cupsenable "may ask the user for an access password"

Kurt Pfeifle kurt.pfeifle at infotec.com
Thu Jun 28 12:58:33 PDT 2007


> I accidentally ran cupsenable as me instead of root and got:
>
> moylek(103)cupsenable lp3
> Password for moylek on localhost?
>
> Entering my password just resulted in repeated prompts.
>
> According to the cupsenable man page:
>
> The CUPS versions of disable and enable may ask the user for an access
> password depending on the printing system configuration. This differs
> from the System V versions which require the root user to execute these
>  commands.
>
> http://cups.org/documentation.php/man-cupsenable.html
>
> "May" require?  Depending on _what_?

Depending on "print system configuration".

CUPS' print system configuration mainly lives in /etc/cups/cupsd.conf

There, you'll find sections for "locations" which are enclosed by "<Location /$something>....</Location>" tags.

Look for the "AuthType" settings inside the location definitions.

If "AuthType Basic" you'll need the standard password that is stored in /etc/shadow (or somewhere else, depending on your PAM configuration). The one which you use to log in.

If "AuthType BasicDigest" or "AuthType Digest" you'll need a password that must be (first of all) *set* by the "lppasswd -a $username" command (by root) and which will be living in /etc/cups/lppasswd.md5. The lppasswd separates the print admin privileges from root and allows you to outsource print administration to non-root users. If it is compromised, the respective system password is not necessarily compromised at the same time.

Many distros set up the CUPS print system like that by default, but leave it with a non-existent or empty lppasswd.md5 file, because they want to make it more secure.

Unfortunately, they do a poorer job in explaining to their users these measures than they do in making the system "secure, but too hard to use".

That's why lots of people run into the same problem as you did.

> I can't find the docs for this feature.  Anyone know what I have to
> tweak, poke or [...beep...] to enable use of cupsenable by users?

Cheers,
Kurt

--
Kurt Pfeifle
System & Network Printing Consultant --- Linux/Unix/Windows/Samba/CUPS
Infotec Deutschland GmbH - A RICOH Company ......... Stuttgart/Germany








More information about the cups mailing list