Authorization of custom CGIs
Opher Shachar
ophers at ladpc.co.il
Thu Dec 21 08:38:42 PST 2006
> Opher Shachar wrote:
> > Hello all,
> > I've written a custom CGI and marked it as a protected resource in cupsd.conf:
> > <Location /ojobs.cgi>
> > AuthType Basic
> > Require user @SYSTEM
> > # Allow remote administration...
> > Order allow,deny
> > Allow @LOCAL
> > </Location>
> >
> > When accessing the CGI I'm asked to authenticate BUT then any (authenticated) user - not just root - gets access.
> > Is it the CGI's responsibility to check for authorization?
> > If so need the CGI parse the cupsd.conf file, or is there a simpler way?
>
> CUPS should be doing the group checks for you - verify that your
> users are not part of the system group(s). If they aren't, set the
> LogLevel to debug2 and see which location is being used for
> authentication (look for the cupsdFindBest log messages).
OK, this one is funny :)
Yesterday I accidentally typed 'cupsd' at the console, recieved no message and though that nothing happened. Now I did a 'ps -ef|grep cups' and found two instances of cupsdreceived. I unloaded them and restarted the cups service. It now works as you say.
I have another question: I changed the Require directive to
Require user @OWNER
and to the url I append 'job_id=xxx' as in
http://localhost:631/ojobs.cgi?job_id=102
but still the owner is not authorized. Can this be managed?
Thanks,
Opher Shachar.
More information about the cups
mailing list