Policy - from a different angle
angelb
angelb at bugarin.us
Thu Jan 3 09:00:42 PST 2008
Trying to understand how policy works in CUPS, I've slightly changed
the config file so that users in the qadmin group is allowed only two
operations, Enable-Printer and Disable-Printer.
Here's the policy:
<Policy mktgtest>
<Limit Enable-Printer Disable-Printer>
AuthType Basic
Require group qadmin
Order Deny,Allow
Allow From All
</Limit>
<Limit All>
Order Allow,Deny
Deny From All
</Limit>
</Policy>
Now, when trying to stop printer assigned in the mkgtest policy, it
fails and complains:
Unauthorized request for /admin/?op=stop-printer&printer_name=3668-0-p1...
When I include the group qadmin in /admin section, the user can then
stop or start the printers but it could also do other operations not
listed in mkgtest policy; ie Cancel-Job or Cups-Add-Modify-Printer
I thought the last Limit should prevent the user from doing anything
else but that doesn't seems to be the case.
Thanks,
Angel
More information about the cups
mailing list