[cups.general] Security via printers.conf versus cupsd.conf

Michael Sweet msweet at apple.com
Thu Apr 8 17:27:25 PDT 2010


On Apr 8, 2010, at 4:34 PM, John A. Sullivan III wrote:
> After my run in with security in the web interface outlined in a previous thread, I'm left struggling to understand the differences between restricting user access in printers.conf versus cupsd.conf.  What is the difference?

cupsd.conf defines overall policies including whether requests require authentication and what kind of authentication.

printers.conf just defines the user/group list - this can also mostly be done in cupsd.conf via the Require directive, however cupsd.conf only gives you an "allow" list and you can't change it without restarting cupsd.  Location/policy restrictions are also not reflected in the printer list returned by cupsGetDests and friends.

The printers.conf lists are also manipulated via IPP operations so you can grant admin rights just to a particular printer instead of requiring full admin privileges to change cupsd.conf.

> It seems printers.conf can only take user IDs.  So what is the different between allow <username> in printers.conf versus Require <username> in cupsd.conf? Is printers.conf only for visibility or does it actually restrict access, i.e., if I only use printers.conf, and someone sends a print job to the IP address of the printer even though they could not see it in their application, will the job be printed?

Print jobs submitted through the CUPS server will honor the allow/deny list in printers.conf. However, if you don't do authentication the username can be spoofed to get past those restrictions.

Printing direct to the printer bypasses any CUPS limits you set - most controlled print environments use either IP-based ACLs on the printer (only designated servers can connect) or private networks to prevent users from getting past the servers.

> If I use a name restriction in printers.conf and an IP address restriction in cupsd.conf, is it correct to understand that the user must be both the correct named user and sending the print job from an allowed IP address? Thanks - John

Yes, although if the username was allowed but not the IP, the user would still see the printer as available since we don't validate the client's address against the printer's policy.

________________________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair








More information about the cups mailing list