Policy - User not in group
Michael Sweet
mike at easysw.com
Thu Jan 3 09:24:03 PST 2008
angelb wrote:
>> angelb wrote:
>>> ...
>>> Ok, it would appear I need to have the "qadmin" group included
>>> in /admin. That allowed the user "qadmin1" to stop the printer. But
>>> now, I'm confused why qadmin1 is allowed to stop or start, or any other
>>> options, a printer even if the mktgtest policy only has the following
>>> option:
>>>
>>> <Limit CUPS-Accept-Jobs>
>>> AuthType Basic
>>> Require group qadmin
>>> Order deny,allow
>>> </Limit>
>> Policies do not inherit from the default policy - you need to include
>> all of the default policy in any other policy you define.
>
> That's why I'm confused. Given only one operation to mkgtest policy,
> CUPS-Accept-Jobs, how is it that qadmin1 is able to Disable or Enable
> a printer queue?
Without a <Limit All>, the default is to allow the operation.
> The last Limit in the mkgtest policy is also set to deny for all,
> still, the qadmin1 is able to perform operations not in the mktgtest
> policy limit.
>
> <Limit All>
> Order allow,deny
> </Limit>
Are you accessing from localhost or the domain socket? If so,
the access will be allowed, just like for locations.
--
______________________________________________________________________
Michael Sweet, Easy Software Products mike at easysw dot com
More information about the cups
mailing list