[cups.general] Security and lp command and -u option

Jerome Alet alet at librelogiciel.com
Tue Apr 1 10:54:45 PDT 2008 

On Tue, Apr 01, 2008 at 12:49:01PM +0200, Johannes Meixner wrote:
> 
> According to how I understand it, how should a service running
> on a server machine know who the user is "behind" a client program
> on a remote client system without special authentication?
> ...
> 
> Think about a user who makes his own IPP client program
> which can send whatever he likes to the CUPS server.
> 
> Think about a user who is root on his own laptop so that
> he can run arbitrary programs to receive and send
> arbitrary stuff via network.

Is there is a way for the CUPS server to require the password for the
username specified with -U (and not for the user who launched the lp
command) ?

This seems to be a very common problem. So either people don't read 
the CUPS' documentation (me included), can't find it while reading 
it, or it is not possible. 

If user 'john' launches 'lp' without using -U, 
then there should be a way for CUPS to ask john's password. If now
'john' launches 'lp -U Mary ...' then CUPS should ask for Mary's
password (or wait for it as part of the job submission process).

Is this possible with some setting in cupsd.conf ? If yes how ?

Of course this should work with any IPP client : if the transmitted password
is incorrect on the CUPS server side, or possibly not send at all, the job
should be rejected.

Even without asking for a password, is there a setting in cupsd.conf 
to allow the checking for the existence of that particular user, 
preferably through PAM and/or configurable external command (think 
special LDAP queries combined with time slots and the like) ? 

It seems several people are having this very same problem. 
Personally I'm playing with settings in my cupsd.conf, and the logs 
don't make any sense to me (date removed for readability) :

--- CUT ---
D [] cupsdReadClient: 23 POST /printers/PDFGen HTTP/1.1
D [] cupsdAuthorize: No authentication data provided.
D [] Print-Job ipp://localhost/printers/PDFGen
D [] print_job: auto-typing file...
D [] cupsdIsAuthorized: username=""
E [] Print-Job: Unauthorized
D [] cupsdSendError: 23 code=401 (Unauthorized)
D [] cupsdCloseClient: 23
D [] cupsdAcceptClient: 23 from localhost:631 (IPv4)
D [] cupsdReadClient: 23 POST /printers/PDFGen HTTP/1.1
D [] cupsdAuthorize: Authorized as root using Local
D [] Print-Job ipp://localhost/printers/PDFGen
D [] print_job: auto-typing file...
D [] cupsdIsAuthorized: username="root"
I [] [Job 124] Adding start banner page "none,none".
--- CUT ---

Jow was printed on local CUPS server by user 'jerome' with :

        lp -U nonuser -dPDFGen myfile.ps
        
No password was asked, 'nonuser' doesn't exist locally, and job        
was printed.

Was is this 'cupsdAuthorize' and in which way was this print job
related to user 'root' ???

Why did CUPS send and error 401 but lp didn't ask anything ?

my cupsd.conf contained 

--- CUT ---
LogLevel debug
SystemGroup lpadmin
# Allow remote access
Port 631
# Enable printer sharing and shared printers.
Browsing On
BrowseOrder allow,deny
BrowseAllow all
BrowseAddress @LOCAL
DefaultAuthType Basic
<Location />
  Allow localhost
  # Allow shared printing...
  Order allow,deny
  Allow @LOCAL
</Location>
<Location /admin>
  Allow localhost
  # Restrict access to the admin pages...
  Order allow,deny
  Allow localhost
</Location>
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Allow localhost
  # Restrict access to the configuration files...
  Order allow,deny
  Allow localhost
</Location>
<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Authenticate-Job Print-Job>
    #Require user @OWNER @SYSTEM
    Require valid-user
    AuthType Default
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
    Allow @LOCAL
  </Limit>
</Policy>
--- CUT ---

Any hint about what I'm doing incorrectly ?

I thought changing the '<Limit CUPS-Authenticate-Job Print-Job>' in
the default policy would be sufficient... 

Thanks in advance for any help.

Jerome Alet

More information about the cups mailing list