Access forbidden to admin functions with web interface

Roger Leigh rleigh at whinlatter.ukfsn.org
Fri Oct 1 13:31:15 PDT 2004


Hello,

I'm using Debian GNU/Linux unstable with CUPS 1.1.21rc1.  I've found a
problem when trying to allow remote administration of the server.
I've allowed access from localhost and a certain DNS domain (with DNS
lookups enabled); while I can access /admin from the localhost and any
other machine on the network or via PPP, I can't access it from the
server itself while calling it by its hostname (rather than
localhost).

For example (the machine name is "master.epic-client"):

w3m http://localhost:631/admin   [works]
w3m http://master.epic-client:631/admin  and
w3m http://master:631/admin      [works when used on other machines on
                        the network, but not when used on master itself]

The server also runs ISC bind9 and ISC dhcpd3 with dynamic DNS.

This is what I see in error log:
[this is connecting to "master" from master, which fails.  Notice that
the domain name "epic-client" is missing, which does not occur when
connecting from remote machines]

d [01/Oct/2004:19:22:22 +0100] AcceptClient(lis=0x808c2f0) 0 NumClients = 0
D [01/Oct/2004:19:22:22 +0100] AcceptClient: 5 from master:631.
d [01/Oct/2004:19:22:22 +0100] AcceptClient: Adding fd 5 to InputSet...
d [01/Oct/2004:19:22:23 +0100] select_timeout: 15 seconds to send browse update
d [01/Oct/2004:19:22:32 +0100] ReadClient: 5, used=0, file=-1
D [01/Oct/2004:19:22:32 +0100] ReadClient: 5 GET /admin HTTP/1.0
d [01/Oct/2004:19:22:32 +0100] decode_auth(0x40305008): Authorization string = ""
d [01/Oct/2004:19:22:32 +0100] decode_auth: 5 username=""
d [01/Oct/2004:19:22:32 +0100] IsAuthorized: con->uri = "/admin"
d [01/Oct/2004:19:22:32 +0100] FindBest: uri = "/admin"...
d [01/Oct/2004:19:22:32 +0100] FindBest: Location / Limit 7f
d [01/Oct/2004:19:22:32 +0100] FindBest: Location /jobs Limit 7f
d [01/Oct/2004:19:22:32 +0100] FindBest: Location /admin Limit 7f
d [01/Oct/2004:19:22:32 +0100] FindBest: best = "/admin"
d [01/Oct/2004:19:22:32 +0100] IsAuthorized: auth = 1, satisfy=0...
d [01/Oct/2004:19:22:32 +0100] ReadClient: Unauthorized request for /admin...
D [01/Oct/2004:19:22:32 +0100] SendError: 5 code=403 (Forbidden)
D [01/Oct/2004:19:22:32 +0100] CloseClient: 5
d [01/Oct/2004:19:22:32 +0100] CloseClient: Removing fd 5 from InputSet and OutputSet...

[this is connecting directly to "localhost", which succeeds]

d [01/Oct/2004:19:21:41 +0100] AcceptClient(lis=0x808c2f0) 0 NumClients = 0
D [01/Oct/2004:19:21:41 +0100] AcceptClient: 5 from localhost:631.
d [01/Oct/2004:19:21:41 +0100] AcceptClient: Adding fd 5 to InputSet...
d [01/Oct/2004:19:21:41 +0100] ReadClient: 5, used=0, file=-1
D [01/Oct/2004:19:21:41 +0100] ReadClient: 5 GET /admin HTTP/1.0
d [01/Oct/2004:19:21:41 +0100] decode_auth(0x40305008): Authorization string = "Basic cm9vdDo2MjU3bGU="
d [01/Oct/2004:19:21:41 +0100] decode_auth: 5 username="root"
d [01/Oct/2004:19:21:41 +0100] IsAuthorized: con->uri = "/admin"
d [01/Oct/2004:19:21:41 +0100] FindBest: uri = "/admin"...
d [01/Oct/2004:19:21:41 +0100] FindBest: Location / Limit 7f
d [01/Oct/2004:19:21:41 +0100] FindBest: Location /jobs Limit 7f
d [01/Oct/2004:19:21:41 +0100] FindBest: Location /admin Limit 7f
d [01/Oct/2004:19:21:41 +0100] FindBest: best = "/admin"
d [01/Oct/2004:19:21:41 +0100] IsAuthorized: auth = 0, satisfy=0...
d [01/Oct/2004:19:21:41 +0100] IsAuthorized: username = "root" password = 6 chars
d [01/Oct/2004:19:21:41 +0100] IsAuthorized: Checking "root", address = 7f000001, hostname = "localhost"
d [01/Oct/2004:19:21:41 +0100] argv[0] = "admin.cgi"
d [01/Oct/2004:19:21:41 +0100] envp[0] = "PATH=/bin:/usr/bin"
d [01/Oct/2004:19:21:41 +0100] envp[1] = "SERVER_SOFTWARE=CUPS/1.1"
d [01/Oct/2004:19:21:41 +0100] envp[2] = "GATEWAY_INTERFACE=CGI/1.1"
d [01/Oct/2004:19:21:41 +0100] envp[3] = "SERVER_PROTOCOL=HTTP/1.0"
d [01/Oct/2004:19:21:41 +0100] envp[4] = "REDIRECT_STATUS=1"
d [01/Oct/2004:19:21:41 +0100] envp[5] = "CUPS_SERVER=localhost"
d [01/Oct/2004:19:21:41 +0100] envp[6] = "IPP_PORT=631"
d [01/Oct/2004:19:21:41 +0100] envp[7] = "SERVER_NAME=localhost"
d [01/Oct/2004:19:21:41 +0100] envp[8] = "SERVER_PORT=631"
d [01/Oct/2004:19:21:41 +0100] envp[9] = "REMOTE_ADDR=127.0.0.1"
d [01/Oct/2004:19:21:41 +0100] envp[10] = "REMOTE_HOST=localhost"
d [01/Oct/2004:19:21:41 +0100] envp[11] = "REMOTE_USER=root"
d [01/Oct/2004:19:21:41 +0100] envp[12] = "LANG=en.ISO8859-15"
d [01/Oct/2004:19:21:41 +0100] envp[13] = "TZ=Europe/London"
d [01/Oct/2004:19:21:41 +0100] envp[14] = "TMPDIR=/var/spool/cups/tmp"
d [01/Oct/2004:19:21:41 +0100] envp[15] = "CUPS_DATADIR=/usr/share/cups"
d [01/Oct/2004:19:21:41 +0100] envp[16] = "CUPS_SERVERROOT=/etc/cups"
d [01/Oct/2004:19:21:41 +0100] envp[17] = "HTTP_USER_AGENT=w3m/0.5.1"
d [01/Oct/2004:19:21:41 +0100] envp[18] = "SCRIPT_NAME=/admin"
d [01/Oct/2004:19:21:41 +0100] envp[19] = "REQUEST_METHOD=GET"
d [01/Oct/2004:19:21:41 +0100] AddCert: adding certificate for pid 2262
D [01/Oct/2004:19:21:41 +0100] CGI /usr/lib/cups/cgi-bin/admin.cgi started - PID = 2262
I [01/Oct/2004:19:21:41 +0100] Started "/usr/lib/cups/cgi-bin/admin.cgi" (pid=2262)


I hope this is a simple configuration error on my part, but I've not
been able to find a solution to this.  I've included the configuration
information below that I thought would be appropriate; I can supply
any more detail required.

Perhaps CUPS is only considering the hostname as opposed to the FQDN
in this situation?


This is my cupsd.conf, with all comments removed:
LogLevel debug2
Printcap /var/run/cups/printcap

Port 631
HostNameLookups On

Browsing On
BrowseProtocols cups
BrowseAddress @LOCAL
BrowseShortNames Yes

#BrowseDeny All
#BrowseAllow @IF(eth0)

ImplicitClasses Off

<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From @LOCAL
Allow From *.epic-client
</Location>

<Location /jobs>
</Location>

<Location /admin>
AuthType Basic
AuthClass System
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From *.epic-client
#Encryption Required
</Location>


These are my network settings:

[/etc/hostname]
master

[/etc/hosts]
127.0.0.1	localhost
192.168.0.1     master.epic-client master
::1     ip6-localhost ip6-loopback

[/etc/nsswitch.conf]
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
rpc:            db files

[/etc/resolv.conf, using local nameserver]
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search epic-client

Name server information:

master:~# cat /var/cache/bind/db.epic_client
$ORIGIN .
$TTL 86400	; 1 day
epic-client		IN SOA	epic-client. root.epic-client. (
				7          ; serial
				604800     ; refresh (1 week)
				86400      ; retry (1 day)
				2419200    ; expire (4 weeks)
				86400      ; minimum (1 day)
				)
			NS	dns.epic-client.
$ORIGIN epic-client.
dialup			CNAME	dialup-0
dialup-0		A	192.168.0.150
dns			CNAME	master
master			A	192.168.0.1
ppp			CNAME	ppp-0
ppp-0			A	192.168.0.151

master:~# cat /var/cache/bind/db.192.168.0
$ORIGIN .
$TTL 86400	; 1 day
0.168.192.in-addr.arpa	IN SOA	epic_client. root.epic_client. (
				5          ; serial
				604800     ; refresh (1 week)
				86400      ; retry (1 day)
				2419200    ; expire (4 weeks)
				86400      ; minimum (1 day)
				)
			NS	dns.epic-client.
$ORIGIN 0.168.192.in-addr.arpa.
1			PTR	master.epic-client.
150			PTR	dialup-0.epic-client.
151			PTR	ppp-0.epic-client.


This is testing the DNS is working:
master:~# host master
master.epic-client has address 192.168.0.1

master:~# host 192.168.0.1
1.0.168.192.in-addr.arpa domain name pointer master.epic-client.

master:~# nslookup master
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:	master.epic-client
Address: 192.168.0.1

master:~# nslookup 192.168.0.1
Server:		127.0.0.1
Address:	127.0.0.1#53

1.0.168.192.in-addr.arpa	name = master.epic-client.

roger at master:~$ ping master
PING master.epic-client (192.168.0.1) 56(84) bytes of data.
64 bytes from master.epic-client (192.168.0.1): icmp_seq=1 ttl=64 time=0.138 ms
64 bytes from master.epic-client (192.168.0.1): icmp_seq=2 ttl=64 time=0.100 ms

--- master.epic-client ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.100/0.119/0.138/0.019 ms
roger at master:~$ ping master.epic-client
PING master.epic-client (192.168.0.1) 56(84) bytes of data.
64 bytes from master.epic-client (192.168.0.1): icmp_seq=1 ttl=64 time=0.106 ms
64 bytes from master.epic-client (192.168.0.1): icmp_seq=2 ttl=64 time=0.101 ms

--- master.epic-client ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.101/0.103/0.106/0.010 ms



This looks like it's functioning properly.  It also works for all of
the dynamic IPs (not shown here, because they are not switched on).  I
can access /admin using all of the dynamic IPs, and the static IPs
used over a PPP connection (mgetty/pppd).


Many thanks,
Roger

-- 
Roger Leigh

                Printing on GNU/Linux?  http://gimp-print.sourceforge.net/
                GPG Public Key: 0x25BFB848.  Please sign and encrypt your mail.
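Added illustration (not part of the original post, and not CUPS source code): a small Python model of how a cupsd <Location> block with Order Deny,Allow decides a request, run against the scenarios in the post. The point it makes visible is that a hostname-based rule such as "Allow From *.epic-client" is evaluated against whatever name the reverse lookup handed cupsd (the name in the AcceptClient log line), so "master" fails the suffix match while "master.epic-client" passes, and the request falls through to "Deny From All". The Order semantics, the "*.domain" suffix rule, and the networks standing in for @LOCAL are assumptions made for this demo.

```python
"""Model of CUPS-style <Location> Allow/Deny matching, added to illustrate the
post above.  This is NOT CUPS source: the Order semantics, the "*.domain"
suffix rule and the @LOCAL network list below are assumptions for the demo."""
import ipaddress
from dataclasses import dataclass

# Assumed: networks that "@LOCAL" stands for in this model (constructed).
LOCAL_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/24")]


@dataclass(frozen=True)
class Rule:
    action: str   # "Allow" or "Deny"
    pattern: str  # "All", an IP literal, "*.domain", or "@LOCAL"


def pattern_matches(pattern: str, addr: str, hostname: str) -> bool:
    """Does one Allow/Deny pattern match a client with this address and
    reverse-resolved hostname?  Hostnames are compared case-insensitively."""
    p = pattern.lower()
    host = hostname.lower().rstrip(".")
    if p == "all":
        return True
    if p == "@local":
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in LOCAL_NETWORKS)
    if p.startswith("*."):
        suffix = p[1:]                       # "*.epic-client" -> ".epic-client"
        # Needs at least one label before the suffix: "master.epic-client" yes,
        # bare "master" no, "epic-client" no.
        return host.endswith(suffix) and len(host) > len(suffix)
    try:
        return ipaddress.ip_address(addr) == ipaddress.ip_address(p)
    except ValueError:
        return host == p                     # plain hostname pattern


def decide(order: str, rules, addr: str, hostname: str):
    """Return (allowed, reason).  Assumed semantics: with "Deny,Allow" an Allow
    match wins over a Deny match and unmatched clients are allowed; with
    "Allow,Deny" a Deny match wins and unmatched clients are denied."""
    allow_hit = next((r for r in rules if r.action == "Allow"
                      and pattern_matches(r.pattern, addr, hostname)), None)
    deny_hit = next((r for r in rules if r.action == "Deny"
                     and pattern_matches(r.pattern, addr, hostname)), None)
    if order == "Deny,Allow":
        if allow_hit:
            return True, f"Allow From {allow_hit.pattern}"
        if deny_hit:
            return False, f"Deny From {deny_hit.pattern}"
        return True, "no rule matched (Deny,Allow default: allow)"
    if deny_hit:
        return False, f"Deny From {deny_hit.pattern}"
    if allow_hit:
        return True, f"Allow From {allow_hit.pattern}"
    return False, "no rule matched (Allow,Deny default: deny)"


# The <Location /admin> block from the post, expressed as rules.
ADMIN_RULES = (Rule("Deny", "All"),
               Rule("Allow", "127.0.0.1"),
               Rule("Allow", "*.epic-client"))


def admin_decision(addr: str, hostname: str):
    """Decision for /admin given the client address and the hostname cupsd
    logged in its AcceptClient line (the value the ACL actually compares)."""
    return decide("Deny,Allow", ADMIN_RULES, addr, hostname)


if __name__ == "__main__":
    # Constructed scenarios mirroring the post: the hostname is whatever the
    # reverse lookup handed cupsd, so the same IP can pass or fail.
    for addr, host in [("127.0.0.1", "localhost"),
                       ("192.168.0.150", "dialup-0.epic-client"),
                       ("192.168.0.1", "master"),
                       ("192.168.0.1", "master.epic-client")]:
        allowed, why = admin_decision(addr, host)
        print(f"{addr:15} {host:22} -> {'200' if allowed else '403'} ({why})")
```

Running the block prints one line per scenario; the third one (192.168.0.1 resolving to the bare name "master") is the 403 seen in the post's error_log, and the same address with the fully qualified name is allowed. From a defender's standpoint the model also shows why an address-based rule (an explicit IP, or @LOCAL) is the more robust way to admit the server itself: it does not depend on the reverse resolver returning a particular spelling of the name.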