Authorization of custom CGIs
Michael Sweet
mike at easysw.com
Thu Dec 21 08:41:39 PST 2006
Opher Shachar wrote:
>> Opher Shachar wrote:
>>> Hello all,
>>> I've written a custom CGI and marked it as a protected resource in cupsd.conf:
>>> <Location /ojobs.cgi>
>>> AuthType Basic
>>> Require user @SYSTEM
>>> # Allow remote administration...
>>> Order allow,deny
>>> Allow @LOCAL
>>> </Location>
>>>
>>> When accessing the CGI I'm asked to authenticate BUT then any (authenticated) user - not just root - gets access.
>>> Is it the CGI's responsibility to check for authorization?
>>> If so need the CGI parse the cupsd.conf file, or is there a simpler way?
>> CUPS should be doing the group checks for you - verify that your
>> users are not part of the system group(s). If they aren't, set the
>> LogLevel to debug2 and see which location is being used for
>> authentication (look for the cupsdFindBest log messages).
>
> OK, this one is funny :)
> Yesterday I accidentally typed 'cupsd' at the console, received no message and thought that nothing happened. Now I did a 'ps -ef|grep cups' and found two instances of cupsd. I unloaded them and restarted the cups service. It now works as you say.
>
> I have another question: I changed the Require directive to
> Require user @OWNER
> and to the url I append 'job_id=xxx' as in
> http://localhost:631/ojobs.cgi?job_id=102
> but still the owner is not authorized. Can this be managed?
The best thing to do is create a subdirectory and use the subdir for
your location-based authentication. Right now /ojobs.cgi and
/ojobs.cgi?foo are not treated as a match... (file a feature request
if you'd like to see support for that added...)
--
______________________________________________________________________
Michael Sweet, Easy Software Products mike at easysw dot com
Internet Printing and Document Software http://www.easysw.com
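
One way to follow the advice above about the cupsdFindBest log messages, as an added example that is not part of the original message or of CUPS: it pairs each logged URI with the Location chosen for it and lists requests for the CGI that were not checked against the intended Location. The log line format, the sample lines and the function names are assumptions made for this example.

```python
import re

# Constructed sample of debug2 error_log lines. The exact wording of the
# cupsdFindBest messages is an assumption and may differ between CUPS versions.
SAMPLE_LOG = '''\
d [21/Dec/2006:08:30:01 -0800] cupsdFindBest: uri = "/ojobs.cgi"
d [21/Dec/2006:08:30:01 -0800] cupsdFindBest: best = /ojobs.cgi
d [21/Dec/2006:08:30:02 -0800] (unrelated debug line)
d [21/Dec/2006:08:31:12 -0800] cupsdFindBest: uri = "/ojobs.cgi?job_id=102"
d [21/Dec/2006:08:31:12 -0800] cupsdFindBest: best = /
'''

URI_RE = re.compile(r'cupsdFindBest: uri = "(?P<uri>[^"]*)"')
BEST_RE = re.compile(r'cupsdFindBest: best = (?P<best>\S+)')

def matched_locations(lines):
    """Yield (uri, location) pairs; location is None if no 'best' line followed."""
    pending = None
    for line in lines:
        m = URI_RE.search(line)
        if m:
            if pending is not None:
                yield pending, None  # previous uri never got a 'best' line
            pending = m.group("uri")
            continue
        m = BEST_RE.search(line)
        if m and pending is not None:
            yield pending, m.group("best")
            pending = None
    if pending is not None:
        yield pending, None

def unprotected(lines, resource, expected):
    """Requests for `resource` (query string ignored) not matched to `expected`."""
    hits = []
    for uri, best in matched_locations(lines):
        path = uri.split("?", 1)[0]
        if path == resource and best != expected:
            hits.append((uri, best))
    return hits

if __name__ == "__main__":
    for uri, best in unprotected(SAMPLE_LOG.splitlines(), "/ojobs.cgi", "/ojobs.cgi"):
        print(f"{uri!r} was checked against location {best!r}")
```

Run it over the real error_log after setting LogLevel to debug2; any request it prints was authorized under a different Location than the one written for the CGI.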