Policy and Printer Administration

angelb angelb at bugarin.us
Tue Jan 22 09:09:41 PST 2008


> angelb wrote:
> > Hello all.
> >
> > Does anyone know for sure that any printer administration; ie, stop,
> > reject, modify, etc, from the web interface requires an absolute
> > membership to the SystemGroup?

> No, it should use the printer's policy which defines the policy for
> all printer ops.
>

That's what I thought.

Below, we'll see how the policy is used and how CUPS reacts as I add
and remove the user "nonadmin" from the testprint group.

First, some facts:
$ grep nonadmin /etc/passwd
nonadmin:x:12094:12094::/home/nonadmin:/bin/bash

$ grep testprint /etc/group
testprint:x:1839:

#---- Custom Policy Start----#
#
# Set the default printer/job policies...
<Policy testprint>
  # Job-related operations must be done by the owner or an administrator...
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    #
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default Print-Job>
    #
    AuthType Basic
    Require group testprint
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  <Limit All>
    #Order deny,allow
    #
    # Deny everything else
    Order allow,deny
  </Limit>
</Policy>
#
#---- Custom Policy End----#


Now, the first test: the nonadmin account is NOT currently a member of
the testprint group. We'll see that CUPS sees the policy and reports
the error correctly:

Test Page Operation:
...
d [22/Jan/2008:10:36:39 -0600] cupsdIsAuthorized: username="nonadmin"
d [22/Jan/2008:10:36:39 -0600] cupsdIsAuthorized: Checking group membership...
d [22/Jan/2008:10:36:39 -0600] cupsdIsAuthorized: Checking group "testprint" membership...
d [22/Jan/2008:10:36:39 -0600] cupsdCheckGroup(username="nonadmin", user=0xb44078, groupname="testprint")
d [22/Jan/2008:10:36:39 -0600] get_md5_password(username="nonadmin", group="testprint", passwd=0xbfe11580)
d [22/Jan/2008:10:36:39 -0600] cupsdIsAuthorized: User not in group(s)!


Now, the nonadmin user is a member of the testprint group. CUPS now
allows it to send a test page. This, at least, confirms the Policy:

...
d [22/Jan/2008:10:39:48 -0600] cupsdAuthorize: con->uri="/printers/abnull1", con->best=0x8716fb8(/)
d [22/Jan/2008:10:39:48 -0600] cupsdAuthorize: Authorization="Local 89EDAE38DF8DF6960EB618982968776F"
D [22/Jan/2008:10:39:48 -0600] cupsdAuthorize: username="nonadmin"
d [22/Jan/2008:10:39:48 -0600] cupsdIsAuthorized: con->uri="/printers/abnull1", con->best=0x8716fb8(/)
d [22/Jan/2008:10:39:48 -0600] cupsdIsAuthorized: level=AUTH_ANON, type=AUTH_NONE, satisfy=AUTH_SATISFY_ALL, num_names=0
d [22/Jan/2008:10:39:48 -0600] cupsdIsAuthorized: auth=AUTH_ALLOW...
d [22/Jan/2008:10:39:48 -0600] POST /printers/abnull1
d [22/Jan/2008:10:39:48 -0600] CONTENT_TYPE = application/ipp
d [22/Jan/2008:10:39:48 -0600] cupsdReadClient: 13 con->data_encoding=HTTP_ENCODE_LENGTH, con->data_remaining=18666, con->file=-1
d [22/Jan/2008:10:39:48 -0600] cupsdReadClient: 13 REQUEST /var/opt/TWWfsw/cups1212/spool/0000001c=12
d [22/Jan/2008:10:39:48 -0600] cupsdReadClient: 13 writing 18441 bytes to 12
d [22/Jan/2008:10:39:48 -0600] cupsdReadClient: 13 Closing data file 12, size=18441.


Now, testing the same Policy (testprint) but with the Stop Printer
option. We'll see from the next output that CUPS is requiring the user
to be in the "lp" group:

...
d [22/Jan/2008:10:43:41 -0600] cupsdIsAuthorized: username="nonadmin"
d [22/Jan/2008:10:43:41 -0600] cupsdIsAuthorized: Checking group membership...
d [22/Jan/2008:10:43:41 -0600] cupsdIsAuthorized: Checking group "lp" membership...
d [22/Jan/2008:10:43:41 -0600] cupsdCheckGroup(username="nonadmin", user=0xb44078, groupname="lp")
d [22/Jan/2008:10:43:41 -0600] get_md5_password(username="nonadmin", group="lp", passwd=0xbfe14840)
d [22/Jan/2008:10:43:41 -0600] cupsdIsAuthorized: User not in group(s)!


As we can see from the Policy, the group required is explicitly entered
as "testprint".

Where do I make the change so that the Policy will work correctly?

Any suggestion or idea is much appreciated.

Thanks!
Angel
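The following script is an added example and is not part of the post above nor CUPS's own code. It does what the post does by hand: it parses a cupsd.conf <Policy> block into a per-operation Require table, pulls the group checks out of cupsd debug-log lines, and flags any operation where the group the scheduler actually checked is not one the policy names. The policy fragment and log lines are constructed here, modelled on the ones in the post; the mapping of the web-interface actions to IPP operation names (test page as Print-Job, stop printer as Pause-Printer) is an assumption of this example, as cupsd does not print the operation name on the lines shown.

```python
"""Added example: cross-check a cupsd.conf <Policy> block against cupsd
debug-log output to find operations where the group cupsd checked is not
the group the policy requires. Not code from the original post or from CUPS."""
import re

# Constructed cupsd.conf fragment, modelled on the post's testprint policy.
POLICY_TEXT = """
<Policy testprint>
  <Limit Send-Document Send-URI Hold-Job Release-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Print-Job>
    AuthType Basic
    Require group testprint
    Order deny,allow
  </Limit>
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order allow,deny
  </Limit>
</Policy>
"""

# Constructed debug-log lines, modelled on the post's output. The operation
# name keying each request is an assumption of this example (test page as
# Print-Job, stop printer as Pause-Printer); cupsd does not print it here.
LOG_SAMPLES = {
    "Print-Job": [
        'd [22/Jan/2008:10:39:48 -0600] cupsdIsAuthorized: username="nonadmin"',
        'd [22/Jan/2008:10:39:48 -0600] cupsdIsAuthorized: Checking group "testprint" membership...',
        'd [22/Jan/2008:10:39:48 -0600] cupsdIsAuthorized: auth=AUTH_ALLOW...',
    ],
    "Pause-Printer": [
        'd [22/Jan/2008:10:43:41 -0600] cupsdIsAuthorized: username="nonadmin"',
        'd [22/Jan/2008:10:43:41 -0600] cupsdIsAuthorized: Checking group "lp" membership...',
        'd [22/Jan/2008:10:43:41 -0600] cupsdIsAuthorized: User not in group(s)!',
    ],
}

LIMIT_RE = re.compile(r"<Limit\s+([^>]+)>(.*?)</Limit>", re.S)
REQUIRE_RE = re.compile(r"^\s*Require\s+(user|group)\s+(.+?)\s*$", re.M)
USER_RE = re.compile(r'cupsdIsAuthorized: username="([^"]+)"')
GROUP_CHECK_RE = re.compile(r'cupsdIsAuthorized: Checking group "([^"]+)" membership')
DENIED_RE = re.compile(r"cupsdIsAuthorized: User not in group\(s\)!")


def parse_policy(text):
    """Map each operation listed in a <Limit> to its Require directive.

    Returns {op: (kind, names)} where kind is "user", "group" or "none",
    e.g. {"Pause-Printer": ("group", ["testprint"])}. A <Limit> without a
    Require line (like the <Limit All> deny-everything block) gets ("none", []).
    """
    rules = {}
    for limit in LIMIT_RE.finditer(text):
        ops, body = limit.group(1).split(), limit.group(2)
        req = REQUIRE_RE.search(body)
        value = (req.group(1), req.group(2).split()) if req else ("none", [])
        for op in ops:
            rules[op] = value
    return rules


def summarize_request(lines):
    """Extract the user, the groups cupsd checked, and whether it denied."""
    summary = {"user": None, "groups_checked": [], "denied": False}
    for line in lines:
        user = USER_RE.search(line)
        if user:
            summary["user"] = user.group(1)
        group = GROUP_CHECK_RE.search(line)
        if group:
            summary["groups_checked"].append(group.group(1))
        if DENIED_RE.search(line):
            summary["denied"] = True
    return summary


def audit(rules, log_samples):
    """Flag operations whose policy names a group that cupsd never checked.

    Only "Require group" rules are compared; @OWNER/@SYSTEM user rules do not
    name a literal group in the policy, so they are skipped.
    """
    findings = []
    for op, lines in log_samples.items():
        kind, names = rules.get(op, ("none", []))
        if kind != "group":
            continue
        summary = summarize_request(lines)
        expected, checked = set(names), set(summary["groups_checked"])
        if checked and not (checked & expected):
            findings.append({"op": op, "user": summary["user"],
                             "expected_groups": sorted(expected),
                             "checked_groups": sorted(checked),
                             "denied": summary["denied"]})
    return findings


if __name__ == "__main__":
    for f in audit(parse_policy(POLICY_TEXT), LOG_SAMPLES):
        print(f"{f['op']}: policy requires group {f['expected_groups']}, "
              f"cupsd checked {f['checked_groups']} for user {f['user']}, "
              f"denied={f['denied']}")
```

Run against a real cupsd.conf and a debug-level error_log, the useful signal is a finding like the one above: an operation the policy restricts to one group while the log shows a different group being checked, which tells you the request was not evaluated under the policy you expected, before you go looking at which Location or DefaultPolicy block actually matched.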