Authorization of custom CGIs

Opher Shachar ophers at ladpc.co.il
Thu Dec 21 09:06:58 PST 2006


> Opher Shachar wrote:
> >> Opher Shachar wrote:
> >>> Hello all,
> >>>   I've written a custom CGI and marked it as a protected resource in cupsd.conf:
> >>> <Location /ojobs.cgi>
> >>>   AuthType Basic
> >>>   Require user @SYSTEM
> >>>   # Allow remote administration...
> >>>   Order allow,deny
> >>>   Allow @LOCAL
> >>> </Location>
> >>> [snip]
> > I have another question: I changed the Require directive to
> >      Require user @OWNER
> > and to the url I append 'job_id=xxx' as in
> >      http://localhost:631/ojobs.cgi?job_id=102
> > but still the owner is not authorized. Can this be managed?
>
> The best thing to do is create a subdirectory and use the subdir for
> your location-based authentication.  Right now /ojobs.cgi and
> /ojobs.cgi?foo are not treated as a match... (file a feature request
> if you'd like to see support for that added...)

I get this in error_log:
D [21/Dec/2006:18:26:46 +0200] encrypt_client: 13 Connection from 10.236.42.48 now encrypted.
d [21/Dec/2006:18:26:46 +0200] cupsdReadClient: 13, used=0, file=-1 state=0
D [21/Dec/2006:18:26:46 +0200] cupsdReadClient: 13 GET /ojobs.cgi?op=display-job&job_id=102&job_printer_uri=/printers/BPHsigal&job_name=ED5515P0_1641212.lis1 HTTP/1.1
D [21/Dec/2006:18:26:46 +0200] cupsdReadClient: 13 Browser asked for language "he-il.utf-8"...
d [21/Dec/2006:18:26:46 +0200] cupsdFindBest: uri = "/ojobs.cgi?op=display-job&job_id=102&job_printer_uri=/printers/BPHsigal&job_name=ED5515P0_1641212.lis1"...
d [21/Dec/2006:18:26:46 +0200] cupsdFindBest: Location /printers/Cups-PDF Limit 7f
d [21/Dec/2006:18:26:46 +0200] cupsdFindBest: Location /oto Limit 7f
d [21/Dec/2006:18:26:46 +0200] cupsdFindBest: Location /ojobs.cgi?op=display-job Limit 7f
d [21/Dec/2006:18:26:46 +0200] cupsdFindBest: Location /admin/conf Limit 7f
d [21/Dec/2006:18:26:46 +0200] cupsdFindBest: Location /admin Limit 7f
d [21/Dec/2006:18:26:46 +0200] cupsdFindBest: Location / Limit 7f
d [21/Dec/2006:18:26:46 +0200] cupsdFindBest: best = /ojobs.cgi?op=display-job
d [21/Dec/2006:18:26:46 +0200] cupsdAuthorize: con->uri="/ojobs.cgi?op=display-job&job_id=102&job_printer_uri=/printers/BPHsigal&job_name=ED5515P0_1641212.lis1", con->best=0x96996a8(/ojobs.cgi?op=display-job)

So it seems the URI /ojobs.cgi?op=display-job&job_id=102&job_printer_uri=/printers/BPHsigal&job_name=ED5515P0_1641212.lis1
is matched with /ojobs.cgi?op=display-job.

Now, how does CUPS evaluate the directive
   Require user @OWNER
when deciding on authorization? What part of the URI does it inspect?

Thanks,
Opher Shachar.
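
An added example (not part of the original post and not CUPS code): a small parser for cupsdFindBest debug lines in the format of the error_log excerpt above, reporting which Location each request was matched to and flagging matches that hinge on the query string. The sample log is constructed; its second request, with the parameters reordered and a fallback to /, is an assumed illustration rather than observed CUPS output.

```python
import re

# Constructed sample in the error_log format quoted above (values shortened).
SAMPLE_LOG = '''\
d [21/Dec/2006:18:26:46 +0200] cupsdFindBest: uri = "/ojobs.cgi?op=display-job&job_id=102"...
d [21/Dec/2006:18:26:46 +0200] cupsdFindBest: Location /ojobs.cgi?op=display-job Limit 7f
d [21/Dec/2006:18:26:46 +0200] cupsdFindBest: Location / Limit 7f
d [21/Dec/2006:18:26:46 +0200] cupsdFindBest: best = /ojobs.cgi?op=display-job
d [21/Dec/2006:18:26:47 +0200] cupsdFindBest: uri = "/ojobs.cgi?job_id=102&op=display-job"...
d [21/Dec/2006:18:26:47 +0200] cupsdFindBest: Location /ojobs.cgi?op=display-job Limit 7f
d [21/Dec/2006:18:26:47 +0200] cupsdFindBest: Location / Limit 7f
d [21/Dec/2006:18:26:47 +0200] cupsdFindBest: best = /
'''

LINE = re.compile(r'cupsdFindBest: (?:uri = "(?P<uri>[^"]*)"'
                  r'|Location (?P<loc>\S+) Limit|best = (?P<best>\S+))')

def parse_findbest(log_text):
    """Group cupsdFindBest debug lines into one record per request."""
    records, cur = [], None
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        if m.group("uri") is not None:          # a "uri =" line starts a new request
            cur = {"uri": m.group("uri"), "locations": [], "best": None}
            records.append(cur)
        elif cur is not None and m.group("loc"):
            cur["locations"].append(m.group("loc"))
        elif cur is not None and m.group("best"):
            cur["best"] = m.group("best")
    return records

def audit(records):
    """Flag requests whose path has a query-specific Location configured."""
    findings = []
    for r in records:
        path = r["uri"].split("?", 1)[0]
        keyed = [l for l in r["locations"] if "?" in l and l.split("?", 1)[0] == path]
        if r["best"] in keyed:
            findings.append((r["uri"], r["best"], "matched query-specific Location"))
        elif keyed:
            findings.append((r["uri"], r["best"], "fell through to broader Location"))
    return findings

if __name__ == "__main__":
    for uri, best, note in audit(parse_findbest(SAMPLE_LOG)):
        print(f"{note}: {uri} -> {best}")
```
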



