[cups-devel] CUPS running on alternative port and alternative domain socket: Access via localhost restricted

Till Kamppeter till.kamppeter at gmail.com
Tue Oct 11 19:57:11 PDT 2016


Hi,

I have an Ubuntu system and run 2 CUPS daemons on it simultaneously.

The first one is the standard one from Ubuntu, using port 631 and the 
domain socket /var/run/cups/cups.sock. Commands and applications talk to 
this daemon if no special parameters are supplied. It is running 
permanently due to the fact that it is sharing printers.

The second one is running on port 10631 and uses the domain socket 
/var/snap/cups/x1/var/run/cups.sock. This second daemon is installed via 
a so-called snap, a container-based package format which allows 
distribution-independent packages (http://snapcraft.io/create/). To talk 
to this CUPS daemon one has to supply "-h localhost:10631" or "-h 
/var/snap/cups/x1/var/run/cups.sock" to the command lines of the CUPS 
command line tools. The web interface has the URL "http://localhost:10631".

The first CUPS daemon works perfectly well, including its cups-browsed.

Of the second CUPS daemon the web interface works correctly and all 
read-only operations with CUPS' command line tools work correctly, both 
with "-h localhost:10631" and with "-h 
/var/snap/cups/x1/var/run/cups.sock". But if one issues a command which 
changes something in the system, like cancelling jobs or creating print 
queues, this works only with "-h /var/snap/cups/x1/var/run/cups.sock" 
and not with "-h localhost:10631". Also, to make cups-browsed work 
with this CUPS daemon one needs to make it use the domain socket and not 
localhost:10631 (note that cups-browsed creates queues). If you try to 
do these operations which change something via localhost:10631 you are 
asked for your password and if you do them as root (via "sudo") you are 
asked for the password of root. With the domain socket the very same 
operations get simply done (user is in "lpadmin" group).

This means that an operation through "localhost:10631" needs the 
password from any user but the very same operation via domain socket 
needs no password. And the very standard cupsd on port 631 does not need 
the password in either case.

Is there perhaps something wrong in the configurations? Or is this a bug 
in CUPS?

Below are the config files of the two daemons.

    Till

----------

cups-files.conf of first daemon (port 631):

#FatalErrors config
#SyncOnClose Yes
#User lp
#Group lp
SystemGroup lpadmin
#RemoteRoot remroot
FileDevice Yes
#ConfigFilePerm 0640
#LogFilePerm 00640
AccessLog /var/log/cups/access_log
#CacheDir /var/cache/cups
#DataDir /usr/share/cups
#DocumentRoot /usr/share/cups/doc-root
ErrorLog /var/log/cups/error_log
#FontPath /usr/share/cups/fonts
#LPDConfigFile
PageLog /var/log/cups/page_log
#Printcap /var/run/cups/printcap
#PrintcapFormat bsd
#PrintcapFormat plist
#PrintcapFormat solaris
#RequestRoot /var/spool/cups
#ServerBin /usr/lib/cups
#ServerKeychain ssl
#ServerRoot /etc/cups
#SMBConfigFile
#StateDir /var/run/cups
#TempDir /var/spool/cups/tmp

----------

cupsd.conf of first daemon (port 631):

LogLevel debug2
MaxLogSize 0
Port 631
Listen /var/run/cups/cups.sock
Browsing On
BrowseLocalProtocols dnssd
DefaultAuthType Basic
WebInterface Yes
<Location />
   Order allow,deny
   Allow @LOCAL
</Location>
<Location /admin>
   Order allow,deny
</Location>
<Location /admin/conf>
   AuthType Default
   Require user @SYSTEM
   Order allow,deny
</Location>
<Policy default>
   JobPrivateAccess default
   JobPrivateValues default
   SubscriptionPrivateAccess default
   SubscriptionPrivateValues default
   <Limit Create-Job Print-Job Print-URI Validate-Job>
     Order deny,allow
   </Limit>
   <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
     Require user @OWNER @SYSTEM
     Order deny,allow
   </Limit>
   <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
     AuthType Default
     Require user @SYSTEM
     Order deny,allow
   </Limit>
   <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
     AuthType Default
     Require user @SYSTEM
     Order deny,allow
   </Limit>
   <Limit Cancel-Job CUPS-Authenticate-Job>
     Require user @OWNER @SYSTEM
     Order deny,allow
   </Limit>
   <Limit All>
     Order deny,allow
   </Limit>
</Policy>
<Policy authenticated>
   JobPrivateAccess default
   JobPrivateValues default
   SubscriptionPrivateAccess default
   SubscriptionPrivateValues default
   <Limit Create-Job Print-Job Print-URI Validate-Job>
     AuthType Default
     Order deny,allow
   </Limit>
   <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
     AuthType Default
     Require user @OWNER @SYSTEM
     Order deny,allow
   </Limit>
   <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
     AuthType Default
     Require user @SYSTEM
     Order deny,allow
   </Limit>
   <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
     AuthType Default
     Require user @SYSTEM
     Order deny,allow
   </Limit>
   <Limit Cancel-Job CUPS-Authenticate-Job>
     AuthType Default
     Require user @OWNER @SYSTEM
     Order deny,allow
   </Limit>
   <Limit All>
     Order deny,allow
   </Limit>
</Policy>

----------

cups-files.conf of second daemon (port 10631):

#FatalErrors config
#SyncOnClose No
#User lp
#Group lp
SystemGroup lpadmin sys root
#RemoteRoot remroot
#FileDevice No
#ConfigFilePerm 0640
#LogFilePerm 0644
AccessLog /var/snap/cups/x2/var/log/access_log
CacheDir /var/snap/cups/x2/var/cache
DataDir /snap/cups/x2/usr/share/cups
DocumentRoot /snap/cups/x2/usr/share/doc/cups
ErrorLog /var/snap/cups/x2/var/log/error_log
FontPath /snap/cups/x2/usr/share/cups/fonts
#LPDConfigFile
PageLog /var/snap/cups/x2/var/log/page_log
Printcap /var/snap/cups/x2/etc/printcap
#PrintcapFormat bsd
#PrintcapFormat plist
#PrintcapFormat solaris
RequestRoot /var/snap/cups/x2/var/spool
ServerBin /snap/cups/x2/usr/lib/cups
#ServerKeychain ssl
ServerRoot /var/snap/cups/x2/etc
#SMBConfigFile
StateDir /var/snap/cups/x2/var/run
TempDir /var/snap/cups/x2/var/spool/tmp

----------

cupsd.conf of second daemon (port 10631):

Listen /var/snap/cups/x2/var/run/cups.sock
Port 10631
LogLevel debug
PageLogFormat
Browsing On
BrowseLocalProtocols dnssd
DefaultAuthType Basic
WebInterface Yes
<Location />
   Order allow,deny
</Location>
<Location /admin>
   Order allow,deny
</Location>
<Location /admin/conf>
   AuthType Default
   Require user @SYSTEM
   Order allow,deny
</Location>
<Location /admin/log>
   AuthType Default
   Require user @SYSTEM
   Order allow,deny
</Location>
<Policy default>
   JobPrivateAccess default
   JobPrivateValues default
   SubscriptionPrivateAccess default
   SubscriptionPrivateValues default
   <Limit Create-Job Print-Job Print-URI Validate-Job>
     Order deny,allow
   </Limit>
   <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
     Require user @OWNER @SYSTEM
     Order deny,allow
   </Limit>
   <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
     AuthType Default
     Require user @SYSTEM
     Order deny,allow
   </Limit>
   <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
     AuthType Default
     Require user @SYSTEM
     Order deny,allow
   </Limit>
   <Limit Cancel-Job CUPS-Authenticate-Job>
     Require user @OWNER @SYSTEM
     Order deny,allow
   </Limit>
   <Limit All>
     Order deny,allow
   </Limit>
</Policy>
<Policy authenticated>
   JobPrivateAccess default
   JobPrivateValues default
   SubscriptionPrivateAccess default
   SubscriptionPrivateValues default
   <Limit Create-Job Print-Job Print-URI Validate-Job>
     AuthType Default
     Order deny,allow
   </Limit>
   <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
     AuthType Default
     Require user @OWNER @SYSTEM
     Order deny,allow
   </Limit>
   <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
     AuthType Default
     Require user @SYSTEM
     Order deny,allow
   </Limit>
   <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
     AuthType Default
     Require user @SYSTEM
     Order deny,allow
   </Limit>
   <Limit Cancel-Job CUPS-Authenticate-Job>
     AuthType Default
     Require user @OWNER @SYSTEM
     Order deny,allow
   </Limit>
   <Limit All>
     Order deny,allow
   </Limit>
</Policy>

----------
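
One way to check whether the two cupsd.conf files differ in their access rules is to compare them scope by scope rather than by eye. The script below is an added example, not part of the original post and not CUPS code; the function names are hypothetical, and the two inputs are constructed, abbreviated excerpts of the cupsd.conf files quoted above.

```python
def scopes(stack):
    """Names a directive applies to; a <Limit> expands to one scope per IPP operation."""
    if not stack:
        return ["(global)"]
    kind, args = stack[-1]
    if kind == "Limit" and len(stack) > 1:
        return [f"{stack[-2][0]} {stack[-2][1][0]} / {op}" for op in args]
    return [f"{kind} {' '.join(args)}"]

def parse_cupsd_conf(text):
    """Map each scope (global, Location, Policy, Policy/operation) to its directives."""
    rules, stack, pending = {}, [], ""
    for raw in text.splitlines():
        line = f"{pending} {raw.strip()}".strip()
        pending = ""
        if line.startswith("<") and ">" not in line:  # tag wrapped by a mail client
            pending = line
        elif line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            kind, *args = line[1:-1].split()
            stack.append((kind, args))
        elif line and not line.startswith("#"):
            for scope in scopes(stack):
                rules.setdefault(scope, set()).add(" ".join(line.split()))
    return rules

def diff_rules(a, b):
    """Return {scope: (only_in_a, only_in_b)} for every scope that differs."""
    return {s: (sorted(a.get(s, set()) - b.get(s, set())),
                sorted(b.get(s, set()) - a.get(s, set())))
            for s in sorted(set(a) | set(b)) if a.get(s) != b.get(s)}

# Constructed, abbreviated excerpts of the two cupsd.conf files quoted above.
COMMON = """<Policy default>
   <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer
CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
     AuthType Default
     Require user @SYSTEM
     Order deny,allow
   </Limit>
</Policy>
"""
FIRST = "Port 631\n<Location />\n   Order allow,deny\n   Allow @LOCAL\n</Location>\n" + COMMON
SECOND = "Port 10631\n<Location />\n   Order allow,deny\n</Location>\n" + COMMON

if __name__ == "__main__":
    for scope, (a, b) in diff_rules(parse_cupsd_conf(FIRST), parse_cupsd_conf(SECOND)).items():
        print(f"{scope}: first only {a}, second only {b}")
```

On these excerpts the per-operation policy rules compare equal, and the reported differences are the `Port` line and the `Allow @LOCAL` line that appears only in the first daemon's `<Location />`.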


