Policy - User not in group

angelb angelb at bugarin.us
Thu Jan 3 06:48:43 PST 2008


> angelb wrote:
> > ...
> > Ok, it would appear I need to have the "qadmin" group included
> > in /admin. That allowed the user "qadmin1" to stop the printer. But
> > now, I'm confused why qadmin1 is allowed to stop or start, or any other
> > options, a printer even if the mktgtest policy only has the following
> > option:
> >
> >  <Limit CUPS-Accept-Jobs>
> >         AuthType Basic
> >         Require group qadmin
> >         Order deny,allow
> >  </Limit>
>
> Policies do not inherit from the default policy - you need to include
> all of the default policy in any other policy you define.

That's why I'm confused. Given only one operation to mktgtest policy,
CUPS-Accept-Jobs, how is it that qadmin1 is able to Disable or Enable
a printer queue?

The last Limit in the mktgtest policy is also set to deny for all;
still, the qadmin1 is able to perform operations not in the mktgtest
policy limit.

 <Limit All>
     Order allow,deny
 </Limit>


Here's the full mktgtest policy (for testing obviously):

<Policy mktgtest>

 <Limit CUPS-Accept-Jobs>
    AuthType Basic
    Require group qadmin
    Order allow,deny
 </Limit>

 <Limit All>
     Order allow,deny
 </Limit>
</Policy>

If I understand the policy correctly, users in the qadmin group are
allowed to perform only one operation, and that is CUPS-Accept-Jobs. If
the users are able to perform other operations, then there has to be a
misconfiguration somewhere. If so, I don't know where...at the moment.

BTW, I've happened to leave CUPS-Accept-Jobs in the Limits section but
it could be any other operation for the purpose of testing the policy.

Thanks,
Angel
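
Added example (not part of the original post, and not CUPS code): a Python sketch that parses the posted mktgtest policy and reports which Limit block covers a given IPP operation and what default its Order line sets. Assumptions: a Limit that names the operation is preferred over `<Limit All>`, `Order allow,deny` means deny by default as documented for cupsd.conf, and Pause-Printer stands in for an operation the policy does not name. It reads only the policy text and does not check which policy a printer queue is assigned.

```python
import re

# Constructed input: the mktgtest policy as posted in the message above.
POLICY_TEXT = """
<Policy mktgtest>
 <Limit CUPS-Accept-Jobs>
    AuthType Basic
    Require group qadmin
    Order allow,deny
 </Limit>
 <Limit All>
     Order allow,deny
 </Limit>
</Policy>
"""

def parse_policy(text):
    """Return (policy_name, [(operations, directives)]) for one <Policy> block."""
    name, limits, current = None, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and padding
        if m := re.fullmatch(r"<Policy\s+(\S+)>", line):
            name = m.group(1)
        elif m := re.fullmatch(r"<Limit\s+(.+)>", line):
            current = (m.group(1).split(), {})       # one Limit may list several ops
            limits.append(current)
        elif line == "</Limit>":
            current = None
        elif current is not None and line:
            key, _, value = line.partition(" ")
            current[1].setdefault(key, []).append(value.strip())
    return name, limits

def effective_limit(limits, operation):
    """Assumed lookup order: a Limit naming the operation, else <Limit All>."""
    for wanted in (operation, "All"):
        for ops, directives in limits:
            if wanted in ops:
                return ops, directives
    return None

def summarize(limits, operation):
    """Describe what the policy text alone says about one IPP operation."""
    found = effective_limit(limits, operation)
    if found is None:
        return "no matching Limit"
    ops, d = found
    order = d.get("Order", ["(not set)"])[-1].replace(" ", "")
    default = {"allow,deny": "deny", "deny,allow": "allow"}.get(order, "unknown")
    return f"Limit {' '.join(ops)}: default {default}, require {d.get('Require', ['-'])[-1]}"
```
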






