start/stop authorization for a single printer

Patrice Guay pg at outboxtechnology.com
Tue Dec 19 10:36:15 PST 2006


> >>Hi,
> >>
> >>I'm using cups v.1.1.22 on RHEL4. I would like to allow a user to start/stop a specific printer without giving him the right to delete or modify the printer.
> >>
> >>I've looked at /etc/cups/cupsd.conf and found the following directive which looks like the starting point for what I want to achieve.
> >>
> >><Location /admin>
> >>[...]
> >></Location>
> >>
> >>
> > The following should work:
> >
> > <Location /printers/name_of_the_printer?op=foo-printer>
> > ....
> > </Location>
> >
> > where foo is one of start or stop.
> >
> > Helge
> >
>
> I added the following to allow simple users the right to stop the printer:
>
> <Location /admin/?op=stop-printer&printer_name=name_of_printer>
> AuthType Basic
> AuthClass User
> </Location>
>
> When CUPS prompts for a username/password, giving credentials of a normal user is accepted but I receive a web page with the following message: "Error: client-error-not-authorized"
>
> I examined the access_log from CUPS:
>
> localhost - patrice [XXX] "GET /admin/?op=stop-printer&printer_name=name_of_printer HTTP/1.1" 200 0
> localhost - - [XXX] "POST /admin/ HTTP/1.1" 401 0
> localhost - patrice [XXX] "POST /admin/ HTTP/1.1" 401 0
> localhost - patrice [XXX] "POST /admin/ HTTP/1.1" 401 0
> [...]
> localhost - patrice [XXX] "POST /admin/ HTTP/1.1" 401 0
> localhost - patrice [XXX] "GET /admin/?op=stop-printer&printer_name=name_of_printer HTTP/1.1" 200 1541
>
> When I input root credentials, access_log gives:
>
> localhost - root [XXX] "GET /admin/?op=stop-printer&printer_name=name_of_printer HTTP/1.1" 200 0
> localhost - - [XXX] "POST /admin/ HTTP/1.1" 401 0
> localhost - root [XXX] "POST /admin/ HTTP/1.1" 200 122
> localhost - root [XXX] "GET /admin/?op=stop-printer&printer_name=name_of_printer HTTP/1.1" 200 1544
>
> The "POST /admin/" command is clearly responsible for the "Error: client-error-not-authorized" error message.
>

Here is the solution I found:

<Location /admin>
AuthType Basic
AuthClass User
</Location>

<Location /admin/?op=>
AuthType Basic
AuthClass System
</Location>

<Location /admin/?op=stop-printer&printer_name=name_of_printer>
AuthType Basic
AuthClass User
</Location>

<Location /admin/?op=start-printer&printer_name=name_of_printer>
AuthType Basic
AuthClass User
</Location>

This configuration would open a security breach if it is possible to issue administrative commands with something different than "/admin/?op=command..."

--
Patrice Guay
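
The access_log reading used in the thread, as an added example that is not part of the original post: it separates 401 responses with no user name (the Basic authentication challenge) from 401 responses that carry a user name (credentials were supplied and the request was still refused). The log lines are a subset of those quoted above, with the redacted [XXX] timestamps kept; the function names are hypothetical.

```python
import re
from collections import Counter

# Subset of the access_log lines quoted in the post (timestamps are [XXX] there).
SAMPLE_LOG = """\
localhost - patrice [XXX] "GET /admin/?op=stop-printer&printer_name=name_of_printer HTTP/1.1" 200 0
localhost - - [XXX] "POST /admin/ HTTP/1.1" 401 0
localhost - patrice [XXX] "POST /admin/ HTTP/1.1" 401 0
localhost - patrice [XXX] "POST /admin/ HTTP/1.1" 401 0
[...]
localhost - root [XXX] "GET /admin/?op=stop-printer&printer_name=name_of_printer HTTP/1.1" 200 0
localhost - - [XXX] "POST /admin/ HTTP/1.1" 401 0
localhost - root [XXX] "POST /admin/ HTTP/1.1" 200 122
"""

# host, ident, user, [time], "METHOD URI PROTO", status, bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]*)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse(log_text):
    """Yield one dict per well-formed line; skip anything else (e.g. "[...]")."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def classify(entries):
    """Split 401s into challenges (no user) and denials (named user)."""
    challenges, denials = Counter(), Counter()
    for e in entries:
        if e["status"] != "401":
            continue
        key = (e["method"], e["uri"])
        if e["user"] == "-":
            challenges[key] += 1          # server asking for credentials
        else:
            denials[(e["user"],) + key] += 1  # credentials sent, still refused
    return challenges, denials

if __name__ == "__main__":
    challenges, denials = classify(parse(SAMPLE_LOG))
    for (user, method, uri), n in sorted(denials.items()):
        print(f"denied:    user={user} {method} {uri} x{n}")
    for (method, uri), n in sorted(challenges.items()):
        print(f"challenge: {method} {uri} x{n}")
```

On these lines the only named-user denials are patrice's POST /admin/ requests, while root's POST /admin/ is answered with 200.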




