[cups.development] [RFE] STR #2399: Require user @CONSOLE
twaugh.redhat
twaugh at redhat.com
Mon May 28 04:48:40 PDT 2007
DO NOT REPLY TO THIS MESSAGE. INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.
[STR New]
I would like console users to be able to perform system administration for
CUPS using a program that makes use of the CUPS API. The object is to
allow any user logged in at the console to (for instance) add a printer,
but to disallow that action to users not logged in at the console (except
root).
PAM has a pam_console.so module which I thought might be helpful, but in
fact I can't see an easy way to use it with the current CUPS code, other
than having the entire client program run as root. There are two ways I
can see to achieve what I want:
1. Add 'Require user @CONSOLE' syntax to the CUPS scheduler, with the
implementation being to check whether the authenticated user name matches
that in /var/run/console/console.lock (this is where PAM stores the
console user name). The client program would authenticate as the real
user name of the current user.
~or~
2. Modify the CUPS API to allow the caller to provide a certificate. The
client program would authenticate as 'root' and provide the
/var/run/cups/certs/0 certificate via a helper program.
Option 1 has the benefit that the lpadmin program would do the right
thing.
Link: http://www.cups.org/str.php?L2399
Version: -feature
More information about the cups-devel
mailing list