Access forbidden to admin functions with web interface

Helge Blischke H.Blischke at srz-berlin.de
Sat Oct 2 04:17:44 PDT 2004


Try 
Allow From .epic-client
i.e. without the star. That is how it works for me.

Helge


Roger Leigh wrote:
> 
> Hello,
> 
> I'm using Debian GNU/Linux unstable with CUPS 1.1.21rc1.  I've found a
> problem when trying to allow remote administration of the server.
> I've allowed access from localhost and a certain DNS domain (with DNS
> lookups enabled); while I can access /admin from the localhost and any
> other machine on the network or via PPP, I can't access it from the
> server itself while calling it by its hostname (rather than
> localhost).
> 
> For example (the machine name is "master.epic-client"):
> 
> w3m http://localhost:631/admin   [works]
> w3m http://master.epic-client:631/admin  and
> w3m http://master:631/admin      [works when used on other machines on
>                         the network, but not when used on master itself]
> 
> The server also runs ISC bind9 and ISC dhcpd3 with dynamic DNS.
> 
> This is what I see in error log:
> [this is connecting to "master" from master, which fails.  Notice that
> the domain name "epic-client" is missing, which does not occur when
> connecting from remote machines]
> 
> d [01/Oct/2004:19:22:22 +0100] AcceptClient(lis=0x808c2f0) 0 NumClients = 0
> D [01/Oct/2004:19:22:22 +0100] AcceptClient: 5 from master:631.
> d [01/Oct/2004:19:22:22 +0100] AcceptClient: Adding fd 5 to InputSet...
> d [01/Oct/2004:19:22:23 +0100] select_timeout: 15 seconds to send browse update
> d [01/Oct/2004:19:22:32 +0100] ReadClient: 5, used=0, file=-1
> D [01/Oct/2004:19:22:32 +0100] ReadClient: 5 GET /admin HTTP/1.0
> d [01/Oct/2004:19:22:32 +0100] decode_auth(0x40305008): Authorization string = ""
> d [01/Oct/2004:19:22:32 +0100] decode_auth: 5 username=""
> d [01/Oct/2004:19:22:32 +0100] IsAuthorized: con->uri = "/admin"
> d [01/Oct/2004:19:22:32 +0100] FindBest: uri = "/admin"...
> d [01/Oct/2004:19:22:32 +0100] FindBest: Location / Limit 7f
> d [01/Oct/2004:19:22:32 +0100] FindBest: Location /jobs Limit 7f
> d [01/Oct/2004:19:22:32 +0100] FindBest: Location /admin Limit 7f
> d [01/Oct/2004:19:22:32 +0100] FindBest: best = "/admin"
> d [01/Oct/2004:19:22:32 +0100] IsAuthorized: auth = 1, satisfy=0...
> d [01/Oct/2004:19:22:32 +0100] ReadClient: Unauthorized request for /admin...
> D [01/Oct/2004:19:22:32 +0100] SendError: 5 code=403 (Forbidden)
> D [01/Oct/2004:19:22:32 +0100] CloseClient: 5
> d [01/Oct/2004:19:22:32 +0100] CloseClient: Removing fd 5 from InputSet and OutputSet...
> 
> [this is connecting directly to "localhost", which succeeds]
> 
> d [01/Oct/2004:19:21:41 +0100] AcceptClient(lis=0x808c2f0) 0 NumClients = 0
> D [01/Oct/2004:19:21:41 +0100] AcceptClient: 5 from localhost:631.
> d [01/Oct/2004:19:21:41 +0100] AcceptClient: Adding fd 5 to InputSet...
> d [01/Oct/2004:19:21:41 +0100] ReadClient: 5, used=0, file=-1
> D [01/Oct/2004:19:21:41 +0100] ReadClient: 5 GET /admin HTTP/1.0
> d [01/Oct/2004:19:21:41 +0100] decode_auth(0x40305008): Authorization string = "Basic cm9vdDo2MjU3bGU="
> d [01/Oct/2004:19:21:41 +0100] decode_auth: 5 username="root"
> d [01/Oct/2004:19:21:41 +0100] IsAuthorized: con->uri = "/admin"
> d [01/Oct/2004:19:21:41 +0100] FindBest: uri = "/admin"...
> d [01/Oct/2004:19:21:41 +0100] FindBest: Location / Limit 7f
> d [01/Oct/2004:19:21:41 +0100] FindBest: Location /jobs Limit 7f
> d [01/Oct/2004:19:21:41 +0100] FindBest: Location /admin Limit 7f
> d [01/Oct/2004:19:21:41 +0100] FindBest: best = "/admin"
> d [01/Oct/2004:19:21:41 +0100] IsAuthorized: auth = 0, satisfy=0...
> d [01/Oct/2004:19:21:41 +0100] IsAuthorized: username = "root" password = 6 chars
> d [01/Oct/2004:19:21:41 +0100] IsAuthorized: Checking "root", address = 7f000001, hostname = "localhost"
> d [01/Oct/2004:19:21:41 +0100] argv[0] = "admin.cgi"
> d [01/Oct/2004:19:21:41 +0100] envp[0] = "PATH=/bin:/usr/bin"
> d [01/Oct/2004:19:21:41 +0100] envp[1] = "SERVER_SOFTWARE=CUPS/1.1"
> d [01/Oct/2004:19:21:41 +0100] envp[2] = "GATEWAY_INTERFACE=CGI/1.1"
> d [01/Oct/2004:19:21:41 +0100] envp[3] = "SERVER_PROTOCOL=HTTP/1.0"
> d [01/Oct/2004:19:21:41 +0100] envp[4] = "REDIRECT_STATUS=1"
> d [01/Oct/2004:19:21:41 +0100] envp[5] = "CUPS_SERVER=localhost"
> d [01/Oct/2004:19:21:41 +0100] envp[6] = "IPP_PORT=631"
> d [01/Oct/2004:19:21:41 +0100] envp[7] = "SERVER_NAME=localhost"
> d [01/Oct/2004:19:21:41 +0100] envp[8] = "SERVER_PORT=631"
> d [01/Oct/2004:19:21:41 +0100] envp[9] = "REMOTE_ADDR=127.0.0.1"
> d [01/Oct/2004:19:21:41 +0100] envp[10] = "REMOTE_HOST=localhost"
> d [01/Oct/2004:19:21:41 +0100] envp[11] = "REMOTE_USER=root"
> d [01/Oct/2004:19:21:41 +0100] envp[12] = "LANG=en.ISO8859-15"
> d [01/Oct/2004:19:21:41 +0100] envp[13] = "TZ=Europe/London"
> d [01/Oct/2004:19:21:41 +0100] envp[14] = "TMPDIR=/var/spool/cups/tmp"
> d [01/Oct/2004:19:21:41 +0100] envp[15] = "CUPS_DATADIR=/usr/share/cups"
> d [01/Oct/2004:19:21:41 +0100] envp[16] = "CUPS_SERVERROOT=/etc/cups"
> d [01/Oct/2004:19:21:41 +0100] envp[17] = "HTTP_USER_AGENT=w3m/0.5.1"
> d [01/Oct/2004:19:21:41 +0100] envp[18] = "SCRIPT_NAME=/admin"
> d [01/Oct/2004:19:21:41 +0100] envp[19] = "REQUEST_METHOD=GET"
> d [01/Oct/2004:19:21:41 +0100] AddCert: adding certificate for pid 2262
> D [01/Oct/2004:19:21:41 +0100] CGI /usr/lib/cups/cgi-bin/admin.cgi started - PID = 2262
> I [01/Oct/2004:19:21:41 +0100] Started "/usr/lib/cups/cgi-bin/admin.cgi" (pid=2262)
> 
> I hope this is a simple configuration error on my part, but I've not
> been able to find a solution to this.  I've included the configuration
> information below that I thought would be appropriate; I can supply
> any more detail required.
> 
> Perhaps CUPS is only considering the hostname as opposed to the FQDN
> in this situation?
> 
> This is my cupsd.conf, with all comments removed:
> LogLevel debug2
> Printcap /var/run/cups/printcap
> 
> Port 631
> HostNameLookups On
> 
> Browsing On
> BrowseProtocols cups
> BrowseAddress @LOCAL
> BrowseShortNames Yes
> 
> #BrowseDeny All
> #BrowseAllow @IF(eth0)
> 
> ImplicitClasses Off
> 
> <Location />
> Order Deny,Allow
> Deny From All
> Allow From 127.0.0.1
> Allow From @LOCAL
> Allow From *.epic-client
> </Location>
> 
> <Location /jobs>
> </Location>
> 
> <Location /admin>
> AuthType Basic
> AuthClass System
> Order Deny,Allow
> Deny From All
> Allow From 127.0.0.1
> Allow From *.epic-client
> #Encryption Required
> </Location>
> 
> These are my network settings:
> 
> [/etc/hostname]
> master
> 
> [/etc/hosts]
> 127.0.0.1       localhost
> 192.168.0.1     master.epic-client master
> ::1     ip6-localhost ip6-loopback
> 
> [/etc/nsswitch.conf]
> hosts:          files dns
> networks:       files
> protocols:      db files
> services:       db files
> rpc:            db files
> 
> [/etc/resolv.conf, using local nameserver]
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 127.0.0.1
> search epic-client
> 
> Name server information:
> 
> master:~# cat /var/cache/bind/db.epic_client
> $ORIGIN .
> $TTL 86400      ; 1 day
> epic-client             IN SOA  epic-client. root.epic-client. (
>                                 7          ; serial
>                                 604800     ; refresh (1 week)
>                                 86400      ; retry (1 day)
>                                 2419200    ; expire (4 weeks)
>                                 86400      ; minimum (1 day)
>                                 )
>                         NS      dns.epic-client.
> $ORIGIN epic-client.
> dialup                  CNAME   dialup-0
> dialup-0                A       192.168.0.150
> dns                     CNAME   master
> master                  A       192.168.0.1
> ppp                     CNAME   ppp-0
> ppp-0                   A       192.168.0.151
> 
> master:~# cat /var/cache/bind/db.192.168.0
> $ORIGIN .
> $TTL 86400      ; 1 day
> 0.168.192.in-addr.arpa  IN SOA  epic_client. root.epic_client. (
>                                 5          ; serial
>                                 604800     ; refresh (1 week)
>                                 86400      ; retry (1 day)
>                                 2419200    ; expire (4 weeks)
>                                 86400      ; minimum (1 day)
>                                 )
>                         NS      dns.epic-client.
> $ORIGIN 0.168.192.in-addr.arpa.
> 1                       PTR     master.epic-client.
> 150                     PTR     dialup-0.epic-client.
> 151                     PTR     ppp-0.epic-client.
> 
> This is testing the DNS is working:
> master:~# host master
> master.epic-client has address 192.168.0.1
> 
> master:~# host 192.168.0.1
> 1.0.168.192.in-addr.arpa domain name pointer master.epic-client.
> 
> master:~# nslookup master
> Server:         127.0.0.1
> Address:        127.0.0.1#53
> 
> Name:   master.epic-client
> Address: 192.168.0.1
> 
> master:~# nslookup 192.168.0.1
> Server:         127.0.0.1
> Address:        127.0.0.1#53
> 
> 1.0.168.192.in-addr.arpa        name = master.epic-client.
> 
> roger at master:~$ ping master
> PING master.epic-client (192.168.0.1) 56(84) bytes of data.
> 64 bytes from master.epic-client (192.168.0.1): icmp_seq=1 ttl=64 time=0.138 ms
> 64 bytes from master.epic-client (192.168.0.1): icmp_seq=2 ttl=64 time=0.100 ms
> 
> --- master.epic-client ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1001ms
> rtt min/avg/max/mdev = 0.100/0.119/0.138/0.019 ms
> roger at master:~$ ping master.epic-client
> PING master.epic-client (192.168.0.1) 56(84) bytes of data.
> 64 bytes from master.epic-client (192.168.0.1): icmp_seq=1 ttl=64 time=0.106 ms
> 64 bytes from master.epic-client (192.168.0.1): icmp_seq=2 ttl=64 time=0.101 ms
> 
> --- master.epic-client ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1001ms
> rtt min/avg/max/mdev = 0.101/0.103/0.106/0.010 ms
> 
> This looks like it's functioning properly.  It also works for all of
> the dynamic IPs (not shown here, because they are not switched on).  I
> can access /admin using all of the dynamic IPs, and the static IPs
> used over a PPP connection (mgetty/pppd).
> 
> Many thanks,
> Roger
> 
> --
> Roger Leigh
> 
>                 Printing on GNU/Linux?  http://gimp-print.sourceforge.net/
>                 GPG Public Key: 0x25BFB848.  Please sign and encrypt your mail.

-- 
Helge Blischke
Softwareentwicklung
SRZ Berlin | Firmengruppe besscom
http://www.srz.de
tel: +49 30 75301-360
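The thread turns on one detail in the debug log: the scheduler recorded the failing connection as coming from plain "master", not "master.epic-client", and then matched that name against the <Location /admin> allow list. The script below is an added example, not code from the thread or from CUPS itself. It rebuilds each connection from the quoted error_log lines (fd, client name, URI, auth user, error code) and checks the logged client name against the allow rules so the cause of the 403 is visible. The suffix-matching semantics ('.domain' and '*.domain' both meaning "any name ending in .domain") and the RESOLVER name-to-address map are assumptions made for the example; the sample log is a trimmed copy of the lines in the thread.

```python
"""Triage CUPS 1.1 debug error_log lines: rebuild each client connection and
check the client name the scheduler logged against a <Location> allow list."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a trimmed copy of the debug lines quoted in the thread,
# one failing connection from "master" and one succeeding one from "localhost".
SAMPLE_LOG = """\
D [01/Oct/2004:19:22:22 +0100] AcceptClient: 5 from master:631.
d [01/Oct/2004:19:22:22 +0100] AcceptClient: Adding fd 5 to InputSet...
D [01/Oct/2004:19:22:32 +0100] ReadClient: 5 GET /admin HTTP/1.0
d [01/Oct/2004:19:22:32 +0100] decode_auth: 5 username=""
d [01/Oct/2004:19:22:32 +0100] ReadClient: Unauthorized request for /admin...
D [01/Oct/2004:19:22:32 +0100] SendError: 5 code=403 (Forbidden)
D [01/Oct/2004:19:22:32 +0100] CloseClient: 5
D [01/Oct/2004:19:21:41 +0100] AcceptClient: 5 from localhost:631.
D [01/Oct/2004:19:21:41 +0100] ReadClient: 5 GET /admin HTTP/1.0
d [01/Oct/2004:19:21:41 +0100] decode_auth: 5 username="root"
D [01/Oct/2004:19:21:41 +0100] CGI /usr/lib/cups/cgi-bin/admin.cgi started - PID = 2262
D [01/Oct/2004:19:21:41 +0100] CloseClient: 5
"""

# Allow rules of the thread's <Location /admin> block.
ADMIN_ALLOW = ["127.0.0.1", "*.epic-client"]

# Assumed stand-in for the resolver: the /etc/hosts entries quoted in the thread.
RESOLVER = {"localhost": "127.0.0.1", "master": "192.168.0.1",
            "master.epic-client": "192.168.0.1"}

# Log line shape: level letter, bracketed timestamp, message.
LINE_RE = re.compile(r"^[dDIEW] \[[^\]]+\] (?P<msg>.*)$")


@dataclass
class Conn:
    fd: int
    client: str                   # name as logged by AcceptClient (reverse lookup result)
    uri: Optional[str] = None
    user: str = ""
    status: Optional[int] = None  # code from SendError; None means no error was sent


def parse_log(text: str) -> list:
    """Pair AcceptClient ... CloseClient lines by file descriptor into Conn records."""
    live: dict = {}
    closed: list = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if (a := re.match(r"AcceptClient: (\d+) from (.+):\d+\.$", msg)):
            fd = int(a.group(1))
            live[fd] = Conn(fd, a.group(2))
        elif (r := re.match(r"ReadClient: (\d+) [A-Z]+ (\S+) HTTP/", msg)):
            if (c := live.get(int(r.group(1)))):
                c.uri = r.group(2)
        elif (u := re.match(r'decode_auth: (\d+) username="([^"]*)"', msg)):
            if (c := live.get(int(u.group(1)))):
                c.user = u.group(2)
        elif (s := re.match(r"SendError: (\d+) code=(\d+)", msg)):
            if (c := live.get(int(s.group(1)))):
                c.status = int(s.group(2))
        elif (k := re.match(r"CloseClient: (\d+)$", msg)):
            if (c := live.pop(int(k.group(1)), None)):
                closed.append(c)
    return closed


def allowed_by(client: str, patterns: list) -> Optional[str]:
    """Return the first allow pattern the client satisfies, or None.
    Assumed semantics (illustrative, not CUPS's own matcher): an address or
    CIDR pattern matches the resolved address; '.dom' or '*.dom' matches any
    name that ends in '.dom'; any other pattern must equal the name exactly."""
    name = client.lower().rstrip(".")
    addr = RESOLVER.get(name)
    for pat in patterns:
        p = pat.lower()
        try:
            net = ipaddress.ip_network(p, strict=False)
        except ValueError:
            net = None
        if net is not None:
            if addr and ipaddress.ip_address(addr) in net:
                return pat
            continue
        suffix = p[1:] if p.startswith("*.") else p
        if suffix.startswith("."):
            if name.endswith(suffix) and len(name) > len(suffix):
                return pat
        elif name == suffix:
            return pat
    return None


def explain(text: str, patterns: list) -> list:
    """One tuple per connection: (client, uri, user, error code, matching allow rule)."""
    return [(c.client, c.uri, c.user, c.status, allowed_by(c.client, patterns))
            for c in parse_log(text)]


if __name__ == "__main__":
    for client, uri, user, status, rule in explain(SAMPLE_LOG, ADMIN_ALLOW):
        verdict = f"allowed by '{rule}'" if rule else "matches no Allow rule"
        print(f"{client:<12} {uri} user={user!r:<8} status={status} -> {verdict}")
```

Run against the sample, the connection from "master" matches no rule and carries the 403, while the one from "localhost" is allowed by the loopback rule. The point the parse makes visible is that a bare name such as "master" satisfies neither a '*.epic-client' nor a '.epic-client' suffix rule; a hostname rule can only help when the reverse lookup of the connecting address yields the fully qualified name, so when triaging a 403 on /admin it is worth comparing the name in the AcceptClient line with what the Allow rules expect.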



