[cups.bugs] [LOW] STR #1176: Cancel any job via web-frontend seems
jsmeix.suse
jsmeix at suse.de
Tue May 10 13:23:03 PDT 2005
[STR New]
On the one hand any user is allowed to cancel any job via command line
cancel -u <job-owner> <queue>-<job-id>
(in particular with "-u root" there is no need to care about user names).
On the other hand it seems to be a bit awkward when the same should
be allowed via web-frontend.
At least it seems
<Location /jobs>
....
Allow From @LOCAL
Satisfy any
</Location>
does no longer work.
If I remember correctly this has worked in one of the previous CUPS
versions.
But now it results "client-error-forbidden" and in error_log there is:
cancel_job: "user1" not authorized to delete job id 123 owned by "user2"!
I tried a workaround by using explicite autentification:
<Location /jobs>
AuthType BasicDigest
AuthClass User
</Location>
and put a user into CUPS's system group:
lppasswd -g sys -a <user>
But this fails too with the same error messages as above.
This is strange because this <user> can create or remove
queues via web-interface but cancelling jobs is forbidden.
I think the users which belong to CUPS's system group
should be allowed to do anything.
It seems it works (only?) for the group "lp" - i.e.:
after adding all users (except "root") to the CUPS group "lp" by
lppasswd -g lp -a <user1>
lppasswd -g lp -a <user2>
....
any user can cancel any job but authentication is required
in any case (even for the "cancel" command).
By default we use
User lp
Group lp
RunAsUser Yes
but I got the same results when I disabled it and let cupsd run as root.
Link: http://www.cups.org/str.php?L1176
Version: 1.1.23
More information about the cups-devel
mailing list