[cups.general] Is it possible to make available certain printers to specific hosts/networks while others are not
Kurt Pfeifle
kpfeifle at danka.de
Fri Jun 16 07:57:25 PDT 2006
wtautz <wtautz at cs.uwaterloo.ca> wrote (Friday 16 June 2006 15:42):
> Is it possible to have certain printers be made available for certain
> hosts/networks only while others
> are not.
Yes, it is.
I note you said "available", not "visible"....
CUPS-1.1.x:
-----------
Assuming CUPS 1.1.x, you'd put a separate "Location" section for each
printer in your cupsd.conf, like that:
<Location /printers/PrinterNameA>
Order Deny,Allow
Deny From All
Allow From 192.168.1.*
Allow From 192.168.2.*
</Location>
<Location /printers/PrinterNameB>
Order Deny,Allow
Deny From All
Allow From 192.168.2.*
Allow From 192.168.3.*
Allow From 192.168.4.*
</Location>
and so on.... (you could add more access control directives, and also
authentication as needed).
CUPS-1.2.x:
-----------
Assuming you use CUPS 1.2, you can use the same thing as in 1.1.x,
using the same syntax.
But you can also use an "OpPolicy" for each printer definition. The
Policy itself is defined in cupsd.conf. You can define different
"policies", and then assign the specific policy to each printer as
needed. The concept of policies provides a more finely granulated
set of controls over your IPP printer and job objects and operations.
From the top of my head (I've not actually tested it, just shortly
checked against the available docu), put this in cupsd.conf (the
actual policy names are arbitrary). It is the most simple way to
define a Policy with "Limit All". In essence, the following does
not give a different outcome than the "old" 1.1 syntax does:
-------- snip --------------------------
<Policy my_policy_for_PrinterNameA>
<Limit All>
Order Deny,Allow
Deny From All
Allow From 192.168.1.*
Allow From 192.168.2.*
</Limit>
</Policy>
<Policy my_policy_for_PrinterNameB>
<Limit All>
Order Deny,Allow
Deny From All
Allow From 192.168.2.*
Allow From 192.168.3.*
Allow From 192.168.4.*
</Limit>
</Policy>
-------- snap --------------------------
After you've defined a policy in cupsd.conf and re-started cupsd,
you can assign an OpPolicy to a printer, either with the lpadmin
command:
lpadmin -p PrinterNameA -o printer-op-policy=my_policy_for_PrinterNameA
lpadmin -p PrinterNameB -o printer-op-policy=my_policy_for_PrinterNameB
or through the web interface shown in the "Policies" section at the
bottom of:
http://localhost:631/admin/?op=set-printer-options&printer_name=PrinterNameA
http://localhost:631/admin/?op=set-printer-options&printer_name=PrinterNameB
Of course, with the concept of policies, you can have very finely
grained control structures. You can do things that are beyond what
the CUPS-1.1.x "Location" syntax could do....
Consider something like this (note that line endings noted with "\"s
are only used here for readability; you should put these on one
single line) -- I'm not saying this is a particularly clever way of
setting things up:
-------- snip -------------------------------------------------------
<Policy policy_for_PrinterNameC>
# Job-related operations must be done by job owner or an
# administrator, and only if connecting from an IP address
# like 10.162.3.[0-255] or from localhost...
<Limit Send-Document Hold-Job Release-Job Restart-Job \
Purge-Jobs Set-Job-Attributes Create-Job-Subscription \
Renew-Subscription Cancel-Subscription Get-Notifications \
Suspend-Current-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
# "Order deny,allow" permits by default, so deny everyone before the Allow lines
Deny from all
Allow from 127.0.0.1
Allow from 10.162.3.*
Satisfy all
Encryption Required
</Limit>
# Stop/start/pause/resume printer operations as well as listing
# all printers and classes may be done by any valid user, from
# any client that can access CUPS...
<Limit Enable-Printer Disable-Printer Pause-Printer \
Resume-Printer CUPS-Get-Classes CUPS-Get-Printers>
Require valid-user
Order deny,allow
Allow from All
Deny from None
Encryption Required
</Limit>
# All other operations can only be done by an administrator
# connecting from localhost and using Digest authentication...
<Limit All>
AuthType Digest
Require user @SYSTEM
Order Deny,Allow
Deny From All
Allow from 127.0.0.1
Satisfy all
Encryption Required
</Limit>
</Policy>
-------- snap -------------------------------------------------------
Hope this helps. Hope also that I didn't put any major flaws into
my examples.
Cheers,
Kurt
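
Added example (not part of the original message and not CUPS code): a small evaluator for the Order/Allow/Deny rules in the "Location" blocks above, useful for checking which client addresses can reach which printer before deploying a cupsd.conf. It follows the documented cupsd.conf semantics ("Order deny,allow" allows by default, "Order allow,deny" denies by default); PrinterNameX is a hypothetical block that omits "Deny From All", and treating a block with no Order line as allow,deny is an assumption of this sketch.

```python
import re
from fnmatch import fnmatchcase

# Constructed input: the message's two blocks plus a hypothetical PrinterNameX.
SAMPLE_CONF = """
<Location /printers/PrinterNameA>
Order Deny,Allow
Deny From All
Allow From 192.168.1.*
Allow From 192.168.2.*
</Location>
<Location /printers/PrinterNameB>
Order Deny,Allow
Deny From All
Allow From 192.168.2.*
Allow From 192.168.3.*
Allow From 192.168.4.*
</Location>
<Location /printers/PrinterNameX>
Order Deny,Allow
Allow From 192.168.9.*
</Location>
"""

def parse_locations(text):  # printer name -> {"order", "allow", "deny"}
    rules, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*<Location\s+/printers/([^>\s]+)>", line, re.I):
            cur = rules[m.group(1)] = {"order": None, "allow": [], "deny": []}
        elif re.match(r"\s*</Location>", line, re.I):
            cur = None
        elif cur and (m := re.match(r"\s*(Order|Allow|Deny)\s+(?:From\s+)?(\S+)", line, re.I)):
            key, value = m.group(1).lower(), m.group(2).lower()
            cur[key] = value if key == "order" else cur[key] + [value]
    return rules

def matches(pattern, ip):
    # Sketch handles only "all", "none", literal addresses and "*" wildcards.
    return pattern == "all" or (pattern != "none" and fnmatchcase(ip, pattern))

def is_allowed(rule, ip):
    allow = any(matches(p, ip) for p in rule["allow"])
    deny = any(matches(p, ip) for p in rule["deny"])
    if rule["order"] == "deny,allow":  # default allow; Allow overrides Deny
        return allow or not deny
    return allow and not deny  # allow,deny (assumed if no Order): Deny overrides Allow

def reachable_printers(conf_text, ip):
    return sorted(n for n, r in parse_locations(conf_text).items() if is_allowed(r, ip))
```

Calling reachable_printers(SAMPLE_CONF, "10.0.0.5") returns PrinterNameX only: without "Deny From All" the Allow lines restrict nothing, because "Order Deny,Allow" already permits every client.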