cupsd(8).
It is normally located in the /etc/cups directory.
Each line in the file can be a configuration directive, a blank line, or a comment.
+Configuration directives typically consist of a name and zero or more values separated by whitespace.
+The configuration directive name and values are case-insensitive.
Comment lines start with the # character.
The following directives are understood by
cupsd(8):
-
AccessLog filename
-
AccessLog [ filename ]
+
AccessLog
+
AccessLog filename
AccessLog syslog
Defines the access log filename.
-The value "syslog" causes log entries to be sent to the system log daemon.
Specifying a blank filename disables access log generation.
+The value "syslog" causes log entries to be sent to the system log daemon.
The server name may be included in filenames using the string "%s", for example:
AccessLog /var/log/cups/%s-access_log
+The default is "/var/log/cups/access_log".
ConfigFilePerm mode
Specifies the permissions for all configuration files that the scheduler writes.
-The default is 0644 on OS X and 0640 on all other operating systems.
-Note: The permissions for the printers.conf file are currently masked to only allow access from the scheduler user (typically root).
+The default is "0644" on OS X and "0640" on all other operating systems.
+Note: The permissions for the printers.conf file are currently masked to only allow access from the scheduler user (typically root).
This is done because printer device URIs sometimes contain sensitive authentication information that should not be generally known on the system.
There is no way to disable this security feature.
DataDir path
-
Specifies the directory where data files can be found. The default is usually /usr/share/cups.
+
Specifies the directory where data files can be found.
+The default is usually "/usr/share/cups".
DocumentRoot directory
-
Specifies the root directory for the CUPS web interface content. The default is usually /usr/share/doc/cups.
-
ErrorLog [ filename ]
+
Specifies the root directory for the CUPS web interface content.
+The default is usually "/usr/share/doc/cups".
+
ErrorLog
+
ErrorLog filename
ErrorLog syslog
Defines the error log filename.
-The value "syslog" causes log entries to be sent to the system log daemon.
Specifying a blank filename disables error log generation.
+The value "syslog" causes log entries to be sent to the system log daemon.
The server name may be included in filenames using the string "%s", for example:
ErrorLog /var/log/cups/%s-error_log
+The default is "/var/log/cups/error_log".
FatalErrors none
-
FatalErrors all -kind [ ... -kind ]
-
FatalErrors kind [ ... kind ]
+
FatalErrors all -kind [ ... -kind ]
+
FatalErrors kind [ ... kind ]
Specifies which errors are fatal, causing the scheduler to exit.
-The default setting is "config".
+The default is "config".
The kind strings are:
Specifies whether the file pseudo-device can be used for new printer queues.
The URI "file:///dev/null" is always allowed.
-
FontPath directory[:...:directory]
-
Specifies the search path for fonts.
-This directive is deprecated and will no longer be supported in a future release of CUPS.
Group group-name-or-number
Specifies the group name or ID that will be used when executing external programs.
-The default group is operating system specific but is usually lp or nobody.
+The default group is operating system specific but is usually "lp" or "nobody".
LogFilePerm mode
-
Specifies the permissions of all log files that the scheduler writes. The default is 0644.
+
Specifies the permissions of all log files that the scheduler writes.
+The default is "0644".
PageLog [ filename ]
PageLog syslog
Defines the page log filename.
@@ -98,37 +103,43 @@
Defines the printcap filename that the scheduler automatically updates with the current list of available printers, which is sometimes used by legacy applications.
-Specifying a blank filename disables printcap generation.
-This directive is deprecated and will no longer be supported in a future release of CUPS.
+The default is "/var/log/cups/page_log".
RemoteRoot username
Specifies the username that is associated with unauthenticated accesses by clients claiming to be the root user.
+The default is "remroot".
RequestRoot directory
Specifies the directory that contains print jobs and other HTTP request data.
+The default is "/var/spool/cups".
Sandboxing off
Sandboxing relaxed
Sandboxing strict
Specifies the level of security sandboxing that is applied to print filters, backends, and other child processes of the scheduler.
The default is "strict".
-This directive is currently only used on OS X.
+This directive is currently only used/supported on OS X.
ServerBin directory
Specifies the directory containing the backends, CGI programs, filters, helper programs, notifiers, and port monitors.
+The default is "/usr/lib/cups" or "/usr/libexec/cups" depending on the platform.
ServerKeychain path
Specifies the location of TLS certificates and private keys.
+The default is "/Library/Keychains/System.keychain" on OS X and "/etc/cups/ssl" on all other operating systems.
ServerRoot directory
Specifies the directory containing the server configuration files.
+The default is "/etc/cups".
SyncOnClose Yes
SyncOnClose No
Specifies whether the scheduler calls
fsync(2)
-after writing configuration or state files. The default is No.
-
SystemGroup group-name [ ... group-name ]
+after writing configuration or state files.
+The default is "No".
+
SystemGroup group-name [ ... group-name ]
Specifies the group(s) to use for @SYSTEM group authentication.
+The default contains "admin", "lpadmin", "root", "sys", and/or "system".
TempDir directory
Specifies the directory where temporary files are stored.
+The default is "/var/spool/cups/tmp".
User username
Specifies the user name or ID that is used when running external programs.
+The default is "lp".
cupsd(8).
It is normally located in the
/etc/cups
-directory. Note: File, directory, and user configuration directives that used to be allowed in the cupsd.conf file are now stored in the cups-files.conf(5) instead in order to prevent certain types of privilege escalation attacks.
-
Each line in the file can be a configuration directive, a blank line, or a comment. Comment lines start with the # character. The configuration directives are intentionally similar to those used by the popular Apache web server software and are described below.
-
-The following directives are understood by
-cupsd(8).
-Consult the online help (http://localhost:631/help) for detailed descriptions:
+directory.
+Note: File, directory, and user configuration directives that used to be allowed in the cupsd.conf file are now stored in the
+cups-files.conf(5)
+file instead in order to prevent certain types of privilege escalation attacks.
+
Each line in the file can be a configuration directive, a blank line, or a comment.
+Configuration directives typically consist of a name and zero or more values separated by whitespace.
+The configuration directive name and values are case-insensitive.
+Comment lines start with the # character.
+
+The following top-level directives are understood by
+cupsd(8):
-
AccessLogLevel config
-
AccessLogLevel actions
-
AccessLogLevel all
+
AccessLogLevel config
+
AccessLogLevel actions
+
AccessLogLevel all
Specifies the logging level for the AccessLog file.
-
AutoPurgeJobs Yes
-
AutoPurgeJobs No
+The "config" level logs when printers and classes are added, deleted, or modified and when configuration files are accessed or updated.
+The "actions" level logs when print jobs are submitted, held, released, modified, or canceled, and any of the conditions for "config".
+The "all" level logs all requests.
+The default access log level is "actions".
+
AutoPurgeJobs Yes
+
AutoPurgeJobs No
-Specifies whether to purge job history data automatically when
-it is no longer required for quotas.
-
BrowseLocalProtocols [
-
All
-] [
-DNSSD
-]
-Specifies the protocols to use for local printer sharing.
-
BrowseWebIF Yes
-
BrowseWebIF No
+Specifies whether to purge job history data automatically when it is no longer required for quotas.
+The default is "No".
+
BrowseLocalProtocols all
+
BrowseLocalProtocols dnssd
+
BrowseLocalProtocols none
+
Specifies which protocols to use for local printer sharing.
+The default is "dnssd" on systems that support Bonjour and "none" otherwise.
+
BrowseWebIF Yes
+
BrowseWebIF No
-Specifies whether the CUPS web interface is advertised via DNS-SD.
-
Browsing Yes
-
Browsing No
+Specifies whether the CUPS web interface is advertised.
+The default is "No".
+
Browsing Yes
+
Browsing No
-Specifies whether or not shared printers should be advertised.
-
Classification banner
+Specifies whether shared printers are advertised.
+The default is "No".
+
Classification banner
Specifies the security classification of the server.
-
ClassifyOverride Yes
-
ClassifyOverride No
+Any valid banner name can be used, including "classified", "confidential", "secret", "topsecret", and "unclassified", or the banner can be omitted to disable secure printing functions.
+The default is no classification banner.
+
ClassifyOverride Yes
+
ClassifyOverride No
-Specifies whether to allow users to override the classification
-of individual print jobs.
-
DefaultAuthType Basic
-
DefaultAuthType Negotiate
+Specifies whether users may override the classification (cover page) of individual print jobs using the "job-sheets" option.
+The default is "No".
+
DefaultAuthType Basic
+
DefaultAuthType Negotiate
Specifies the default type of authentication to use.
-
DefaultEncryption Never
-
DefaultEncryption IfRequested
-
DefaultEncryption Required
-
Specifies the type of encryption to use for authenticated requests.
-
DefaultLanguage locale
+The default is "Basic".
+
DefaultEncryption Never
+
DefaultEncryption IfRequested
+
DefaultEncryption Required
+
Specifies whether encryption will be used for authenticated requests.
+The default is "Required".
+
DefaultLanguage locale
Specifies the default language to use for text and web content.
-
DefaultPaperSize Auto
-
DefaultPaperSize None
-
DefaultPaperSize sizename
-
Specifies the default paper size for new print queues. "Auto" uses a locale-
-specific default, while "None" specifies there is no default paper size.
-
DefaultPolicy policy-name
+The default is "en".
+
DefaultPaperSize Auto
+
DefaultPaperSize None
+
DefaultPaperSize sizename
+
Specifies the default paper size for new print queues. "Auto" uses a locale-specific default, while "None" specifies there is no default paper size.
+Specific size names are typically "Letter" or "A4".
+The default is "Auto".
+
DefaultPolicy policy-name
Specifies the default access policy to use.
-
DefaultShared Yes
-
DefaultShared No
+The default access policy is "default".
+
DefaultShared Yes
+
DefaultShared No
Specifies whether local printers are shared by default.
-
DirtyCleanInterval seconds
-
Specifies the delay for updating of configuration and state files. A value of 0
-causes the update to happen as soon as possible, typically within a few
-milliseconds.
-
FilterLimit limit
-
Specifies the maximum cost of filters that are run concurrently.
-
FilterNice nice-value
-
Specifies the scheduling priority ("nice" value) of filters that
-are run to print a job.
-
GSSServiceName name
-
Specifies the service name when using Kerberos authentication. The default
-service name is "http".
-
HostNameLookups On
-
HostNameLookups Off
-
HostNameLookups Double
-
Specifies whether or not to do reverse lookups on client addresses.
-
Include filename
-
Includes the named file.
-
JobKillDelay seconds
-
Specifies the number of seconds to wait before killing the filters and backend
-associated with a canceled or held job.
-
JobRetryInterval seconds
+The default is "Yes".
+
DirtyCleanInterval seconds
+
Specifies the delay for updating of configuration and state files.
+A value of 0 causes the update to happen as soon as possible, typically within a few milliseconds.
+The default value is "30".
+
FilterLimit limit
+
Specifies the maximum cost of filters that are run concurrently, which can be used to minimize disk, memory, and CPU resource problems.
+A limit of 0 disables filter limiting.
+An average print to a non-PostScript printer needs a filter limit of about 200.
+A PostScript printer needs about half that (100).
+Setting the limit below these thresholds will effectively limit the scheduler to printing a single job at any time.
+The default limit is "0".
+
FilterNice nice-value
+
Specifies the scheduling priority (
+nice(8)
+value) of filters that are run to print a job.
+The nice value ranges from 0, the highest priority, to 19, the lowest priority.
+The default is 0.
+
GSSServiceName name
+
Specifies the service name when using Kerberos authentication.
+The default service name is "http."
+
HostNameLookups On
+
HostNameLookups Off
+
HostNameLookups Double
+
Specifies whether to do reverse lookups on connecting clients.
+The "Double" setting causes
+cupsd(8)
+to verify that the hostname resolved from the address matches one of the addresses returned for that hostname.
+Double lookups also prevent clients with unregistered addresses from connecting to your server.
+The default is "Off" to avoid the potential server performance problems with hostname lookups.
+Only set this option to "On" or "Double" if absolutely required.
+
JobKillDelay seconds
+
Specifies the number of seconds to wait before killing the filters and backend associated with a canceled or held job.
+The default is "30".
+
JobRetryInterval seconds
Specifies the interval between retries of jobs in seconds.
-
JobRetryLimit count
+This is typically used for fax queues but can also be used with normal print queues whose error policy is "retry-job" or "retry-current-job".
+The default is "30".
+
JobRetryLimit count
Specifies the number of retries that are done for jobs.
-
KeepAlive Yes
-
KeepAlive No
+This is typically used for fax queues but can also be used with normal print queues whose error policy is "retry-job" or "retry-current-job".
+The default is "5".
+
KeepAlive Yes
+
KeepAlive No
Specifies whether to support HTTP keep-alive connections.
-
KeepAliveTimeout seconds
-
Specifies the amount of time that connections are kept alive.
-
<Limit operations> ... </Limit>
-
Specifies the IPP operations that are being limited inside a policy.
-
<Limit methods> ... </Limit>
-
<LimitExcept methods> ... </LimitExcept>
-
Specifies the HTTP methods that are being limited inside a location.
-
LimitRequestBody
-
Specifies the maximum size of any print job request.
-
Listen ip-address:port
-
Listen *:port
-
Listen /path/to/domain/socket
-
Listens to the specified address and port or domain socket path.
-
<Location /path> ... </Location>
+The default is "Yes".
+
KeepAliveTimeout seconds
+
Specifies how long an idle client connection remains open.
+The default is "30".
+
<Limit operation ...> ... </Limit>
+
Specifies the IPP operations that are being limited inside a Policy section. IPP operation names are listed below in the section "IPP OPERATIONS".
+
<Limit method ...> ... </Limit>
+
<LimitExcept method ...> ... </LimitExcept>
+
Specifies the HTTP methods that are being limited inside a Location section. HTTP method names are listed below in the section "HTTP METHODS".
+
LimitRequestBody size
+
Specifies the maximum size of print files, IPP requests, and HTML form data.
+The default is "0" which disables the limit check.
+
Listen ipv4-address:port
+
Listen [ipv6-address]:port
+
Listen *:port
+
Listen /path/to/domain/socket
+
Listens to the specified address and port or domain socket path for connections.
+Multiple Listen directives can be provided to listen on multiple addresses.
+The Listen directive is similar to the Port directive but allows you to restrict access to specific interfaces or networks.
+
ListenBackLog number
+
Specifies the number of pending connections that will be allowed.
+This normally only affects very busy servers that have reached the MaxClients limit, but can also be triggered by large numbers of simultaneous connections.
+When the limit is reached, the operating system will refuse additional connections until the scheduler can accept the pending ones.
+The default is the OS-defined default limit, typically either "5" for older operating systems or "128" for newer operating systems.
+
<Location /path> ... </Location>
Specifies access control for the named location.
-
LogDebugHistory #-messages
-
Specifies the number of debugging messages that are logged when an error
-occurs in a print job.
-
LogLevel alert
-
LogLevel crit
-
LogLevel debug2
-
LogLevel debug
-
LogLevel emerg
-
LogLevel error
-
LogLevel info
-
LogLevel none
-
LogLevel notice
-
LogLevel warn
-
Specifies the logging level for the ErrorLog file.
-
LogTimeFormat standard
-
LogTimeFormat usecs
+Paths are documented below in the section "LOCATION PATHS".
+
LogDebugHistory number
+
Specifies the number of debugging messages that are retained for logging if an error occurs in a print job. Debug messages are logged regardless of the LogLevel setting.
+
LogLevel none
+
LogLevel emerg
+
LogLevel alert
+
LogLevel crit
+
LogLevel error
+
LogLevel warn
+
LogLevel notice
+
LogLevel info
+
LogLevel debug
+
LogLevel debug2
+
Specifies the level of logging for the ErrorLog file.
+The value "none" stops all logging while "debug2" logs everything.
+The default is "warn".
+
LogTimeFormat standard
+
LogTimeFormat usecs
Specifies the format of the date and time in the log files.
-
MaxClients number
-
Specifies the maximum number of simultaneous clients to support.
-
MaxClientsPerHost number
-
Specifies the maximum number of simultaneous clients to support from a
+The value "standard" is the default and logs whole seconds while "usecs" logs microseconds.
+
MaxClients number
+
Specifies the maximum number of simultaneous clients that are allowed by the scheduler.
+The default is "100".
+
MaxClientsPerHost number
+
Specifies the maximum number of simultaneous clients that are allowed from a
single address.
-
MaxCopies number
+The default is the MaxClients value.
+
MaxCopies number
Specifies the maximum number of copies that a user can print of each job.
-
MaxHoldTime seconds
-
Specifies the maximum time a job may remain in the "indefinite" hold state
-before it is canceled. Set to 0 to disable cancellation of held jobs.
-
MaxJobs number
-
Specifies the maximum number of simultaneous jobs to support.
-
MaxJobsPerPrinter number
-
Specifies the maximum number of simultaneous jobs per printer to support.
-
MaxJobsPerUser number
-
Specifies the maximum number of simultaneous jobs per user to support.
-
MaxJobTime seconds
-
Specifies the maximum time a job may take to print before it is canceled. The
-default is 10800 seconds (3 hours). Set to 0 to disable cancellation of "stuck"
-jobs.
-
MaxLogSize number-bytes
-
Specifies the maximum size of the log files before they are
-rotated (0 to disable rotation)
-
MaxRequestSize number-bytes
-
Specifies the maximum request/file size in bytes (0 for no limit)
-
MultipleOperationTimeout seconds
-
Specifies the maximum amount of time to allow between files in a multiple file
-print job.
-
PageLogFormat format string
-
Specifies the format of page log lines.
-
PassEnv variable [... variable]
+The default is "9999".
+
MaxHoldTime seconds
+
Specifies the maximum time a job may remain in the "indefinite" hold state before it is canceled.
+The default is "0" which disables cancellation of held jobs.
+
MaxJobs number
+
Specifies the maximum number of simultaneous jobs that are allowed.
+Set to "0" to allow an unlimited number of jobs.
+The default is "500".
+
MaxJobsPerPrinter number
+
Specifies the maximum number of simultaneous jobs that are allowed per printer.
+The default is "0" which allows up to MaxJobs jobs per printer.
+
MaxJobsPerUser number
+
Specifies the maximum number of simultaneous jobs that are allowed per user.
+The default is "0" which allows up to MaxJobs jobs per user.
+
MaxJobTime seconds
+
Specifies the maximum time a job may take to print before it is canceled.
+Set to "0" to disable cancellation of "stuck" jobs.
+The default is "10800" (3 hours).
+
MaxLogSize size
+
Specifies the maximum size of the log files before they are rotated.
+The value "0" disables log rotation.
+The default is "1048576" (1MB).
+
MultipleOperationTimeout seconds
+
Specifies the maximum amount of time to allow between files in a multiple file print job.
+The default is "300" (5 minutes).
+
PageLogFormat format-string
+
Specifies the format of PageLog lines.
+Sequences beginning with percent (%) characters are replaced with the corresponding information, while all other characters are copied literally.
+The following percent sequences are recognized:
+
+
+ "%%" inserts a single percent character.
+ "%{name}" inserts the value of the specified IPP attribute.
+ "%C" inserts the number of copies for the current page.
+ "%P" inserts the current page number.
+ "%T" inserts the current date and time in common log format.
+ "%j" inserts the job ID.
+ "%p" inserts the printer name.
+ "%u" inserts the username.
+
+
Passes the specified environment variable(s) to child processes.
-
<Policy name> ... </Policy>
+
<Policy name> ... </Policy>
Specifies access control for the named policy.
-
Port number
-
Specifies a port number to listen to for HTTP requests.
-
PreserveJobFiles Yes
-
PreserveJobFiles No
-
Specifies whether or not to preserve job files after they are printed.
-
PreserveJobHistory Yes
-
PreserveJobHistory No
-
Specifies whether or not to preserve the job history after they are
-printed.
-
PrintcapFormat bsd
-
PrintcapFormat plist
-
PrintcapFormat solaris
-
Specifies the format of the printcap file.
-
ReloadTimeout seconds
-
Specifies the amount of time to wait for job completion before
-restarting the scheduler.
-
RIPCache bytes
-
Specifies the maximum amount of memory to use when converting images
-and PostScript files to bitmaps for a printer.
-
Satisfy all
-
Satisfy any
-
Specifies whether all or any limits set for a Location must be
-satisfied to allow access.
-
ServerAdmin user@domain.com
+
Port number
+
Listens to the specified port number for connections.
+
PreserveJobFiles Yes
+
PreserveJobFiles No
+
PreserveJobFiles seconds
+
Specifies whether job files (documents) are preserved after a job is printed.
+If a numeric value is specified, job files are preserved for the indicated number of seconds after printing.
+The default is "86400" (preserve 1 day).
+
PreserveJobHistory Yes
+
PreserveJobHistory No
+
PreserveJobHistory seconds
+
Specifies whether the job history is preserved after a job is printed.
+If a numeric value is specified, the job history is preserved for the indicated number of seconds after printing.
+If "Yes", the job history is preserved until the MaxJobs limit is reached.
+The default is "Yes".
+
ReloadTimeout seconds
+
Specifies the amount of time to wait for job completion before restarting the scheduler.
+The default is "30".
+
RIPCache size
+
Specifies the maximum amount of memory to use when converting documents into bitmaps for a printer.
+The default is "128m".
+
ServerAdmin email-address
Specifies the email address of the server administrator.
-
ServerAlias hostname [... hostname]
-
ServerAlias *
-
Specifies an alternate name that the server is known by. The special name "*"
-allows any name to be used.
-
ServerName hostname-or-ip-address
+The default value is "root@ServerName".
+
ServerAlias hostname [ ... hostname ]
+
ServerAlias *
+
The ServerAlias directive is used for HTTP Host header validation when clients connect to the scheduler from external interfaces.
+Using the special name "*" can expose your system to known browser-based DNS rebinding attacks, even when accessing sites through a firewall.
+If the auto-discovery of alternate names does not work, we recommend listing each alternate name with a ServerAlias directive instead of using "*".
+
ServerName hostname
Specifies the fully-qualified hostname of the server.
-
ServerTokens Full
-
ServerTokens Major
-
ServerTokens Minimal
-
ServerTokens Minor
-
ServerTokens None
-
ServerTokens OS
-
ServerTokens ProductOnly
-
Specifies what information is included in the Server header of HTTP
-responses.
-
SetEnv variable value
+The default is the value reported by the
+hostname(1)
+command.
+
ServerTokens None
+
ServerTokens ProductOnly
+
ServerTokens Major
+
ServerTokens Minor
+
ServerTokens Minimal
+
ServerTokens OS
+
ServerTokens Full
+
Specifies what information is included in the Server header of HTTP responses.
+"None" disables the Server header.
+"ProductOnly" reports "CUPS".
+"Major" reports "CUPS 2".
+"Minor" reports "CUPS 2.0".
+"Minimal" reports "CUPS 2.0.0".
+"OS" reports "CUPS 2.0.0 (UNAME)" where UNAME is the output of the
+uname(1)
+command.
+"Full" reports "CUPS 2.0.0 (UNAME) IPP/2.0".
+The default is "Minimal".
+
SetEnv variable value
Set the specified environment variable to be passed to child processes.
-
SSLListen
+
SSLListen ipv4-address:port
+
SSLListen [ipv6-address]:port
+
SSLListen *:port
Listens on the specified address and port for encrypted connections.
-
SSLPort
+
SSLPort port
Listens on the specified port for encrypted connections.
-
StrictConformance Yes
-
StrictConformance No
-
Specifies whether the scheduler requires clients to strictly adhere to the IPP
-specifications. The default is No.
-
Timeout seconds
-
Specifies the HTTP request timeout in seconds.
-
WebInterface yes
-
WebInterface no
+
StrictConformance Yes
+
StrictConformance No
+
Specifies whether the scheduler requires clients to strictly adhere to the IPP specifications.
+The default is "No".
+
Timeout seconds
+
Specifies the HTTP request timeout.
+The default is "300" (5 minutes).
+
WebInterface yes
+
WebInterface no
Specifies whether the web interface is enabled.
+The default is "No".
+
Specifies an access list for a job's private values. The "default" access list is "@OWNER @SYSTEM". "@ACL" maps to the printer's requesting-user-name-allowed or requesting-user-name-denied values.
-
Specifies an access list for a subscription's private values. The "default"
-access list is "@OWNER @SYSTEM". "@ACL" maps to the printer's
-requesting-user-name-allowed or requesting-user-name-denied values.
-
Specifies the list of job values to make private. The "default" values are
-"notify-events", "notify-pull-method", "notify-recipient-uri",
-"notify-subscriber-user-name", and "notify-user-data".
+
Allow all
+
Allow none
+
Allow host.domain.com
+
Allow *.domain.com
+
Allow ipv4-address
+
Allow ipv4-address/netmask
+
Allow ipv4-address/mm
+
Allow [ipv6-address]
+
Allow [ipv6-address]/mm
+
Allow @IF(name)
+
Allow @LOCAL
+
Allows access from the named hosts, domains, addresses, or interfaces.
+The Order directive controls whether Allow lines are evaluated before or after Deny lines.
+
AuthType None
+
AuthType Basic
+
AuthType Default
+
AuthType Negotiate
+
Specifies the type of authentication required.
+The value "Default" corresponds to the DefaultAuthType value.
+
Deny all
+
Deny none
+
Deny host.domain.com
+
Deny *.domain.com
+
Deny ipv4-address
+
Deny ipv4-address/netmask
+
Deny ipv4-address/mm
+
Deny [ipv6-address]
+
Deny [ipv6-address]/mm
+
Deny @IF(name)
+
Deny @LOCAL
+
Denies access from the named hosts, domains, addresses, or interfaces.
+The Order directive controls whether Deny lines are evaluated before or after Allow lines.
+
Encryption IfRequested
+
Encryption Never
+
Encryption Required
+
Specifies the level of encryption that is required for a particular location.
+The default value is "IfRequested".
+
Order allow,deny
+
Specifies that access is denied by default. Allow lines are then processed followed by Deny lines to determine whether a client may access a particular resource.
+
Order deny,allow
+
Specifies that access is allowed by default. Deny lines are then processed followed by Allow lines to determine whether a client may access a particular resource.
+
Require group group-name [ group-name ... ]
+
Specifies that an authenticated user must be a member of one of the named groups.
+
Require user {user-name|@group-name} ...
+
Specifies that an authenticated user must match one of the named users or be a member of one of the named groups.
+The group name "@SYSTEM" corresponds to the list of groups defined by the SystemGroup directive in the
+cups-files.conf(5)
+file.
+The group name "@OWNER" corresponds to the owner of the resource, for example the person that submitted a print job.
+
Require valid-user
+
Specifies that any authenticated user is acceptable.
+
Satisfy all
+
Specifies that all Allow, AuthType, Deny, Order, and Require conditions must be satisfied to allow access.
+
Satisfy any
+
Specifies that any a client may access a resource if either the authentication (AuthType/Require) or address (Allow/Deny/Order) conditions are satisfied.
+For example, this can be used to require authentication only for remote accesses.
Specifies an access list for a job's private values.
+The "default" access list is "@OWNER @SYSTEM".
+"@ACL" maps to the printer's requesting-user-name-allowed or requesting-user-name-denied values.
+"@OWNER" maps to the job's owner.
+"@SYSTEM" maps to the groups listed for the SystemGroup directive in the
+cups-files.conf(5)
+file.
+
Specifies the list of job values to make private.
+The "default" values are "job-name", "job-originating-host-name", "job-originating-user-name", and "phone".
+
Specifies an access list for a subscription's private values.
+The "default" access list is "@OWNER @SYSTEM".
+"@ACL" maps to the printer's requesting-user-name-allowed or requesting-user-name-denied values.
+"@OWNER" maps to the job's owner.
+"@SYSTEM" maps to the groups listed for the SystemGroup directive in the
+cups-files.conf(5)
+file.
+
Specifies the list of subscription values to make private.
+The "default" values are "notify-events", "notify-pull-method", "notify-recipient-uri", "notify-subscriber-user-name", and "notify-user-data".
+
The CUPS scheduler (cupsd) uses the
-/etc/cups/classes.conf file to store the list of
-available classes. This file contains only locally defined
-classes, not remote classes that are created automatically via
-browsing. Each directive is listed on a line by itself followed
-by its value. Comments are introduced using the number sign ("#")
-character at the beginning of a line.
-
-
While the class configuration file consists of plain text and
-can be modified using your favorite text editor, you should
-normally use the lpadmin(8)
-command, web interface, or any of the available GUIs to manage
-your classes instead. If you do choose to edit this file
-manually, you will need to stop the scheduler first, make your
-changes, and then start the scheduler to make them active.
The Accepting directive defines the initial state
-of the printer-is-accepting-jobs attribute. This state
-is also set by the accept(8) and
-reject(8) commands:
The DefaultClass directive begins a class
-definition as the default server destination. The default server
-destination can be set using the lpadmin(8)
-command:
-
-
-/usr/sbin/lpadmin -d classname
-
-
-
Note that the server default destination settings can be
-overridden by the user's default destination settings which are
-normally set using the lpoptions(1) command.
The JobSheets directive specifies the default
-banner pages to print before and after a print job. In the above
-example, only a standard banner will print after each
-job. The lpadmin(8) command is normally used to set
-the default banners:
-
-
If only one banner file is specified, it will be printed
-before the files in the job. If a second banner file is
-specified, it is printed after the files in the job.
-
-
The available banner pages depend on the local system
-configuration; CUPS includes the following standard banner
-files:
-
-
-
-
none - Do not produce a banner
- page.
-
-
classified - A banner page with a
- "classified" label at the top and bottom.
-
-
confidential - A banner page with a
- "confidential" label at the top and bottom.
-
-
secret - A banner page with a
- "secret" label at the top and bottom.
-
-
standard - A banner page with no label
- at the top and bottom.
-
-
topsecret - A banner page with a
- "top secret" label at the top and bottom.
-
-
unclassified - A banner page with an
- "unclassified" label at the top and bottom.
-<Class name>
- ...
- Option name value
- Option scaling 100
- Option page-left 72
-</Class>
-
-
-
Description
-
-
The Option directive specifies a default job
-template attribute value. It is mapped to
-name-default in the printer attributes and applied
-to jobs as name.
The QuotaPeriod directive defines the value of
-the job-quota-period attribute. Typical values are
-86400 (1 day), 604800 (1 week), 2592000 (1 month), and 31536000
-(1 year). It is set using the lpadmin(8)
-command:
The Shared directive defines the initial value of
-the printer-is-shared attribute. The strings
-yes and no correspond to the true and false
-values, respectively. The lpadmin(8) command sets
-the current state:
The State directive defines the initial value of
-the printer-state attribute. The strings
-idle and stopped correspond to the IPP
-enumeration values 3 and 5, respectively. The
-cupsenable(8) and cupsdisable(8)
-commands set the current state:
-<Class name>
- ...
- StateMessage Class is lonely.
-</Class>
-
-
-
Description
-
-
The StateMessage directive defines the initial
-string for the printer-state-message attribute. The
-following are some example messages:
-
-
-StateMessage Connected to host_name...
-StateMessage Connecting to printer_queue on port port_number...
-StateMessage Network host host_name is busy; will retry in 30 seconds...
-StateMessage Class busy; will retry in 10 seconds...
-StateMessage Class is busy; retrying print job...
-StateMessage Print file accepted - job ID id_number.
-StateMessage Waiting for job to complete
-
The StateTime directive defines the UNIX time
-(seconds since Jan 1, 1970) for the last state change of the
-queue. It is mapped to the printer-state-change-time
-attribute.
The /etc/cups/cupsd.conf file contains
-configuration directives that control how the server
-functions. Each directive is listed on a line by itself followed
-by its value. Comments are introduced using the number sign ("#")
-character at the beginning of a line.
-
-
Since the server configuration file consists of plain text,
-you can use your favorite text editor to make changes to it.
-After making any changes, restart the cupsd(8)
-process using the startup script for your operating system:
You can also edit this file from the CUPS web interface, which
-automatically handles restarting the scheduler.
-
-
Note:
-
-
The specification of time units ("w" for weeks, "h" for hours, etc.) in the various time interval directives is new in CUPS 1.6/OS X 10.8. Prior releases of CUPS only supported time intervals in seconds.
-<Location /path>
- ...
- Allow from All
- Allow from None
- Allow from *.example.com
- Allow from .example.com
- Allow from host.example.com
- Allow from nnn.*
- Allow from nnn.nnn.*
- Allow from nnn.nnn.nnn.*
- Allow from nnn.nnn.nnn.nnn
- Allow from nnn.nnn.nnn.nnn/mm
- Allow from nnn.nnn.nnn.nnn/mmm.mmm.mmm.mmm
- Allow from [xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]
- Allow from [xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]/mmm
- Allow from @LOCAL
- Allow from @IF(name)
-</Location>
-
-
-
Description
-
-
The Allow directive specifies a hostname, IP
-address, or network that is allowed access to the server.
-Allow directives are cumulative, so multiple
-Allow directives can be used to allow access for
-multiple hosts or networks.
-
-
Host and domain name matching require that you enable the HostNameLookups
-directive.
-
-
The /mm notation specifies a CIDR netmask, as shown in
-Table 1.
The @LOCAL name will allow access from all local
-interfaces. The @IF(name) name will allow access
-from the named interface. In both cases, CUPS only allows access
-from the network that the interface(s) are configured for -
-requests arriving on the interface from a foreign network will
-not be accepted.
-
-
The Allow directive must appear inside a Location or Limit section.
The AuthType directive defines the type of
-authentication to perform:
-
-
-
-
None - No authentication should be
- performed (default)
-
-
Basic - Basic authentication should be
- performed using the UNIX password and group files
-
-
Digest - Digest authentication should be
- performed using the /etc/cups/passwd.md5
- file
-
-
BasicDigest - Basic authentication
- should be performed using the
- /etc/cups/passwd.md5 file
-
-
Negotiate - Kerberos authentication
- should be performed
-
-
-
-
When using Basic, Digest,
-BasicDigest, or Negotiate authentication,
-clients connecting through the localhost interface can
-also authenticate using certificates.
-
-
The AuthType directive must appear inside a Location or Limit section.
The AutoPurgeJobs directive specifies whether or
-not to purge completed jobs once they are no longer required for
-quotas. This option has no effect if quotas are not enabled. The
-default setting is No.
-BrowseLocalProtocols all
-BrowseLocalProtocols none
-BrowseLocalProtocols dnssd
-
-
-
Description
-
-
The BrowseLocalProtocols directive specifies the protocols to use when advertising local shared printers on the network. Multiple protocols can be specified by separating them with spaces. The default is "dnssd" on systems that support Bonjour and "none" on all others.
The Classification directive sets the
-classification level on the server. When this option is set, at
-least one of the banner pages is forced to the classification
-level, and the classification is placed on each page of output.
-The default is no classification level.
The ClassifyOverride directive specifies whether
-users can override the default classification level on the
-server. When the server classification is set, users can change
-the classification using the job-sheets option and
-can choose to only print one security banner before or after the
-job. If the job-sheets option is set to
-none then the server default classification is
-used.
-
-
The default is to not allow classification overrides.
-DefaultLanguage de
-DefaultLanguage en
-DefaultLanguage es
-DefaultLanguage fr
-DefaultLanguage it
-
-
-
Description
-
-
The DefaultLanguage directive specifies the
-default language to use for client connections. Setting the
-default language also sets the default character set if a
-language localization file exists for it. The default language
-is "en" for English.
-DefaultPaperSize Letter
-DefaultPaperSize A4
-DefaultPaperSize Auto
-DefaultPaperSize None
-
-
-
Description
-
-
The DefaultPaperSize directive specifies the default paper
-size to use when creating new printers. The default is Auto
-which uses a paper size appropriate for the system default locale. A value
-of None tells the scheduler to not set the default paper
-size.
The DefaultPolicy directive specifies the default
-policy to use for IPP operation. The default is
-default. CUPS also includes a policy called
-authenticated that requires a username and password for printing
-and other job operations.
-<Location /path>
- ..
- Deny from All
- Deny from None
- Deny from *.example.com
- Deny from .example.com
- Deny from host.example.com
- Deny from nnn.*
- Deny from nnn.nnn.*
- Deny from nnn.nnn.nnn.*
- Deny from nnn.nnn.nnn.nnn
- Deny from nnn.nnn.nnn.nnn/mm
- Deny from nnn.nnn.nnn.nnn/mmm.mmm.mmm.mmm
- Deny from [xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]
- Deny from [xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]/mmm
- Deny from @LOCAL
- Deny from @IF(name)
-</Location>
-
-
-
Description
-
-
The Deny directive specifies a hostname, IP
-address, or network that is denied access to the server.
-Deny directives are cumulative, so multiple
-Deny directives can be used to deny access for
-multiple hosts or networks.
-
-
Host and domain name matching require that you enable the HostNameLookups
-directive.
-
-
The /mm notation specifies a CIDR netmask, a shown in
-Table 1.
-
-
The @LOCAL name will deny access from all local
-interfaces. The @IF(name) name will deny access from
-the named interface. In both cases, CUPS only denies access from
-the network that the interface(s) are configured for - requests
-arriving on the interface from a foreign network will
-not be denied.
-
-
The Deny directive must appear inside a Location or Limit section.
The DirtyCleanInterval directive specifies the amount of time to wait before updating configuration and state files for printers, classes, subscriptions, and jobs in seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix). A value of 0 causes the update to occur as soon as possible, typically within a few milliseconds.
The Encryption directive must appear instead a Location or Limit section and specifies the
-encryption settings for that location. The default setting is
-IfRequested for all locations.
The FilterLimit directive sets the maximum cost
-of all running job filters. It can be used to limit the number of
-filter programs that are run on a server to minimize disk,
-memory, and CPU resource problems. A limit of 0 disables filter
-limiting.
-
-
An average print to a non-PostScript printer needs a filter
-limit of about 200. A PostScript printer needs about half that
-(100). Setting the limit below these thresholds will effectively
-limit the scheduler to printing a single job at any time.
The FilterNice directive sets the nice(1)
-value to assign to filter processes. The nice value ranges from
-0, the highest priority, to 19, the lowest priority. The default
-is 0.
-HostNameLookups On
-HostNameLookups Off
-HostNameLookups Double
-
-
-
Description
-
-
The HostNameLookups directive controls whether or
-not CUPS looks up the hostname for connecting clients. The
-Double setting causes CUPS to verify that the
-hostname resolved from the address matches one of the addresses
-returned for that hostname. Double lookups also
-prevent clients with unregistered addresses from connecting to
-your server.
-
-
The default is Off to avoid the potential server
-performance problems with hostname lookups. Set this option to
-On or Double only if absolutely
-required.
The Include directive includes the named file in
-the cupsd.conf file. If no leading path is provided,
-the file is assumed to be relative to the ServerRoot directory.
-JobPrivateAccess all
-JobPrivateAccess default
-JobPrivateAccess {user|@group|@ACL|@OWNER|@SYSTEM}+
-
-
-
Description
-
-
The JobPrivateAccess directive specifies the access list for a
-job's private values. The "default" access list is "@OWNER @SYSTEM". "@ACL" maps
-to the printer's requesting-user-name-allowed or requesting-user-name-denied
-values.
-
-
The JobPrivateAccess directive must appear inside a Policy section.
The JobPrivateValues directive specifies the list of job values
-to make private. The "default" values are "job-name",
-"job-originating-host-name", "job-originating-user-name", and "phone".
-
-
The JobPrivateValues directive must appear inside a Policy section.
The JobRetryInterval directive specifies the amount of time to wait before retrying a job in seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix). This is typically used for fax queues but can also be used with normal print queues whose error policy is retry-job or retry-current-job.
The JobKillDelay directive specifies the amount of time to wait before killing the filters and backend associated with a canceled or held job in seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix).
The JobRetryLimit directive specifies the maximum
-number of times the scheduler will try to print a job. This is
-typically used for fax queues but can also be used with normal
-print queues whose error policy is retry-job. The
-default is 5 times.
The KeepAlive directive controls whether or not
-to support persistent HTTP connections. The default is
-On.
-
-
HTTP/1.1 clients automatically support persistent connections,
-while HTTP/1.0 clients must specifically request them using the
-Keep-Alive attribute in the Connection:
-field of each request.
The KeepAliveTimeout directive controls how long a persistent HTTP connection will remain open after the last request in seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix).
The Limit directive groups access control
-directives for specific types of HTTP requests and must appear
-inside a Location section.
-Access can be limited for individual request types
-(DELETE, GET, HEAD,
-OPTIONS, POST, PUT, and
-TRACE) or for all request types (ALL).
-The request type names are case-sensitive for compatibility with
-Apache.
When included in Policy
-sections, the Limit directive groups access control
-directives for specific IPP operations. Multiple operations can
-be listed, separated by spaces. Table 2 lists the supported
-operations.
The LimitExcept directive groups access control
-directives for specific types of HTTP requests and must appear
-inside a Location section.
-Unlike the Limit directive,
-LimitExcept restricts access for all requests
-except those listed on the LimitExcept
-line.
The LimitRequestBody directive controls the
-maximum size of print files, IPP requests, and HTML form data in
-HTTP POST requests. The default limit is 0 which disables the
-limit check.
The Listen directive specifies a network address
-and port to listen for connections. Multiple Listen
-directives can be provided to listen on multiple addresses.
-
-
The Listen directive is similar to the Port directive but allows you to
-restrict access to specific interfaces or networks.
The ListenBackLog directive sets the maximum
-number of pending connections the scheduler will allow. This
-normally only affects very busy servers that have reached the MaxClients limit, but can
-also be triggered by large numbers of simultaneous connections.
-When the limit is reached, the operating system will refuse
-additional connections until the scheduler can accept the pending
-ones. The default is the OS-defined default limit, typically
-either 5 for older operating systems or 128 for newer operating
-systems.
The Location directive specifies access control
-and authentication options for the specified HTTP resource or
-path. The Allow, AuthType, Deny, Encryption, Limit, LimitExcept, Order, Require, and Satisfy directives may all
-appear inside a location.
-
-
Note that more specific resources override the less specific
-ones. So the directives inside the /printers/name
-location will override ones from /printers.
-Directives inside /printers will override ones from
-/. None of the directives are inherited.
When LogLevel is not set to
-debug or debug2, the LogDebugHistory
-directive specifies the number of debugging messages that are logged when an
-error occurs during printing. The default is 200 messages. A value of 0
-disables debugging history entirely and is not recommended.
The LogLevel directive specifies the level of
-logging for the ErrorLog
-file. The following values are recognized (each level logs
-everything under the preceding levels):
-
-
-
-
none - Log nothing
-
-
emerg - Log emergency conditions that
- prevent the server from running
-
-
alert - Log alerts that must be handled
- immediately
-
-
crit - Log critical errors that don't
- prevent the server from running
The LogTimeFormat directive specifies the format used for the
-date and time in the log files. Standard uses the standard Apache
-Common Log Format date and time while usecs adds microseconds.
-The default is standard.
The MaxClients directive controls the maximum
-number of simultaneous clients that will be allowed by the
-server. The default is 100 clients.
-
-
Note:
-
-
Since each print job requires a file descriptor for the status
-pipe, the scheduler internally limits the MaxClients
-value to 1/3 of the available file descriptors to avoid possible
-problems when printing large numbers of jobs.
The MaxClientsPerHost directive controls the
-maximum number of simultaneous clients that will be allowed from
-a single host by the server. The default is the
-MaxClients value.
-
-
This directive provides a small measure of protection against
-Denial of Service attacks from a single host.
The MaxHoldTime directive controls the maximum number of seconds allowed for a job to remain in the "indefinite" hold state. The job is canceled automatically if it remains held indefinitely longer than the specified time interval in seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix).
-
-
The default setting is 0 which disables this functionality.
The MaxJobs directive controls the maximum number
-of jobs that are kept in memory. Once the number of jobs reaches
-the limit, the oldest completed job is automatically purged from
-the system to make room for the new one. If all of the known jobs
-are still pending or active then the new job will be
-rejected.
-
-
Setting the maximum size to 0 disables this functionality. The
-default setting is 500.
The MaxJobsPerPrinter directive controls the
-maximum number of active jobs that are allowed for each printer
-or class. Once a printer or class reaches the limit, new jobs
-will be rejected until one of the active jobs is completed,
-stopped, aborted, or canceled.
-
-
Setting the maximum to 0 disables this functionality. The
-default setting is 0.
The MaxJobsPerUser directive controls the maximum
-number of active jobs that are allowed for each user. Once a user
-reaches the limit, new jobs will be rejected until one of the
-active jobs is completed, stopped, aborted, or canceled.
-
-
Setting the maximum to 0 disables this functionality. The
-default setting is 0.
The MaxJobTime directive controls the maximum number of
-seconds allowed for a job to complete printing before it is considered "stuck".
-The job is canceled automatically if it takes longer than the specified time to complete in seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix).
-
-
Setting the maximum time to 0 disables this functionality. The default setting is 3h (3 hours).
The MaxLogSize directive controls the maximum
-size of each log file. Once a log file reaches or exceeds the
-maximum size it is closed and renamed to filename.O.
-This allows you to rotate the logs automatically. The default
-size is 1048576 bytes (1MB).
-
-
Setting the maximum size to 0 disables log rotation.
The MaxRequestSize directive controls the maximum
-size of print files, IPP requests, and HTML form data in HTTP
-POST requests. The default limit is 0 which disables the limit
-check.
-
-
This directive is deprecated and will be removed in a
-future CUPS release. Use the LimitRequestBody
-directive instead.
The MultipleOperationTimeout directive sets the maximum amount of time between files in a multi-file print job in seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix).
The PageLogFormat directive sets the format of lines
-that are logged to the page log file. Sequences beginning with percent (%)
-characters are replaced with the corresponding information, while all other
-characters are copied literally. The following percent sequences are
-recognized:
-
-
-
-
%%: Inserts a single percent character.
-
-
%{name}: Inserts the value of the specified IPP
- attribute.
-
-
%C: Inserts the number of copies for the current page.
-
-
%P: Inserts the current page number.
-
-
%T: Inserts the current date and time in common log
- format.
-
-
%j: Inserts the job ID.
-
-
%p: Inserts the printer name.
-
-
%u: Inserts the username.
-
-
-
-
The default is "%p %u %j %T %P %C %{job-billing} %{job-originating-host-name} %{job-name} %{media} %{sides}".
The PassEnv directive specifies an environment
-variable that should be passed to child processes. Normally, the
-scheduler only passes the DYLD_LIBRARY_PATH,
-LD_ASSUME_KERNEL, LD_LIBRARY_PATH,
-LD_PRELOAD, NLSPATH,
-SHLIB_PATH, TZ, and VGARGS
-environment variables to child processes.
The Policy directive specifies IPP operation
-access control limits. Each policy contains 1 or more Limit sections to set the
-access control limits for specific operations - user limits,
-authentication, encryption, and allowed/denied addresses,
-domains, or hosts. The <Limit All> section
-specifies the default access control limits for operations that
-are not listed.
-
-
Policies are named and associated with printers via the
-printer's operation policy setting
-(printer-op-policy). The default policy for the
-scheduler is specified using the DefaultPolicy
-directive.
The Port directive specifies a port to listen on.
-Multiple Port lines can be specified to listen on
-multiple ports. The Port directive is equivalent to
-"Listen *:nnn". The default port is 631.
-
-
Note:
-
-
On systems that support IPv6, this directive will bind to both
-the IPv4 and IPv6 wildcard address.
-PreserveJobHistory On
-PreserveJobHistory Off
-PreserveJobHistory 1w
-PreserveJobHistory 7d
-PreserveJobHistory 168h
-PreserveJobHistory 10080m
-PreserveJobHistory 604800
-
-
-
Description
-
-
The PreserveJobHistory directive controls whether the history of completed, canceled, or aborted print jobs is retained by the scheduler. A value of On preserves job information until the administrator purges it with the cancel command. A value of Off removes the job information as soon as each job is completed, canceled, or aborted. Numeric values preserve job information for the specified number of seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix).
-PreserveJobFiles On
-PreserveJobFiles Off
-PreserveJobFiles 1w
-PreserveJobFiles 7d
-PreserveJobFiles 168h
-PreserveJobFiles 10080m
-PreserveJobFiles 604800
-
-
-
Description
-
-
The PreserveJobFiles directive controls whether the document files of completed, canceled, or aborted print jobs are retained. Jobs can be restarted (and reprinted) as desired until they are purged.
-
-
A value of On preserves job files until the administrator purges them with the cancel command. A value of Off removes the job files as soon as each job is completed, canceled, or aborted. Numeric values preserve job files for the specified number of seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix).
The ReloadTimeout directive specifies the number
-of seconds the scheduler will wait for active jobs to complete
-before doing a restart. The default is 30 seconds.
-<Location /path>
- ...
- Require group foo bar
- Require user john mary
- Require valid-user
- Require user @groupname
- Require user @SYSTEM
- Require user @OWNER
-</Location>
-
-
-
Description
-
-
The Require directive specifies that
-authentication is required for the resource. The
-group keyword specifies that the authenticated user
-must be a member of one or more of the named groups that
-follow.
-
-
The user keyword specifies that the
-authenticated user must be one of the named users or groups that
-follow. Group names are specified using the "@" prefix.
-
-
The valid-user keyword specifies that any
-authenticated user may access the resource.
-
-
The default is to do no authentication. This directive must
-appear inside a Location or
-Limit section.
The RIPCache directive sets the size of the
-memory cache used by Raster Image Processor ("RIP") filters such
-as imagetoraster and pstoraster. The
-size can be suffixed with a "k" for kilobytes, "m" for megabytes,
-or "g" for gigabytes. The default cache size is "128m", or 128
-megabytes.
The RootCertDuration directive specifies the amount of time the root certificate remains valid in seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix). The scheduler will generate a new certificate as needed when the given time interval has expired. If set to 0, the root certificate is generated only once on startup or on a restart.
-<Location /path>
- ...
- Satisfy all
- Satisfy any
-</Location>
-
-
-
Description
-
-
The Satisfy directive specifies whether all
-conditions must be satisfied to allow access to the resource. If
-set to all, then all authentication and access
-control conditions must be satisfied to allow access.
-
-
Setting Satisfy to any allows a user
-to gain access if the authentication or access control
-requirements are satisfied. For example, you might require
-authentication for remote access, but allow local access without
-authentication.
-
-
The default is all. This directive must appear
-inside a Location or Limit section.
The ServerAdmin directive identifies the email
-address for the administrator on the system. By default the
-administrator email address is root@server, where
-server is the ServerName.
The ServerAlias directive specifies alternate names that the server is known by. By default it contains a list of all aliases associated with the ServerName. The special name "*" can be used to allow any hostname when accessing CUPS via an external network interfaces.
-
-
Note
-
-
The ServerAlias directive is used for HTTP Host header
-validation when clients connect to the scheduler from external interfaces.
-Using the special name "*" can expose your system to known browser-based
-DNS rebinding attacks, even when accessing sites through a firewall. If the
-auto-discovery of alternate names does not work, we recommend listing each
-alternate name with a ServerAlias directive instead of using "*".
-ServerTokens None
-ServerTokens ProductOnly
-ServerTokens Major
-ServerTokens Minor
-ServerTokens Minimal
-ServerTokens OS
-ServerTokens Full
-
-
-
Description
-
-
The ServerTokens directive specifies the
-information that is included in the Server: header
-of all HTTP responses. Table 4 lists the token name along with
-the text that is returned. The default is
-Minimal.
The SSLListen directive specifies a network
-address and port to listen for secure connections. Multiple
-SSLListen directives can be provided to listen on
-multiple addresses.
-
-
The SSLListen directive is similar to the SSLPort directive but allows you
-to restrict access to specific interfaces or networks.
The StrictConformance directive specifies whether the scheduler
-requires strict IPP conformance for client requests, for example to not allow
-document attributes in a Create-Job request. The default is
-No.
-SubscriptionPrivateAccess all
-SubscriptionPrivateAccess default
-SubscriptionPrivateAccess {user|@group|@ACL|@OWNER|@SYSTEM}+
-
-
-
Description
-
-
The SubscriptionPrivateAccess directive specifies the access list for a
-subscription's private values. The "default" access list is "@OWNER @SYSTEM".
-"@ACL" maps to the printer's requesting-user-name-allowed or
-requesting-user-name-denied values.
-
-
The SubscriptionPrivateAccess directive must appear inside a Policy section.
The SubscriptionPrivateValues directive specifies the list of
-subscription values to make private. The "default" values are "notify-events",
-"notify-pull-method", "notify-recipient-uri", "notify-subscriber-user-name", and
-"notify-user-data".
-
-
The SubscriptionPrivateValues directive must appear inside a Policy section.
The Timeout directive controls the amount of time
-to wait before an active HTTP or IPP request times out in seconds (no suffix), minutes ("m" suffix), hours ("h" suffix), days ("d" suffix), or weeks ("w" suffix).
The /etc/cups/mailto.conf file contains several
-directives that defines the local mail server and email
-notification preferences for CUPS. Each directive is listed on a
-line by itself followed by its value. Comments are introduced
-using the number sign ("#") character at the beginning of a
-line.
-Cc bigbrother@example.com
-Cc John Doe <jd@example.com>
-
-
-
Description
-
-
The Cc directive specifies an additional
-recipient ("carbon copy") for all email notifications. The
-default is to not send a copy to anyone but the subscriber.
The Sendmail directive specifies the command to
-run to deliver an email locally. This directive cannot be used
-with the SMTPServer directive, and if both
-Sendmail and SMTPServer lines appear in the
-mailto.conf file, only the last line is used. The
-default is /usr/sbin/sendmail.
The SMTPServer directive specifies a hostname or
-IP address of a (possibly remote) SMTP mail server. This
-directive cannot be used with the Sendmail directive,
-and if both Sendmail and SMTPServer lines
-appear in the mailto.conf file, only the last line is
-used. The default is to use the Sendmail command
-instead.
The CUPS scheduler (cupsd) uses the
-/etc/cups/printers.conf file to store the list of
-available printers. This file contains only locally defined
-printers, not remote printers that are created automatically via
-browsing. Each directive is listed on a line by itself followed
-by its value. Comments are introduced using the number sign ("#")
-character at the beginning of a line.
-
-
While the printer configuration file consists of plain text
-and can be modified using your favorite text editor, you should
-normally use the lpadmin(8)
-command, web interface, or any of the available GUIs to manage
-your printers instead. If you do choose to edit this file
-manually, you will need to stop the scheduler first, make your
-changes, and then start the scheduler to make them active.
The Accepting directive defines the initial state
-of the printer-is-accepting-jobs attribute. This state
-is also set by the cupsaccept(8) and
-cupsreject(8) commands:
The DefaultPrinter directive begins a printer
-definition as the default server destination. The default server
-destination can be set using the lpadmin(8)
-command:
-
-
-/usr/sbin/lpadmin -d printername
-
-
-
Note that the server default destination settings can be
-overridden by the user's default destination settings which are
-normally set using the lpoptions(1) command.
The ErrorPolicy directive defines the policy that
-is used when a backend is unable to send a print job to the
-printer. The lpadmin(8) command sets the current
-error policy:
The JobSheets directive specifies the default
-banner pages to print before and after a print job. In the above
-example, only a standard banner will print after each
-job. The lpadmin(8) command is normally used to set
-the default banners:
-
-
If only one banner file is specified, it will be printed
-before the files in the job. If a second banner file is
-specified, it is printed after the files in the job.
-
-
The available banner pages depend on the local system
-configuration; CUPS includes the following standard banner
-files:
-
-
-
-
none - Do not produce a banner
- page.
-
-
classified - A banner page with a
- "classified" label at the top and bottom.
-
-
confidential - A banner page with a
- "confidential" label at the top and bottom.
-
-
secret - A banner page with a
- "secret" label at the top and bottom.
-
-
standard - A banner page with no label
- at the top and bottom.
-
-
topsecret - A banner page with a
- "top secret" label at the top and bottom.
-
-
unclassified - A banner page with an
- "unclassified" label at the top and bottom.
-<Printer name>
- ...
- Option name value
- Option scaling 100
- Option page-left 72
-</Printer>
-
-
-
Description
-
-
The Option directive specifies a default job
-template attribute value. It is mapped to
-name-default in the printer attributes and applied
-to jobs as name.
The PortMonitor directive sets the filter program that
-is used for every print job, typically to encode or package the print
-data in a format acceptable for a particular printer interface. It is
-set using the lpadmin(8) command:
The QuotaPeriod directive defines the value of
-the job-quota-period attribute. Typical values are
-86400 (1 day), 604800 (1 week), 2592000 (1 month), and 31536000
-(1 year). It is set using the lpadmin(8)
-command:
The Shared directive defines the initial value of
-the printer-is-shared attribute. The strings
-yes and no correspond to the true and false
-values, respectively. The lpadmin(8) command sets
-the current state:
The State directive defines the initial value of
-the printer-state attribute. The strings
-idle and stopped correspond to the IPP
-enumeration values 3 and 5, respectively. The
-cupsenable(8) and cupsdisable(8)
-commands set the current state:
The StateMessage directive defines the initial
-string for the printer-state-message attribute. The
-following are some example messages:
-
-
-StateMessage Connected to host_name...
-StateMessage Connecting to printer_queue on port port_number...
-StateMessage Network host host_name is busy; will retry in 30 seconds...
-StateMessage Printer busy; will retry in 10 seconds...
-StateMessage Printer is busy; retrying print job...
-StateMessage Print file accepted - job ID id_number.
-StateMessage Waiting for job to complete
-
The StateTime directive defines the UNIX time
-(seconds since Jan 1, 1970) for the last state change of the
-queue. It is mapped to the printer-state-change-time
-attribute.
The /etc/cups/snmp.conf file contains several
-directives that determine how the SNMP printer discovery backend
-behaves. Each directive is listed on a line by itself followed
-by its value. Comments are introduced using the number sign ("#")
-character at the beginning of a line.
-
-
The SNMP backend uses the SNMPv1 protocol to discover network
-printers, collecting information from the Host MIB along with
-intelligent port probes to determine the correct device URI and
-make and model for each printer. Future versions of CUPS will
-likely support the new Port Monitor MIB as well.
The Address directive specifies a broadcast
-address to use when discovering printers. Multiple
-Address lines can be provided to scan different
-subnets.
-
-
The default address is @LOCAL, which broadcasts to
-all LANs.
The DebugLevel directive specifies the debugging
-level to use when searching for network printers. Level 0
-produces no debugging information. Level 1 produces basic
-debugging information. Level 2 adds printing of the SNMP
-messages. Level 3 adds a hex dump of the network data.
The DeviceURI directive specifies a regular expression
-(enclosed in double quotes) that is matched against the SNMP device
-description OID returned by a printer. If the description matches the
-regular expression, each device URI that follows the regular expression
-is listed by the backend, with any occurrences of %s
-replaced by the device's hostname or IP address. If no URIs are listed,
-the device is ignored.
-
-
The DeviceURI directives are processed serially in
-the order specified in the snmp.conf file until a match
-is found.
The CUPS scheduler (cupsd) uses the
-/etc/cups/subscriptions.conf file to store the list
-of active subscriptions. Each directive is listed on a line by
-itself followed by its value. Comments are introduced using the
-number sign ("#") character at the beginning of a line.
-
-
While the subscriptions configuration file consists of plain
-text and can be modified using your favorite text editor, you
-should normally use the command-line programs (lp(1) and lpr(1)) or specific applications via IPP
-requests to manage your subscriptions.
The ExpirationTime directive specifies the
-expiration time of the subscription as a UNIX time value. It is 0
-for subscriptions with no predefined expiration time.
-
-
The ExpirationTime directive must appear inside a
-Subscription
-section.
The LeaseDuration directive specifies the number
-of seconds that the subscription is valid. A value of 0 means
-that the subscription will last forever or the life of the print
-job the subscription is attached to.
-
-
The LeaseDuration directive must appear inside a Subscription section.
The NextEventId directive specifies the
-notify-sequence-number value for the next
-notification event. It starts at 1 and increases for every event
-that is delivered for the subscription.
-
-
The NextEventId directive must appear inside a Subscription section.
The Recipient directive specifies the
-notify-recipient-uri value for push-type
-notifications. The URI scheme name determines which notifier
-program is used to send the event(s).
-
-
The Recipient directive must appear inside a Subscription section.
The UserData directive specifies the
-notify-user-data value, which is normally the "to"
-address used in mailto notifications. Binary values
-are introduced by encoding the bytes as hexadecimal values inside
-angle brackets, e.g. "<1234>".
-
-
The UserData directive must appear inside a Subscription section.
-
-
-
diff --git a/man/Makefile b/man/Makefile
index 3e3ada05bb..75f9dce649 100644
--- a/man/Makefile
+++ b/man/Makefile
@@ -61,6 +61,7 @@ MAN8 = cupsaccept.$(MAN8EXT) \
cups-snmp.$(MAN8EXT) \
cupsd.$(MAN8EXT) \
cupsd-helper.$(MAN8EXT) \
+ cupsd-logs.$(MAN8EXT) \
cupsenable.$(MAN8EXT) \
lpadmin.$(MAN8EXT) \
lpinfo.$(MAN8EXT) \
diff --git a/man/cups-files.conf.man.in b/man/cups-files.conf.man.in
index cc0788b15c..49fadd4fef 100644
--- a/man/cups-files.conf.man.in
+++ b/man/cups-files.conf.man.in
@@ -12,7 +12,7 @@
.\" which should have been included with this file. If this file is
.\" file is missing or damaged, see the license at "http://www.cups.org/".
.\"
-.TH cups-files.conf 5 "CUPS" "15 April 2014" "Apple Inc."
+.TH cups-files.conf 5 "CUPS" "11 June 2014" "Apple Inc."
.SH NAME
cups\-files.conf \- file and directory configuration file for cups
.SH DESCRIPTION
@@ -21,59 +21,68 @@ The \fBcups\-files.conf\fR file configures the files and directories used by the
It is normally located in the \fI/etc/cups\fR directory.
.LP
Each line in the file can be a configuration directive, a blank line, or a comment.
+Configuration directives typically consist of a name and zero or more values separated by whitespace.
+The configuration directive name and values are case-insensitive.
Comment lines start with the # character.
.SS DIRECTIVES
The following directives are understood by
.BR cupsd (8):
.TP 5
-\fBAccessLog \fIfilename\fR
+\fBAccessLog\fR
.TP 5
-\fBAccessLog \fR[ \fIfilename\fR ]
+\fBAccessLog \fIfilename\fR
.TP 5
\fBAccessLog syslog\fR
Defines the access log filename.
-The value "syslog" causes log entries to be sent to the system log daemon.
Specifying a blank filename disables access log generation.
+The value "syslog" causes log entries to be sent to the system log daemon.
The server name may be included in filenames using the string "%s", for example:
.nf
AccessLog /var/log/cups/%s-access_log
.fi
+The default is "/var/log/cups/access_log".
.TP 5
\fBConfigFilePerm \fImode\fR
Specifies the permissions for all configuration files that the scheduler writes.
-The default is 0644 on OS X and 0640 on all other operating systems.
-\fBNote:\fR The permissions for the printers.conf file are currently masked to only allow access from the scheduler user (typically root).
+The default is "0644" on OS X and "0640" on all other operating systems.
+.IP
+\fBNote:\fR The permissions for the \fIprinters.conf\fR file are currently masked to only allow access from the scheduler user (typically root).
This is done because printer device URIs sometimes contain sensitive authentication information that should not be generally known on the system.
There is no way to disable this security feature.
.TP 5
\fBDataDir \fIpath\fR
-Specifies the directory where data files can be found. The default is usually \fI/usr/share/cups\fR.
+Specifies the directory where data files can be found.
+The default is usually "/usr/share/cups".
.TP 5
\fBDocumentRoot \fIdirectory\fR
-Specifies the root directory for the CUPS web interface content. The default is usually \fI/usr/share/doc/cups\fR.
+Specifies the root directory for the CUPS web interface content.
+The default is usually "/usr/share/doc/cups".
+.TP 5
+\fBErrorLog\fR
.TP 5
-\fBErrorLog \fR[ \fIfilename\fR ]
+\fBErrorLog \fIfilename\fR
.TP 5
\fBErrorLog syslog\fR
Defines the error log filename.
-The value "syslog" causes log entries to be sent to the system log daemon.
Specifying a blank filename disables error log generation.
+The value "syslog" causes log entries to be sent to the system log daemon.
The server name may be included in filenames using the string "%s", for example:
.nf
ErrorLog /var/log/cups/%s-error_log
.fi
+The default is "/var/log/cups/error_log".
.TP 5
\fBFatalErrors none\fR
.TP 5
-\fBFatalErrors all \fI\-kind \fR[ \fI... \-kind \fR]
+\fBFatalErrors all \fI\-kind \fR[ ... \fI\-kind \fR]
.TP 5
-\fBFatalErrors \fIkind \fR[ \fI... kind \fR]
+\fBFatalErrors \fIkind \fR[ ... \fIkind \fR]
Specifies which errors are fatal, causing the scheduler to exit.
-The default setting is "config".
+The default is "config".
The \fIkind\fR strings are:
.RS 5
.TP 5
@@ -105,16 +114,13 @@ Bad startup file permissions are fatal, for example shared TLS certificate and k
Specifies whether the file pseudo-device can be used for new printer queues.
The URI "file:///dev/null" is always allowed.
.TP 5
-\fBFontPath \fIdirectory\fR[:\fI...\fR:\fIdirectory\fR]
-Specifies the search path for fonts.
-\fBThis directive is deprecated and will no longer be supported in a future release of CUPS.\fR
-.TP 5
\fBGroup \fIgroup-name-or-number\fR
Specifies the group name or ID that will be used when executing external programs.
-The default group is operating system specific but is usually \fIlp\fR or \fInobody\fR.
+The default group is operating system specific but is usually "lp" or "nobody".
.TP 5
\fBLogFilePerm \fImode\fR
-Specifies the permissions of all log files that the scheduler writes. The default is 0644.
+Specifies the permissions of all log files that the scheduler writes.
+The default is "0644".
.TP 5
\fBPageLog \fR[ \fIfilename\fR ]
.TP 5
@@ -128,17 +134,15 @@ The server name may be included in filenames using the string "%s", for example:
PageLog /var/log/cups/%s-page_log
.fi
-.TP 5
-\fBPrintcap \fR[ \fIfilename\fR ]
-Defines the printcap filename that the scheduler automatically updates with the current list of available printers, which is sometimes used by legacy applications.
-Specifying a blank filename disables printcap generation.
-\fBThis directive is deprecated and will no longer be supported in a future release of CUPS.\fR
+The default is "/var/log/cups/page_log".
.TP 5
\fBRemoteRoot \fIusername\fR
Specifies the username that is associated with unauthenticated accesses by clients claiming to be the root user.
+The default is "remroot".
.TP 5
\fBRequestRoot \fIdirectory\fR
Specifies the directory that contains print jobs and other HTTP request data.
+The default is "/var/spool/cups".
.TP 5
\fBSandboxing off\fR
.TP 5
@@ -147,32 +151,39 @@ Specifies the directory that contains print jobs and other HTTP request data.
\fBSandboxing strict\fR
Specifies the level of security sandboxing that is applied to print filters, backends, and other child processes of the scheduler.
The default is "strict".
-This directive is currently only used on OS X.
+This directive is currently only used/supported on OS X.
.TP 5
\fBServerBin \fIdirectory\fR
Specifies the directory containing the backends, CGI programs, filters, helper programs, notifiers, and port monitors.
+The default is "/usr/lib/cups" or "/usr/libexec/cups" depending on the platform.
.TP 5
\fBServerKeychain \fIpath\fR
Specifies the location of TLS certificates and private keys.
+The default is "/Library/Keychains/System.keychain" on OS X and "/etc/cups/ssl" on all other operating systems.
.TP 5
\fBServerRoot \fIdirectory\fR
Specifies the directory containing the server configuration files.
+The default is "/etc/cups".
.TP 5
\fBSyncOnClose Yes\fR
.TP 5
\fBSyncOnClose No\fR
Specifies whether the scheduler calls
.BR fsync (2)
-after writing configuration or state files. The default is No.
+after writing configuration or state files.
+The default is "No".
.TP 5
-\fBSystemGroup \fIgroup-name \fR[ \fI... group-name\fR ]
+\fBSystemGroup \fIgroup-name \fR[ ... \fIgroup-name\fR ]
Specifies the group(s) to use for \fI@SYSTEM\fR group authentication.
+The default contains "admin", "lpadmin", "root", "sys", and/or "system".
.TP 5
\fBTempDir \fIdirectory\fR
Specifies the directory where temporary files are stored.
+The default is "/var/spool/cups/tmp".
.TP 5
\fBUser \fIusername\fR
Specifies the user name or ID that is used when running external programs.
+The default is "lp".
.SH SEE ALSO
.BR classes.conf (5),
.BR cups (1),
diff --git a/man/cupsd-logs.man b/man/cupsd-logs.man
new file mode 100644
index 0000000000..7d2cfefeaf
--- /dev/null
+++ b/man/cupsd-logs.man
@@ -0,0 +1,94 @@
+.\"
+.\" "$Id$"
+.\"
+.\" cupsd-helper man page for CUPS.
+.\"
+.\" Copyright 2007-2014 by Apple Inc.
+.\" Copyright 1997-2006 by Easy Software Products.
+.\"
+.\" These coded instructions, statements, and computer programs are the
+.\" property of Apple Inc. and are protected by Federal copyright
+.\" law. Distribution and use rights are outlined in the file "LICENSE.txt"
+.\" which should have been included with this file. If this file is
+.\" file is missing or damaged, see the license at "http://www.cups.org/".
+.\"
+.TH cupsd-helper 8 "CUPS" "15 April 2014" "Apple Inc."
+.SH NAME
+cupsd\-helper \- cupsd helper programs
+.SH SYNOPSIS
+.B cups\-deviced
+.I request-id
+.I limit
+.I user-id
+.I options
+.br
+.B cups\-driverd
+.B cat
+.I ppd-name
+.br
+.B cups\-driverd
+.B list
+.I request_id
+.I limit
+.I options
+.br
+.B cups\-exec
+.I sandbox-profile
+[
+.I \-g
+.I group-id
+] [
+.I \-n
+.I nice-value
+] [
+.I \-u
+.I user-id
+]
+.I /path/to/program
+.I argv0
+.I ...
+.I argvN
+.SH DESCRIPTION
+The \fBcupsd\-helper\fR programs perform long-running operations on behalf of the scheduler,
+.BR cupsd (8).
+The \fBcups-deviced\fR helper program runs each CUPS
+.BR backend (7)
+with no arguments in order to discover the available printers.
+.LP
+The \fBcups-driverd\fR helper program lists all available printer drivers, a subset of "matching" printer drivers, or a copy of a specific driver PPD file.
+.LP
+The \fBcups-exec\fR helper program runs backends, filters, and other programs. On OS X these programs are run in a secure sandbox.
+.SH FILES
+The \fBcups-driverd\fR program looks for PPD and driver information files in the following directories:
+.nf
+
+ \fI/Library/Printers\fR
+ \fI/opt/share/ppd\fR
+ \fI/System/Library/Printers\fR
+ \fI/usr/local/share/ppd\fR
+ \fI/usr/share/cups/drv\fR
+ \fI/usr/share/cups/model\fR
+ \fI/usr/share/ppd\fR
+.fi
+.LP
+PPD files can be compressed using the
+.BR gzip (1)
+program or placed in compressed
+.BR tar (1)
+archives to further reduce their size.
+.LP
+Driver information files must conform to the format defined in
+.BR ppdcfile (5).
+.SH SEE ALSO
+.BR backend (7),
+.BR cups (1),
+.BR cupsd (8),
+.BR cupsd.conf (5),
+.BR filter (7),
+.BR ppdcfile (5),
+CUPS Online Help (http://localhost:631/help)
+.SH COPYRIGHT
+Copyright \[co] 2007-2014 by Apple Inc.
+.\"
+.\" End of "$Id$".
+.\"
diff --git a/man/cupsd.conf.man.in b/man/cupsd.conf.man.in
index 40fe9bdc1b..dd19a4e0aa 100644
--- a/man/cupsd.conf.man.in
+++ b/man/cupsd.conf.man.in
@@ -12,7 +12,7 @@
.\" which should have been included with this file. If this file is
.\" file is missing or damaged, see the license at "http://www.cups.org/".
.\"
-.TH cupsd.conf 5 "CUPS" "28 March 2014" "Apple Inc."
+.TH cupsd.conf 5 "CUPS" "11 June 2014" "Apple Inc."
.SH NAME
cupsd.conf \- server configuration file for cups
.SH DESCRIPTION
@@ -22,426 +22,770 @@ file configures the CUPS scheduler,
.BR cupsd (8).
It is normally located in the
.I /etc/cups
-directory. \fBNote:\fR File, directory, and user configuration directives that used to be allowed in the \fIcupsd.conf\fR file are now stored in the \fIcups-files.conf(5)\fR instead in order to prevent certain types of privilege escalation attacks.
+directory.
+\fBNote:\fR File, directory, and user configuration directives that used to be allowed in the \fBcupsd.conf\fR file are now stored in the
+.BR cups-files.conf (5)
+file instead in order to prevent certain types of privilege escalation attacks.
.LP
-Each line in the file can be a configuration directive, a blank line, or a comment. Comment lines start with the # character. The configuration directives are intentionally similar to those used by the popular Apache web server software and are described below.
-.SH TOP-LEVEL DIRECTIVES
-The following directives are understood by
-.B cupsd (8).
-Consult the online help (http://localhost:631/help) for detailed descriptions:
+Each line in the file can be a configuration directive, a blank line, or a comment.
+Configuration directives typically consist of a name and zero or more values separated by whitespace.
+The configuration directive name and values are case-insensitive.
+Comment lines start with the # character.
+.SS TOP-LEVEL DIRECTIVES
+The following top-level directives are understood by
+.BR cupsd (8):
.TP 5
-AccessLogLevel config
+\fBAccessLogLevel config\fR
.TP 5
-AccessLogLevel actions
+\fBAccessLogLevel actions\fR
.TP 5
-AccessLogLevel all
+\fBAccessLogLevel all\fR
Specifies the logging level for the AccessLog file.
+The "config" level logs when printers and classes are added, deleted, or modified and when configuration files are accessed or updated.
+The "actions" level logs when print jobs are submitted, held, released, modified, or canceled, and any of the conditions for "config".
+The "all" level logs all requests.
+The default access log level is "actions".
.TP 5
-AutoPurgeJobs Yes
+\fBAutoPurgeJobs Yes\fR
.TP 5
-AutoPurgeJobs No
+\fBAutoPurgeJobs No\fR
.br
-Specifies whether to purge job history data automatically when
-it is no longer required for quotas.
+Specifies whether to purge job history data automatically when it is no longer required for quotas.
+The default is "No".
.TP 5
-BrowseLocalProtocols [
-.I All
-] [
-.I DNSSD
-]
-Specifies the protocols to use for local printer sharing.
+\fBBrowseLocalProtocols all\fR
.TP 5
-BrowseWebIF Yes
+\fBBrowseLocalProtocols dnssd\fR
.TP 5
-BrowseWebIF No
+\fBBrowseLocalProtocols none\fR
+Specifies which protocols to use for local printer sharing.
+The default is "dnssd" on systems that support Bonjour and "none" otherwise.
+.TP 5
+\fBBrowseWebIF Yes\fR
+.TP 5
+\fBBrowseWebIF No\fR
.br
-Specifies whether the CUPS web interface is advertised via DNS-SD.
+Specifies whether the CUPS web interface is advertised.
+The default is "No".
.TP 5
-Browsing Yes
+\fBBrowsing Yes\fR
.TP 5
-Browsing No
+\fBBrowsing No\fR
.br
-Specifies whether or not shared printers should be advertised.
+Specifies whether shared printers are advertised.
+The default is "No".
.TP 5
-Classification banner
+\fBClassification \fIbanner\fR
.br
Specifies the security classification of the server.
+Any valid banner name can be used, including "classified", "confidential", "secret", "topsecret", and "unclassified", or the banner can be omitted to disable secure printing functions.
+The default is no classification banner.
.TP 5
-ClassifyOverride Yes
+\fBClassifyOverride Yes\fR
.TP 5
-ClassifyOverride No
+\fBClassifyOverride No\fR
.br
-Specifies whether to allow users to override the classification
-of individual print jobs.
+Specifies whether users may override the classification (cover page) of individual print jobs using the "job-sheets" option.
+The default is "No".
.TP 5
-DefaultAuthType Basic
+\fBDefaultAuthType Basic\fR
.TP 5
-DefaultAuthType Negotiate
+\fBDefaultAuthType Negotiate\fR
.br
Specifies the default type of authentication to use.
+The default is "Basic".
.TP 5
-DefaultEncryption Never
+\fBDefaultEncryption Never\fR
.TP 5
-DefaultEncryption IfRequested
+\fBDefaultEncryption IfRequested\fR
.TP 5
-DefaultEncryption Required
-Specifies the type of encryption to use for authenticated requests.
+\fBDefaultEncryption Required\fR
+Specifies whether encryption will be used for authenticated requests.
+The default is "Required".
.TP 5
-DefaultLanguage locale
+\fBDefaultLanguage \fIlocale\fR
Specifies the default language to use for text and web content.
+The default is "en".
.TP 5
-DefaultPaperSize Auto
+\fBDefaultPaperSize Auto\fR
.TP 5
-DefaultPaperSize None
+\fBDefaultPaperSize None\fR
.TP 5
-DefaultPaperSize sizename
-Specifies the default paper size for new print queues. "Auto" uses a locale-
-specific default, while "None" specifies there is no default paper size.
+\fBDefaultPaperSize \fIsizename\fR
+Specifies the default paper size for new print queues. "Auto" uses a locale-specific default, while "None" specifies there is no default paper size.
+Specific size names are typically "Letter" or "A4".
+The default is "Auto".
.TP 5
-DefaultPolicy policy-name
+\fBDefaultPolicy \fIpolicy-name\fR
Specifies the default access policy to use.
+The default access policy is "default".
.TP 5
-DefaultShared Yes
+\fBDefaultShared Yes\fR
.TP 5
-DefaultShared No
+\fBDefaultShared No\fR
Specifies whether local printers are shared by default.
+The default is "Yes".
+.TP 5
+\fBDirtyCleanInterval \fIseconds\fR
+Specifies the delay for updating of configuration and state files.
+A value of 0 causes the update to happen as soon as possible, typically within a few milliseconds.
+The default value is "30".
+.TP 5
+\fBFilterLimit \fIlimit\fR
+Specifies the maximum cost of filters that are run concurrently, which can be used to minimize disk, memory, and CPU resource problems.
+A limit of 0 disables filter limiting.
+An average print to a non-PostScript printer needs a filter limit of about 200.
+A PostScript printer needs about half that (100).
+Setting the limit below these thresholds will effectively limit the scheduler to printing a single job at any time.
+The default limit is "0".
+.TP 5
+\fBFilterNice \fInice-value\fR
+Specifies the scheduling priority (
+.BR nice (8)
+value) of filters that are run to print a job.
+The nice value ranges from 0, the highest priority, to 19, the lowest priority.
+The default is 0.
+.TP 5
+\fBGSSServiceName \fIname\fR
+Specifies the service name when using Kerberos authentication.
+The default service name is "http."
+.TP 5
+\fBHostNameLookups On\fR
+.TP 5
+\fBHostNameLookups Off\fR
+.TP 5
+\fBHostNameLookups Double\fR
+Specifies whether to do reverse lookups on connecting clients.
+The "Double" setting causes
+.BR cupsd (8)
+to verify that the hostname resolved from the address matches one of the addresses returned for that hostname.
+Double lookups also prevent clients with unregistered addresses from connecting to your server.
+The default is "Off" to avoid the potential server performance problems with hostname lookups.
+Only set this option to "On" or "Double" if absolutely required.
+.TP 5
+\fBJobKillDelay \fIseconds\fR
+Specifies the number of seconds to wait before killing the filters and backend associated with a canceled or held job.
+The default is "30".
+.TP 5
+\fBJobRetryInterval \fIseconds\fR
+Specifies the interval between retries of jobs in seconds.
+This is typically used for fax queues but can also be used with normal print queues whose error policy is "retry-job" or "retry-current-job".
+The default is "30".
.TP 5
-DirtyCleanInterval seconds
-Specifies the delay for updating of configuration and state files. A value of 0
-causes the update to happen as soon as possible, typically within a few
-milliseconds.
+\fBJobRetryLimit \fIcount\fR
+Specifies the number of retries that are done for jobs.
+This is typically used for fax queues but can also be used with normal print queues whose error policy is "retry-job" or "retry-current-job".
+The default is "5".
.TP 5
-FilterLimit limit
-Specifies the maximum cost of filters that are run concurrently.
+\fBKeepAlive Yes\fR
.TP 5
-FilterNice nice-value
-Specifies the scheduling priority ("nice" value) of filters that
-are run to print a job.
+\fBKeepAlive No\fR
+Specifies whether to support HTTP keep-alive connections.
+The default is "Yes".
.TP 5
-GSSServiceName name
-Specifies the service name when using Kerberos authentication. The default
-service name is "http".
+\fBKeepAliveTimeout \fIseconds\fR
+Specifies how long an idle client connection remains open.
+The default is "30".
.TP 5
-HostNameLookups On
+\fB \fR... \fB\fR
+Specifies the IPP operations that are being limited inside a Policy section. IPP operation names are listed below in the section "IPP OPERATIONS".
.TP 5
-HostNameLookups Off
+\fB \fR... \fB\fR
.TP 5
-HostNameLookups Double
-Specifies whether or not to do reverse lookups on client addresses.
+\fB \fR... \fB\fR
+Specifies the HTTP methods that are being limited inside a Location section. HTTP method names are listed below in the section "HTTP METHODS".
.TP 5
-Include filename
-Includes the named file.
+\fBLimitRequestBody \fIsize\fR
+Specifies the maximum size of print files, IPP requests, and HTML form data.
+The default is "0" which disables the limit check.
.TP 5
-JobKillDelay seconds
-Specifies the number of seconds to wait before killing the filters and backend
-associated with a canceled or held job.
+\fBListen \fIipv4-address\fB:\fIport\fR
.TP 5
-JobRetryInterval seconds
-Specifies the interval between retries of jobs in seconds.
+\fBListen [\fIipv6-address\fB]:\fIport\fR
.TP 5
-JobRetryLimit count
-Specifies the number of retries that are done for jobs.
+\fBListen *:\fIport\fR
.TP 5
-KeepAlive Yes
+\fBListen \fI/path/to/domain/socket\fR
+Listens to the specified address and port or domain socket path for connections.
+Multiple Listen directives can be provided to listen on multiple addresses.
+The Listen directive is similar to the Port directive but allows you to restrict access to specific interfaces or networks.
.TP 5
-KeepAlive No
-Specifies whether to support HTTP keep-alive connections.
+\fBListenBackLog \fInumber\fR
+Specifies the number of pending connections that will be allowed.
+This normally only affects very busy servers that have reached the MaxClients limit, but can also be triggered by large numbers of simultaneous connections.
+When the limit is reached, the operating system will refuse additional connections until the scheduler can accept the pending ones.
+The default is the OS-defined default limit, typically either "5" for older operating systems or "128" for newer operating systems.
.TP 5
-KeepAliveTimeout seconds
-Specifies the amount of time that connections are kept alive.
+\fB \fR... \fB\fR
+Specifies access control for the named location.
+Paths are documented below in the section "LOCATION PATHS".
.TP 5
- ...
-Specifies the IPP operations that are being limited inside a policy.
+\fBLogDebugHistory \fInumber\fR
+Specifies the number of debugging messages that are retained for logging if an error occurs in a print job. Debug messages are logged regardless of the LogLevel setting.
.TP 5
- ...
+\fBLogLevel \fRnone
.TP 5
- ...
-Specifies the HTTP methods that are being limited inside a location.
+\fBLogLevel \fRemerg
.TP 5
-LimitRequestBody
-Specifies the maximum size of any print job request.
+\fBLogLevel \fRalert
.TP 5
-Listen ip-address:port
+\fBLogLevel \fRcrit
.TP 5
-Listen *:port
+\fBLogLevel \fRerror
.TP 5
-Listen /path/to/domain/socket
-Listens to the specified address and port or domain socket path.
+\fBLogLevel \fRwarn
.TP 5
- ...
-Specifies access control for the named location.
+\fBLogLevel \fRnotice
.TP 5
-LogDebugHistory #-messages
-Specifies the number of debugging messages that are logged when an error
-occurs in a print job.
+\fBLogLevel \fRinfo
.TP 5
-LogLevel alert
+\fBLogLevel \fRdebug
.TP 5
-LogLevel crit
+\fBLogLevel \fRdebug2
+Specifies the level of logging for the ErrorLog file.
+The value "none" stops all logging while "debug2" logs everything.
+The default is "warn".
.TP 5
-LogLevel debug2
+\fBLogTimeFormat \fRstandard
.TP 5
-LogLevel debug
+\fBLogTimeFormat \fRusecs
+Specifies the format of the date and time in the log files.
+The value "standard" is the default and logs whole seconds while "usecs" logs microseconds.
.TP 5
-LogLevel emerg
+\fBMaxClients \fInumber\fR
+Specifies the maximum number of simultaneous clients that are allowed by the scheduler.
+The default is "100".
.TP 5
-LogLevel error
+\fBMaxClientsPerHost \fInumber\fR
+Specifies the maximum number of simultaneous clients that are allowed from a
+single address.
+The default is the MaxClients value.
.TP 5
-LogLevel info
+\fBMaxCopies \fInumber\fR
+Specifies the maximum number of copies that a user can print of each job.
+The default is "9999".
+.TP 5
+\fBMaxHoldTime \fIseconds\fR
+Specifies the maximum time a job may remain in the "indefinite" hold state before it is canceled.
+The default is "0" which disables cancellation of held jobs.
+.TP 5
+\fBMaxJobs \fInumber\fR
+Specifies the maximum number of simultaneous jobs that are allowed.
+Set to "0" to allow an unlimited number of jobs.
+The default is "500".
+.TP 5
+\fBMaxJobsPerPrinter \fInumber\fR
+Specifies the maximum number of simultaneous jobs that are allowed per printer.
+The default is "0" which allows up to MaxJobs jobs per printer.
+.TP 5
+\fBMaxJobsPerUser \fInumber\fR
+Specifies the maximum number of simultaneous jobs that are allowed per user.
+The default is "0" which allows up to MaxJobs jobs per user.
+.TP 5
+\fBMaxJobTime \fIseconds\fR
+Specifies the maximum time a job may take to print before it is canceled.
+Set to "0" to disable cancellation of "stuck" jobs.
+The default is "10800" (3 hours).
+.TP 5
+\fBMaxLogSize \fIsize\fR
+Specifies the maximum size of the log files before they are rotated.
+The value "0" disables log rotation.
+The default is "1048576" (1MB).
+.TP 5
+\fBMultipleOperationTimeout \fIseconds\fR
+Specifies the maximum amount of time to allow between files in a multiple file print job.
+The default is "300" (5 minutes).
+.TP 5
+\fBPageLogFormat \fIformat-string\fR
+Specifies the format of PageLog lines.
+Sequences beginning with percent (%) characters are replaced with the corresponding information, while all other characters are copied literally.
+The following percent sequences are recognized:
+.nf
+
+ "%%" inserts a single percent character.
+ "%{name}" inserts the value of the specified IPP attribute.
+ "%C" inserts the number of copies for the current page.
+ "%P" inserts the current page number.
+ "%T" inserts the current date and time in common log format.
+ "%j" inserts the job ID.
+ "%p" inserts the printer name.
+ "%u" inserts the username.
+
+.fi
+The default is "%p %u %j %T %P %C %{job-billing} %{job-originating-host-name} %{job-name} %{media} %{sides}".
+.TP 5
+\fBPassEnv \fIvariable \fR[ ... \fIvariable \fR]
+Passes the specified environment variable(s) to child processes.
.TP 5
-LogLevel none
+\fB \fR... \fB\fR
+Specifies access control for the named policy.
.TP 5
-LogLevel notice
+\fBPort \fInumber\fR
+Listens to the specified port number for connections.
.TP 5
-LogLevel warn
-Specifies the logging level for the ErrorLog file.
+\fBPreserveJobFiles Yes\fR
.TP 5
-LogTimeFormat standard
+\fBPreserveJobFiles No\fR
.TP 5
-LogTimeFormat usecs
-Specifies the format of the date and time in the log files.
+\fBPreserveJobFiles \fIseconds\fR
+Specifies whether job files (documents) are preserved after a job is printed.
+If a numeric value is specified, job files are preserved for the indicated number of seconds after printing.
+The default is "86400" (preserve 1 day).
.TP 5
-MaxClients number
-Specifies the maximum number of simultaneous clients to support.
+\fBPreserveJobHistory Yes\fR
.TP 5
-MaxClientsPerHost number
-Specifies the maximum number of simultaneous clients to support from a
-single address.
+\fBPreserveJobHistory No\fR
.TP 5
-MaxCopies number
-Specifies the maximum number of copies that a user can print of each job.
+\fBPreserveJobHistory \fIseconds\fR
+Specifies whether the job history is preserved after a job is printed.
+If a numeric value is specified, the job history is preserved for the indicated number of seconds after printing.
+If "Yes", the job history is preserved until the MaxJobs limit is reached.
+The default is "Yes".
.TP 5
-MaxHoldTime seconds
-Specifies the maximum time a job may remain in the "indefinite" hold state
-before it is canceled. Set to 0 to disable cancellation of held jobs.
+\fBReloadTimeout \fIseconds\fR
+Specifies the amount of time to wait for job completion before restarting the scheduler.
+The default is "30".
.TP 5
-MaxJobs number
-Specifies the maximum number of simultaneous jobs to support.
+\fBRIPCache \fIsize\fR
+Specifies the maximum amount of memory to use when converting documents into bitmaps for a printer.
+The default is "128m".
.TP 5
-MaxJobsPerPrinter number
-Specifies the maximum number of simultaneous jobs per printer to support.
+\fBServerAdmin \fIemail-address\fR
+Specifies the email address of the server administrator.
+The default value is "root@ServerName".
.TP 5
-MaxJobsPerUser number
-Specifies the maximum number of simultaneous jobs per user to support.
+\fBServerAlias \fIhostname \fR[ ... \fIhostname \fR]
.TP 5
-MaxJobTime seconds
-Specifies the maximum time a job may take to print before it is canceled. The
-default is 10800 seconds (3 hours). Set to 0 to disable cancellation of "stuck"
-jobs.
+\fBServerAlias *\fR
+The ServerAlias directive is used for HTTP Host header validation when clients connect to the scheduler from external interfaces.
+Using the special name "*" can expose your system to known browser-based DNS rebinding attacks, even when accessing sites through a firewall.
+If the auto-discovery of alternate names does not work, we recommend listing each alternate name with a ServerAlias directive instead of using "*".
.TP 5
-MaxLogSize number-bytes
-Specifies the maximum size of the log files before they are
-rotated (0 to disable rotation)
+\fBServerName \fIhostname\fR
+Specifies the fully-qualified hostname of the server.
+The default is the value reported by the
+.BR hostname (1)
+command.
.TP 5
-MaxRequestSize number-bytes
-Specifies the maximum request/file size in bytes (0 for no limit)
+\fBServerTokens None\fR
.TP 5
-MultipleOperationTimeout seconds
-Specifies the maximum amount of time to allow between files in a multiple file
-print job.
+\fBServerTokens ProductOnly\fR
.TP 5
-PageLogFormat format string
-Specifies the format of page log lines.
+\fBServerTokens Major\fR
.TP 5
-PassEnv variable [... variable]
-Passes the specified environment variable(s) to child processes.
+\fBServerTokens Minor\fR
.TP 5
- ...
-Specifies access control for the named policy.
+\fBServerTokens Minimal\fR
.TP 5
-Port number
-Specifies a port number to listen to for HTTP requests.
+\fBServerTokens OS\fR
.TP 5
-PreserveJobFiles Yes
+\fBServerTokens Full\fR
+Specifies what information is included in the Server header of HTTP responses.
+"None" disables the Server header.
+"ProductOnly" reports "CUPS".
+"Major" reports "CUPS 2".
+"Minor" reports "CUPS 2.0".
+"Minimal" reports "CUPS 2.0.0".
+"OS" reports "CUPS 2.0.0 (UNAME)" where UNAME is the output of the
+.BR uname (1)
+command.
+"Full" reports "CUPS 2.0.0 (UNAME) IPP/2.0".
+The default is "Minimal".
.TP 5
-PreserveJobFiles No
-Specifies whether or not to preserve job files after they are printed.
+\fBSetEnv \fIvariable value\fR
+Set the specified environment variable to be passed to child processes.
.TP 5
-PreserveJobHistory Yes
.TP 5
-PreserveJobHistory No
-Specifies whether or not to preserve the job history after they are
-printed.
+\fBSSLListen \fIipv4-address\fB:\fIport\fR
.TP 5
-PrintcapFormat bsd
+\fBSSLListen [\fIipv6-address\fB]:\fIport\fR
.TP 5
-PrintcapFormat plist
+\fBSSLListen *:\fIport\fR
+Listens on the specified address and port for encrypted connections.
.TP 5
-PrintcapFormat solaris
-Specifies the format of the printcap file.
+\fBSSLPort \fIport\fR
+Listens on the specified port for encrypted connections.
.TP 5
-ReloadTimeout seconds
-Specifies the amount of time to wait for job completion before
-restarting the scheduler.
+\fBStrictConformance Yes\fR
.TP 5
-RIPCache bytes
-Specifies the maximum amount of memory to use when converting images
-and PostScript files to bitmaps for a printer.
+\fBStrictConformance No\fR
+Specifies whether the scheduler requires clients to strictly adhere to the IPP specifications.
+The default is "No".
.TP 5
-Satisfy all
+\fBTimeout \fIseconds\fR
+Specifies the HTTP request timeout.
+The default is "300" (5 minutes).
.TP 5
-Satisfy any
-Specifies whether all or any limits set for a Location must be
-satisfied to allow access.
+\fBWebInterface yes\fR
.TP 5
-ServerAdmin user@domain.com
-Specifies the email address of the server administrator.
+\fBWebInterface no\fR
+Specifies whether the web interface is enabled.
+The default is "No".
+.SS HTTP METHOD NAMES
+The following HTTP methods are supported by
+.BR cupsd (8):
.TP 5
-ServerAlias hostname [... hostname]
+GET
+Used by a client to download icons and other printer resources and to access the CUPS web interface.
.TP 5
-ServerAlias *
-Specifies an alternate name that the server is known by. The special name "*"
-allows any name to be used.
+HEAD
+Used by a client to get the type, size, and modification date of resources.
.TP 5
-ServerName hostname-or-ip-address
-Specifies the fully-qualified hostname of the server.
+OPTIONS
+Used by a client to establish a secure (SSL/TLS) connection.
.TP 5
-ServerTokens Full
+POST
+Used by a client to submit IPP requests and HTML forms from the CUPS web interface.
.TP 5
-ServerTokens Major
+PUT
+Used by a client to upload configuration files.
+.SS IPP OPERATION NAMES
+The following IPP operations are supported by
+.BR cupsd (8):
.TP 5
-ServerTokens Minimal
+CUPS\-Accept\-Jobs
+Allows a printer to accept new jobs.
.TP 5
-ServerTokens Minor
+CUPS\-Add\-Modify\-Class
+Adds or modifies a printer class.
.TP 5
-ServerTokens None
+CUPS\-Add\-Modify\-Printer
+Adds or modifies a printer.
.TP 5
-ServerTokens OS
+CUPS\-Authenticate\-Job
+Releases a job that is held for authentication.
.TP 5
-ServerTokens ProductOnly
-Specifies what information is included in the Server header of HTTP
-responses.
+CUPS\-Delete\-Class
+Deletes a printer class.
.TP 5
-SetEnv variable value
-Set the specified environment variable to be passed to child processes.
+CUPS\-Delete\-Printer
+Deletes a printer.
.TP 5
-SSLListen
-Listens on the specified address and port for encrypted connections.
+CUPS\-Get\-Classes
+Gets a list of printer classes.
.TP 5
-SSLPort
-Listens on the specified port for encrypted connections.
+CUPS\-Get\-Default
+Gets the server default printer or printer class.
.TP 5
-StrictConformance Yes
+CUPS\-Get\-Devices
+Gets a list of devices that are currently available.
.TP 5
-StrictConformance No
-Specifies whether the scheduler requires clients to strictly adhere to the IPP
-specifications. The default is No.
+CUPS\-Get\-Document
+Gets a document file for a job.
.TP 5
-Timeout seconds
-Specifies the HTTP request timeout in seconds.
+CUPS\-Get\-PPD
+Gets a PPD file.
.TP 5
-WebInterface yes
+CUPS\-Get\-PPDs
+Gets a list of installed PPD files.
.TP 5
-WebInterface no
-Specifies whether the web interface is enabled.
-.SH DIRECTIVES VALID WITHIN LOCATION AND LIMIT SECTIONS
-The following directives may be placed inside Location and Limit sections in the \fIcupsd.conf\fR file:
+CUPS\-Get\-Printers
+Gets a list of printers.
+.TP 5
+CUPS\-Move\-Job
+Moves a job.
+.TP 5
+CUPS\-Reject\-Jobs
+Prevents a printer from accepting new jobs.
+.TP 5
+CUPS\-Set\-Default
+Sets the server default printer or printer class.
+.TP 5
+Cancel\-Job
+Cancels a job.
+.TP 5
+Cancel\-Jobs
+Cancels one or more jobs.
+.TP 5
+Cancel\-My\-Jobs
+Cancels one or more jobs creates by a user.
+.TP 5
+Cancel\-Subscription
+Cancels a subscription.
+.TP 5
+Close\-Job
+Closes a job that is waiting for more documents.
+.TP 5
+Create\-Job
+Creates a new job with no documents.
+.TP 5
+Create\-Job\-Subscriptions
+Creates a subscription for job events.
+.TP 5
+Create\-Printer\-Subscriptions
+Creates a subscription for printer events.
+.TP 5
+Get\-Job\-Attributes
+Gets information about a job.
+.TP 5
+Get\-Jobs
+Gets a list of jobs.
+.TP 5
+Get\-Notifications
+Gets a list of event notifications for a subscription.
+.TP 5
+Get\-Printer\-Attributes
+Gets information about a printer or printer class.
+.TP 5
+Get\-Subscription\-Attributes
+Gets information about a subscription.
+.TP 5
+Get\-Subscriptions
+Gets a list of subscriptions.
+.TP 5
+Hold\-Job
+Holds a job from printing.
+.TP 5
+Hold\-New\-Jobs
+Holds all new jobs from printing.
+.TP 5
+Pause\-Printer
+Stops processing of jobs by a printer or printer class.
+.TP 5
+Pause\-Printer\-After\-Current\-Job
+Stops processing of jobs by a printer or printer class after the current job is finished.
+.TP 5
+Print\-Job
+Creates a new job with a single document.
+.TP 5
+Purge\-Jobs
+Cancels one or more jobs and deletes the job history.
+.TP 5
+Release\-Held\-New\-Jobs
+Allows previously held jobs to print.
+.TP 5
+Release\-Job
+Allows a job to print.
+.TP 5
+Renew\-Subscription
+Renews a subscription.
+.TP 5
+Restart\-Job
+Reprints a job, if possible.
+.TP 5
+Send\-Document
+Adds a document to a job.
+.TP 5
+Set\-Job\-Attributes
+Changes job information.
+.TP 5
+Set\-Printer\-Attributes
+Changes printer or printer class information.
+.TP 5
+Validate\-Job
+Validates options for a new job.
+.SS LOCATION PATHS
+The following paths are commonly used when configuring
+.BR cupsd (8):
+.TP 5
+/
+The path for all get operations (get-printers, get-jobs, etc.)
+.TP 5
+/admin
+The path for all administration operations (add-printer, delete-printer, start-printer, etc.)
+.TP 5
+/admin/conf
+The path for access to the CUPS configuration files (cupsd.conf, client.conf, etc.)
+.TP 5
+/admin/log
+The path for access to the CUPS log files (access_log, error_log, page_log)
+.TP 5
+/classes
+The path for all printer classes
+.TP 5
+/classes/name
+The resource for the named printer class
+.TP 5
+/jobs
+The path for all jobs (hold-job, release-job, etc.)
+.TP 5
+/jobs/id
+The path for the specified job.
+.TP 5
+/printers
+The path for all printers
+.TP 5
+/printers/name
+The path for the named printer
+.TP 5
+/printers/name.png
+The icon file path for the named printer
+.TP 5
+/printers/name.ppd
+The PPD file path for the named printer
+.SS DIRECTIVES VALID WITHIN LOCATION AND LIMIT SECTIONS
+The following directives may be placed inside Location and Limit sections in the \fBcupsd.conf\fR file:
+.TP 5
+\fBAllow all\fR
+.TP 5
+\fBAllow none\fR
+.TP 5
+\fBAllow \fIhost.domain.com\fR
+.TP 5
+\fBAllow *.\fIdomain.com\fR
+.TP 5
+\fBAllow \fIipv4-address\fR
+.TP 5
+\fBAllow \fIipv4-address\fB/\fInetmask\fR
+.TP 5
+\fBAllow \fIipv4-address\fB/\fImm\fR
.TP 5
-Allow all
+\fBAllow [\fIipv6-address\fB]\fR
.TP 5
-Allow none
+\fBAllow [\fIipv6-address\fB]/\fImm\fR
.TP 5
-Allow host.domain.com
+\fBAllow @IF(\fIname\fB)\fR
.TP 5
-Allow *.domain.com
+\fBAllow @LOCAL\fR
+Allows access from the named hosts, domains, addresses, or interfaces.
+The Order directive controls whether Allow lines are evaluated before or after Deny lines.
.TP 5
-Allow ip-address
+\fBAuthType None\fR
.TP 5
-Allow ip-address/netmask
+\fBAuthType Basic\fR
.TP 5
-Allow ip-address/mm
+\fBAuthType Default\fR
.TP 5
-Allow @IF(name)
+\fBAuthType Negotiate\fR
+Specifies the type of authentication required.
+The value "Default" corresponds to the DefaultAuthType value.
.TP 5
-Allow @LOCAL
-Allows access from the named hosts or addresses.
+\fBDeny all\fR
.TP 5
-AuthType None
+\fBDeny none\fR
.TP 5
-AuthType Basic
+\fBDeny \fIhost.domain.com\fR
.TP 5
-AuthType Negotiate
-Specifies the authentication type (None, Basic, or Negotiate)
+\fBDeny *.\fIdomain.com\fR
.TP 5
-Deny all
+\fBDeny \fIipv4-address\fR
.TP 5
-Deny none
+\fBDeny \fIipv4-address\fB/\fInetmask\fR
.TP 5
-Deny host.domain.com
+\fBDeny \fIipv4-address\fB/\fImm\fR
.TP 5
-Deny *.domain.com
+\fBDeny [\fIipv6-address\fB]\fR
.TP 5
-Deny ip-address
+\fBDeny [\fIipv6-address\fB]/\fImm\fR
.TP 5
-Deny ip-address/netmask
+\fBDeny @IF(\fIname\fB)\fR
.TP 5
-Deny ip-address/mm
+\fBDeny @LOCAL\fR
+Denies access from the named hosts, domains, addresses, or interfaces.
+The Order directive controls whether Deny lines are evaluated before or after Allow lines.
.TP 5
-Deny @IF(name)
+\fBEncryption IfRequested\fR
.TP 5
-Deny @LOCAL
-Denies access to the named host or address.
+\fBEncryption Never\fR
.TP 5
-Encryption IfRequested
+\fBEncryption Required\fR
+Specifies the level of encryption that is required for a particular location.
+The default value is "IfRequested".
.TP 5
-Encryption Never
+\fBOrder allow,deny\fR
+Specifies that access is denied by default. Allow lines are then processed followed by Deny lines to determine whether a client may access a particular resource.
.TP 5
-Encryption Required
-Specifies the level of encryption that is required for a particular
-location.
+\fBOrder deny,allow\fR
+Specifies that access is allowed by default. Deny lines are then processed followed by Allow lines to determine whether a client may access a particular resource.
.TP 5
-Order allow,deny
+\fBRequire group \fIgroup-name \fR[ \fIgroup-name \fR... ]
+Specifies that an authenticated user must be a member of one of the named groups.
.TP 5
-Order deny,allow
-Specifies the order of HTTP access control (allow,deny or deny,allow)
+\fBRequire user {\fIuser-name\fR|\fB@\fIgroup-name\fR} ...
+Specifies that an authenticated user must match one of the named users or be a member of one of the named groups.
+The group name "@SYSTEM" corresponds to the list of groups defined by the SystemGroup directive in the
+.BR cups-files.conf (5)
+file.
+The group name "@OWNER" corresponds to the owner of the resource, for example the person that submitted a print job.
.TP 5
-Require group group-name-list
+\fBRequire valid-user\fR
+Specifies that any authenticated user is acceptable.
.TP 5
-Require user user-name-list
+\fBSatisfy all\fR
+Specifies that all Allow, AuthType, Deny, Order, and Require conditions must be satisfied to allow access.
.TP 5
-Require valid-user
-Specifies that user or group authentication is required.
-.SH DIRECTIVES VALID WITHIN POLICY SECTIONS
-The following directives may be placed inside Policy sections in the \fIcupsd.conf\fR file:
+\fBSatisfy any\fR
+Specifies that any a client may access a resource if either the authentication (AuthType/Require) or address (Allow/Deny/Order) conditions are satisfied.
+For example, this can be used to require authentication only for remote accesses.
+.SS DIRECTIVES VALID WITHIN POLICY SECTIONS
+The following directives may be placed inside Policy sections in the \fBcupsd.conf\fR file:
.TP 5
-JobPrivateAccess all
+\fBJobPrivateAccess all\fR
.TP 5
-JobPrivateAccess default
+\fBJobPrivateAccess default\fR
.TP 5
-JobPrivateAccess {user|@group|@ACL|@OWNER|@SYSTEM}+
-Specifies an access list for a job's private values. The "default" access list is "@OWNER @SYSTEM". "@ACL" maps to the printer's requesting-user-name-allowed or requesting-user-name-denied values.
+\fBJobPrivateAccess \fR{\fIuser\fR|\fB@\fIgroup\fR|\fB@ACL\fR|\fB@OWNER\fR|\fB@SYSTEM\fR} ...
+Specifies an access list for a job's private values.
+The "default" access list is "@OWNER @SYSTEM".
+"@ACL" maps to the printer's requesting-user-name-allowed or requesting-user-name-denied values.
+"@OWNER" maps to the job's owner.
+"@SYSTEM" maps to the groups listed for the SystemGroup directive in the
+.BR cups-files.conf (5)
+file.
.TP 5
-JobPrivateValues all
+\fBJobPrivateValues all\fR
.TP 5
-JobPrivateValues default
+\fBJobPrivateValues default\fR
.TP 5
-JobPrivateValues none
+\fBJobPrivateValues none\fR
.TP 5
-JobPrivateValues attribute-name-1 [ ... attribute-name-N ]
-Specifies the list of job values to make private. The "default" values are "job-name", "job-originating-host-name", and "job-originating-user-name".
+\fBJobPrivateValues \fIattribute-name \fR[ ... \fIattribute-name \fR]
+Specifies the list of job values to make private.
+The "default" values are "job-name", "job-originating-host-name", "job-originating-user-name", and "phone".
.TP 5
-SubscriptionPrivateAccess all
+\fBSubscriptionPrivateAccess all\fR
.TP 5
-SubscriptionPrivateAccess default
+\fBSubscriptionPrivateAccess default\fR
.TP 5
-SubscriptionPrivateAccess {user|@group|@ACL|@OWNER|@SYSTEM}+
-Specifies an access list for a subscription's private values. The "default"
-access list is "@OWNER @SYSTEM". "@ACL" maps to the printer's
-requesting-user-name-allowed or requesting-user-name-denied values.
+\fBSubscriptionPrivateAccess \fR{\fIuser\fR|\fB@\fIgroup\fR|\fB@ACL\fR|\fB@OWNER\fR|\fB@SYSTEM\fR} ...
+Specifies an access list for a subscription's private values.
+The "default" access list is "@OWNER @SYSTEM".
+"@ACL" maps to the printer's requesting-user-name-allowed or requesting-user-name-denied values.
+"@OWNER" maps to the job's owner.
+"@SYSTEM" maps to the groups listed for the SystemGroup directive in the
+.BR cups-files.conf (5)
+file.
.TP 5
-SubscriptionPrivateValues all
+\fBSubscriptionPrivateValues all\fR
.TP 5
-SubscriptionPrivateValues default
+\fBSubscriptionPrivateValues default\fR
.TP 5
-SubscriptionPrivateValues none
+\fBSubscriptionPrivateValues none\fR
.TP 5
-SubscriptionPrivateValues attribute-name-1 [ ... attribute-name-N ]
-Specifies the list of job values to make private. The "default" values are
-"notify-events", "notify-pull-method", "notify-recipient-uri",
-"notify-subscriber-user-name", and "notify-user-data".
+\fBSubscriptionPrivateValues \fIattribute-name \fR[ ... \fIattribute-name \fR]
+Specifies the list of subscription values to make private.
+The "default" values are "notify-events", "notify-pull-method", "notify-recipient-uri", "notify-subscriber-user-name", and "notify-user-data".
+.SH CONFORMING TO
+The \fBcupsd.conf\fR file format is based on the Apache HTTP Server configuration file format.
+.SH EXAMPLES
+Log everything with a maximum log file size of 32 megabytes:
+.nf
+
+ AccessLogLevel all
+ LogLevel debug2
+ MaxLogSize 32m
+
+.fi
+Require authentication for accesses from outside the 10. network:
+.nf
+
+
+ Order allow,deny
+ Allow from 10./8
+ AuthType Basic
+ Require valid-user
+ Satisfy any
+
+.fi
.SH SEE ALSO
-.BR classes.conf (5), cups-files.conf (5), cupsd (8), mime.convs (5), mime.types (5), printers.conf (5), subscriptions.conf (5),
-http://localhost:631/help
+.BR classes.conf (5),
+.BR cups-files.conf (5),
+.BR cupsd (8),
+.BR mime.convs (5),
+.BR mime.types (5),
+.BR printers.conf (5),
+.BR subscriptions.conf (5),
+CUPS Online Help (http://localhost:631/help)
.SH COPYRIGHT
Copyright \[co] 2007-2014 by Apple Inc.
.\"
diff --git a/man/cupsd.man.in b/man/cupsd.man.in
index 58c09393ca..7709943a83 100644
--- a/man/cupsd.man.in
+++ b/man/cupsd.man.in
@@ -12,7 +12,7 @@
.\" which should have been included with this file. If this file is
.\" file is missing or damaged, see the license at "http://www.cups.org/".
.\"
-.TH cupsd 8 "CUPS" "3 April 2014" "Apple Inc."
+.TH cupsd 8 "CUPS" "10 June 2014" "Apple Inc."
.SH NAME
cupsd \- cups scheduler
.SH SYNOPSIS
@@ -75,6 +75,7 @@ Test the configuration file for syntax errors.
.I /usr/share/cups/mime/mime.convs
.I /usr/share/cups/mime/mime.types
.I /etc/cups/printers.conf
+.I /etc/cups/subscriptions.conf
.fi
.SH CONFORMING TO
.B cupsd
diff --git a/scheduler/conf.c b/scheduler/conf.c
index 5da2249c90..a07baaa450 100644
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -1299,6 +1299,7 @@ cupsdReadConfiguration(void)
cupsdAddString(&(p->job_attrs), "job-name");
cupsdAddString(&(p->job_attrs), "job-originating-host-name");
cupsdAddString(&(p->job_attrs), "job-originating-user-name");
+ cupsdAddString(&(p->job_attrs), "phone");
cupsdLogMessage(CUPSD_LOG_INFO, "SubscriptionPrivateAccess default");
cupsdAddString(&(p->sub_access), "@OWNER");