Policy - User not in group
angelb
angelb at bugarin.us
Thu Jan 3 06:48:43 PST 2008
> angelb wrote:
> > ...
> > Ok, it would appear I need to have the "qadmin" group included
> > in /admin. That allowed the user "qadmin1" to stop the printer. But
> > now, I'm confused why qadmin1 is allowed to stop or start, or any other
> > options, a printer even if the mktgtest policy only has the following
> > option:
> >
> > <Limit CUPS-Accept-Jobs>
> > AuthType Basic
> > Require group qadmin
> > Order deny,allow
> > </Limit>
>
> Policies do not inherit from the default policy - you need to include
> all of the default policy in any other policy you define.
That's why I'm confused. Given only one operation to mkgtest policy,
CUPS-Accept-Jobs, how is it that qadmin1 is able to Disable or Enable
a printer queue?
The last Limit in the mkgtest policy is also set to deny for all,
still, the qadmin1 is able to perform operations not in the mktgtest
policy limit.
<Limit All>
Order allow,deny
</Limit>
Here's the full mkgtest policy(for testing obviously):
<Policy mktgtest>
<Limit CUPS-Accept-Jobs>
AuthType Basic
Require group qadmin
Order allow,deny
</Limit>
<Limit All>
Order allow,deny
</Limit>
</Policy>
If I understand the policy correctly, users in the qadmin group is
allowed to perform only one operation, and that is CUPS-Accept-Jobs. If
the users are able to perform other operations, then there has to be a
misconfiguration somewhere. If so, I don't know where...at the moment.
BTW, I've happened to leave CUPS-Accept-Jobs in the Limits section but
it could be any other operation for the purpose of testing the policy.
Thanks,
Angel
More information about the cups
mailing list