Access forbidden to admin functions with web interface
Roger Leigh
rleigh at whinlatter.ukfsn.org
Fri Oct 1 13:31:15 PDT 2004
Hello,
I'm using Debian GNU/Linux unstable with CUPS 1.1.21rc1. I've found a
problem when trying to allow remote administration of the server.
I've allowed access from localhost and a certain DNS domain (with DNS
lookups enabled); while I can access /admin from the localhost and any
other machine on the network or via PPP, I can't access it from the
server itself while calling it by its hostname (rather than
localhost).
For example (the machine name is "master.epic-client"):
w3m http://localhost:631/admin [works]
w3m http://master.epic-client:631/admin and
w3m http://master:631/admin [works when used on other machines on
the network, but not when used on master itself]
The server also runs ISC bind9 and ISC dhcpd3 with dynamic DNS.
This is what I see in error log:
[this is connecting to "master" from master, which fails. Notice that
the domain name "epic-client" is missing, which does not occur when
connecting from remote machines]
d [01/Oct/2004:19:22:22 +0100] AcceptClient(lis=0x808c2f0) 0 NumClients = 0
D [01/Oct/2004:19:22:22 +0100] AcceptClient: 5 from master:631.
d [01/Oct/2004:19:22:22 +0100] AcceptClient: Adding fd 5 to InputSet...
d [01/Oct/2004:19:22:23 +0100] select_timeout: 15 seconds to send browse update
d [01/Oct/2004:19:22:32 +0100] ReadClient: 5, used=0, file=-1
D [01/Oct/2004:19:22:32 +0100] ReadClient: 5 GET /admin HTTP/1.0
d [01/Oct/2004:19:22:32 +0100] decode_auth(0x40305008): Authorization string = ""
d [01/Oct/2004:19:22:32 +0100] decode_auth: 5 username=""
d [01/Oct/2004:19:22:32 +0100] IsAuthorized: con->uri = "/admin"
d [01/Oct/2004:19:22:32 +0100] FindBest: uri = "/admin"...
d [01/Oct/2004:19:22:32 +0100] FindBest: Location / Limit 7f
d [01/Oct/2004:19:22:32 +0100] FindBest: Location /jobs Limit 7f
d [01/Oct/2004:19:22:32 +0100] FindBest: Location /admin Limit 7f
d [01/Oct/2004:19:22:32 +0100] FindBest: best = "/admin"
d [01/Oct/2004:19:22:32 +0100] IsAuthorized: auth = 1, satisfy=0...
d [01/Oct/2004:19:22:32 +0100] ReadClient: Unauthorized request for /admin...
D [01/Oct/2004:19:22:32 +0100] SendError: 5 code=403 (Forbidden)
D [01/Oct/2004:19:22:32 +0100] CloseClient: 5
d [01/Oct/2004:19:22:32 +0100] CloseClient: Removing fd 5 from InputSet and OutputSet...
[this is connecting directly to "localhost", which succeeds]
d [01/Oct/2004:19:21:41 +0100] AcceptClient(lis=0x808c2f0) 0 NumClients = 0
D [01/Oct/2004:19:21:41 +0100] AcceptClient: 5 from localhost:631.
d [01/Oct/2004:19:21:41 +0100] AcceptClient: Adding fd 5 to InputSet...
d [01/Oct/2004:19:21:41 +0100] ReadClient: 5, used=0, file=-1
D [01/Oct/2004:19:21:41 +0100] ReadClient: 5 GET /admin HTTP/1.0
d [01/Oct/2004:19:21:41 +0100] decode_auth(0x40305008): Authorization string = "Basic cm9vdDo2MjU3bGU="
d [01/Oct/2004:19:21:41 +0100] decode_auth: 5 username="root"
d [01/Oct/2004:19:21:41 +0100] IsAuthorized: con->uri = "/admin"
d [01/Oct/2004:19:21:41 +0100] FindBest: uri = "/admin"...
d [01/Oct/2004:19:21:41 +0100] FindBest: Location / Limit 7f
d [01/Oct/2004:19:21:41 +0100] FindBest: Location /jobs Limit 7f
d [01/Oct/2004:19:21:41 +0100] FindBest: Location /admin Limit 7f
d [01/Oct/2004:19:21:41 +0100] FindBest: best = "/admin"
d [01/Oct/2004:19:21:41 +0100] IsAuthorized: auth = 0, satisfy=0...
d [01/Oct/2004:19:21:41 +0100] IsAuthorized: username = "root" password = 6 chars
d [01/Oct/2004:19:21:41 +0100] IsAuthorized: Checking "root", address = 7f000001, hostname = "localhost"
d [01/Oct/2004:19:21:41 +0100] argv[0] = "admin.cgi"
d [01/Oct/2004:19:21:41 +0100] envp[0] = "PATH=/bin:/usr/bin"
d [01/Oct/2004:19:21:41 +0100] envp[1] = "SERVER_SOFTWARE=CUPS/1.1"
d [01/Oct/2004:19:21:41 +0100] envp[2] = "GATEWAY_INTERFACE=CGI/1.1"
d [01/Oct/2004:19:21:41 +0100] envp[3] = "SERVER_PROTOCOL=HTTP/1.0"
d [01/Oct/2004:19:21:41 +0100] envp[4] = "REDIRECT_STATUS=1"
d [01/Oct/2004:19:21:41 +0100] envp[5] = "CUPS_SERVER=localhost"
d [01/Oct/2004:19:21:41 +0100] envp[6] = "IPP_PORT=631"
d [01/Oct/2004:19:21:41 +0100] envp[7] = "SERVER_NAME=localhost"
d [01/Oct/2004:19:21:41 +0100] envp[8] = "SERVER_PORT=631"
d [01/Oct/2004:19:21:41 +0100] envp[9] = "REMOTE_ADDR=127.0.0.1"
d [01/Oct/2004:19:21:41 +0100] envp[10] = "REMOTE_HOST=localhost"
d [01/Oct/2004:19:21:41 +0100] envp[11] = "REMOTE_USER=root"
d [01/Oct/2004:19:21:41 +0100] envp[12] = "LANG=en.ISO8859-15"
d [01/Oct/2004:19:21:41 +0100] envp[13] = "TZ=Europe/London"
d [01/Oct/2004:19:21:41 +0100] envp[14] = "TMPDIR=/var/spool/cups/tmp"
d [01/Oct/2004:19:21:41 +0100] envp[15] = "CUPS_DATADIR=/usr/share/cups"
d [01/Oct/2004:19:21:41 +0100] envp[16] = "CUPS_SERVERROOT=/etc/cups"
d [01/Oct/2004:19:21:41 +0100] envp[17] = "HTTP_USER_AGENT=w3m/0.5.1"
d [01/Oct/2004:19:21:41 +0100] envp[18] = "SCRIPT_NAME=/admin"
d [01/Oct/2004:19:21:41 +0100] envp[19] = "REQUEST_METHOD=GET"
d [01/Oct/2004:19:21:41 +0100] AddCert: adding certificate for pid 2262
D [01/Oct/2004:19:21:41 +0100] CGI /usr/lib/cups/cgi-bin/admin.cgi started - PID = 2262
I [01/Oct/2004:19:21:41 +0100] Started "/usr/lib/cups/cgi-bin/admin.cgi" (pid=2262)
I hope this is a simple configuration error on my part, but I've not
been able to find a solution to this. I've included the configuration
information below that I thought would be appropriate; I can supply
any more detail required.
Perhaps CUPS is only considering the hostname as opposed to the FQDN
in this situation?
This is my cupsd.conf, with all comments removed:
LogLevel debug2
Printcap /var/run/cups/printcap
Port 631
HostNameLookups On
Browsing On
BrowseProtocols cups
BrowseAddress @LOCAL
BrowseShortNames Yes
#BrowseDeny All
#BrowseAllow @IF(eth0)
ImplicitClasses Off
<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From @LOCAL
Allow From *.epic-client
</Location>
<Location /jobs>
</Location>
<Location /admin>
AuthType Basic
AuthClass System
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From *.epic-client
#Encryption Required
</Location>
These are my network settings:
[/etc/hostname]
master
[/etc/hosts]
127.0.0.1 localhost
192.168.0.1 master.epic-client master
::1 ip6-localhost ip6-loopback
[/etc/nsswitch.conf]
hosts: files dns
networks: files
protocols: db files
services: db files
rpc: db files
[/etc/resolv.conf, using local nameserver]
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search epic-client
Name server information:
master:~# cat /var/cache/bind/db.epic_client
$ORIGIN .
$TTL 86400 ; 1 day
epic-client IN SOA epic-client. root.epic-client. (
7 ; serial
604800 ; refresh (1 week)
86400 ; retry (1 day)
2419200 ; expire (4 weeks)
86400 ; minimum (1 day)
)
NS dns.epic-client.
$ORIGIN epic-client.
dialup CNAME dialup-0
dialup-0 A 192.168.0.150
dns CNAME master
master A 192.168.0.1
ppp CNAME ppp-0
ppp-0 A 192.168.0.151
master:~# cat /var/cache/bind/db.192.168.0
$ORIGIN .
$TTL 86400 ; 1 day
0.168.192.in-addr.arpa IN SOA epic_client. root.epic_client. (
5 ; serial
604800 ; refresh (1 week)
86400 ; retry (1 day)
2419200 ; expire (4 weeks)
86400 ; minimum (1 day)
)
NS dns.epic-client.
$ORIGIN 0.168.192.in-addr.arpa.
1 PTR master.epic-client.
150 PTR dialup-0.epic-client.
151 PTR ppp-0.epic-client.
This is testing the DNS is working:
master:~# host master
master.epic-client has address 192.168.0.1
master:~# host 192.168.0.1
1.0.168.192.in-addr.arpa domain name pointer master.epic-client.
master:~# nslookup master
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: master.epic-client
Address: 192.168.0.1
master:~# nslookup 192.168.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53
1.0.168.192.in-addr.arpa name = master.epic-client.
roger at master:~$ ping master
PING master.epic-client (192.168.0.1) 56(84) bytes of data.
64 bytes from master.epic-client (192.168.0.1): icmp_seq=1 ttl=64 time=0.138 ms
64 bytes from master.epic-client (192.168.0.1): icmp_seq=2 ttl=64 time=0.100 ms
--- master.epic-client ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.100/0.119/0.138/0.019 ms
roger at master:~$ ping master.epic-client
PING master.epic-client (192.168.0.1) 56(84) bytes of data.
64 bytes from master.epic-client (192.168.0.1): icmp_seq=1 ttl=64 time=0.106 ms
64 bytes from master.epic-client (192.168.0.1): icmp_seq=2 ttl=64 time=0.101 ms
--- master.epic-client ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.101/0.103/0.106/0.010 ms
This looks like it's functioning properly. It also works for all of
the dynamic IPs (not shown here, because they are not switched on). I
can access /admin using all of the dynamic IPs, and the static IPs
used over a PPP connection (mgetty/pppd).
Many thanks,
Roger
--
Roger Leigh
Printing on GNU/Linux? http://gimp-print.sourceforge.net/
GPG Public Key: 0x25BFB848. Please sign and encrypt your mail.
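An added example, not part of Roger's post nor CUPS's own code: a small model of how the `Order`/`Deny From`/`Allow From` rules in the `/admin` Location above are evaluated against a client's address and its reverse-resolved hostname. It shows why a client that resolves only to the bare name `master` cannot satisfy `Allow From *.epic-client` while `master.epic-client` and `127.0.0.1` can, and why hostname patterns depend entirely on what reverse lookup returns. The `@LOCAL` handling is a simplification assumed for this demo.

```python
import fnmatch
import ipaddress

# Constructed input: the /admin Location from the cupsd.conf in the post.
ADMIN_LOCATION = """
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From *.epic-client
"""


def parse_rules(text):
    """Return (order, deny_patterns, allow_patterns) from a Location body."""
    order, deny, allow = "Deny,Allow", [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "Order":
            order = parts[1]
        elif parts[0] == "Deny" and parts[1] == "From":
            deny.append(parts[2])
        elif parts[0] == "Allow" and parts[1] == "From":
            allow.append(parts[2])
    return order, deny, allow


def matches(pattern, addr, hostname):
    """Match one Allow/Deny pattern against an address and reverse name."""
    p = pattern.lower()
    if p == "all":
        return True
    if p == "@local":
        # Assumption for this demo: loopback or RFC 1918 counts as local.
        return ipaddress.ip_address(addr).is_private
    try:
        # Address or CIDR pattern: compare by IP, independent of DNS.
        return ipaddress.ip_address(addr) in ipaddress.ip_network(p, strict=False)
    except ValueError:
        # Name pattern such as *.epic-client: only the reverse-resolved
        # hostname can satisfy it, so a bare "master" never matches.
        return hostname is not None and fnmatch.fnmatchcase(hostname.lower(), p)


def is_allowed(rules, addr, hostname=None):
    order, deny, allow = rules
    denied = any(matches(d, addr, hostname) for d in deny)
    allowed = any(matches(a, addr, hostname) for a in allow)
    if order.lower() == "deny,allow":
        return allowed or not denied   # Deny first, Allow overrides
    return allowed and not denied      # Allow first, Deny overrides
```

Because the name-based rule is only as reliable as reverse DNS, an address or network rule (for example the `@LOCAL` already used in the `/` Location) is the more robust way to grant the server's own LAN address access.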