, con->uri + 5);

-  else if (!strncmp(con->uri, "/admin/conf/", 12))

-    snprintf(filename, len, "%s%s", ServerRoot, con->uri + 11);

+  else if (!strcmp(con->uri, "/admin/conf/cupsd.conf"))

+  {

+    strlcpy(filename, ConfigurationFile, len);

+

+    perm_check = 0;

+  }

   else if (!strncmp(con->uri, "/admin/log/", 11))

   {

     if (!strncmp(con->uri + 11, "access_log", 10) && AccessLog[0] == '/')

@@ -3163,6 +3174,8 @@ get_file(cupsd_client_t *con,		/* I  - C

       strlcpy(filename, PageLog, len);

     else

       return (NULL);

+

+    perm_check = 0;

   }

   else if (con->language)

   {

@@ -3228,7 +3241,7 @@ get_file(cupsd_client_t *con,		/* I  - C

   * not allow access...

   */

-  if (!status && !(filestats->st_mode & S_IROTH))

+  if (!status && perm_check && !(filestats->st_mode & S_IROTH))

   {

     cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);

     return (NULL);

@@ -3336,7 +3349,7 @@ get_file(cupsd_client_t *con,		/* I  - C

     * not allow access...

     */

-    if (!status && !(filestats->st_mode & S_IROTH))

+    if (!status && perm_check && !(filestats->st_mode & S_IROTH))

     {

       cupsdLogMessage(CUPSD_LOG_INFO, "[Client %d] Files/directories such as \"%s\" must be world-readable.", con->http.fd, filename);

       return (NULL);

diff -up cups-1.6.3/scheduler/conf.c.str4461 cups-1.6.3/scheduler/conf.c

--- cups-1.6.3/scheduler/conf.c.str4461	2014-09-02 12:12:39.143354370 +0100

+++ cups-1.6.3/scheduler/conf.c	2014-09-02 12:12:39.169354502 +0100

@@ -1116,7 +1116,7 @@ cupsdReadConfiguration(void)

   if ((cupsdCheckPermissions(RequestRoot, NULL, 0710, RunUser,

 			     Group, 1, 1) < 0 ||

-       cupsdCheckPermissions(CacheDir, NULL, 0775, RunUser,

+       cupsdCheckPermissions(CacheDir, NULL, 0770, RunUser,

 			     Group, 1, 1) < 0 ||

        cupsdCheckPermissions(temp, NULL, 0775, RunUser,

 			     Group, 1, 1) < 0 ||

diff -up cups-1.6.3/scheduler/ipp.c.str4461 cups-1.6.3/scheduler/ipp.c

--- cups-1.6.3/scheduler/ipp.c.str4461	2014-09-02 12:12:39.150354405 +0100

+++ cups-1.6.3/scheduler/ipp.c	2014-09-02 12:12:57.752449066 +0100

@@ -2777,7 +2777,6 @@ add_printer(cupsd_client_t  *con,	/* I -

 	cupsdLogMessage(CUPSD_LOG_DEBUG,

 			"Copied PPD file successfully");

-	chmod(dstfile, 0644);

       }

       else

       {

@@ -4726,7 +4725,7 @@ copy_model(cupsd_client_t *con,		/* I -

   * Open the destination file for a copy...

   */

-  if ((dst = cupsFileOpen(to, "wb")) == NULL)

+  if ((dst = cupsdCreateConfFile(to, ConfigFilePerm)) == NULL)

   {

     cupsFreeOptions(num_defaults, defaults);

     cupsFileClose(src);

@@ -4781,7 +4780,7 @@ copy_model(cupsd_client_t *con,		/* I -

   unlink(tempfile);

-  return (cupsFileClose(dst));

+  return (cupsdCloseCreatedConfFile(dst, to));

 }

diff -up cups-1.6.3/scheduler/Makefile.str4461 cups-1.6.3/scheduler/Makefile

--- cups-1.6.3/scheduler/Makefile.str4461	2014-09-02 12:12:39.171354512 +0100

+++ cups-1.6.3/scheduler/Makefile	2014-09-02 12:14:04.265787530 +0100

@@ -174,7 +174,7 @@ install-data:

 	echo Creating $(REQUESTS)/tmp...

 	$(INSTALL_DIR) -m 1770 -g $(CUPS_GROUP) $(REQUESTS)/tmp

 	echo Creating $(CACHEDIR)...

-	$(INSTALL_DIR) -m 775 -g $(CUPS_GROUP) $(CACHEDIR)

+	$(INSTALL_DIR) -m 770 -g $(CUPS_GROUP) $(CACHEDIR)

 	if test "x$(INITDIR)" != x; then \

 		echo Installing init scripts...; \

 		$(INSTALL_DIR) -m 755 $(BUILDROOT)$(INITDIR)/init.d; \