OpPolicy problem/bug: Sending job as non-authorized user nevertheless prints job as root user
Michael Sweet
mike at easysw.com
Fri Jul 20 07:22:12 PDT 2007
Kurt Pfeifle wrote:
> ...
>> The policy kicks the original print request back (unauthorized,
>> your -U isn't accepted), at which point the lp command tries to
>> authenticate. Since you are running over localhost, the
>> authentication can use certificates. Since you are running as
>> root, certificate 0 is readable and you get authenticated as root.
>
> What would break if I disabled authentication via local certificates
> for the testing?

Nothing really, you'll just be asked for a password...

>> Now, if the limit was set via the requesting-user-name-allowed or
>> requesting-user-name-denied attributes (-u allow:... or -u deny:...
>> on the lpadmin command-line), your -U trick would work.
>
> Yes, but that is specifically not wanted by the customer, because the
> "management overhead" to maintain those lists for 100s of printers
> and 1000s of users is not very sexy...

You could use groups to manage the user lists for multiple printers
(just like you'll be doing for the policies).

--
______________________________________________________________________
Michael Sweet, Easy Software Products mike at easysw dot com
Internet Printing and Document Software http://www.easysw.com