[cups.general] coercing owner of a job to another username

alet at librelogiciel.com
Mon Aug 9 15:17:31 PDT 2010


On Mon, Aug 09, 2010 at 02:46:00PM -0700, cowbert wrote:
> Is there a way to take the submitted username of a job (which can be
> arbitrary, if the user is a remote client printing to the cups printer),
> and coerce in cups so that the rest of the cups system sees the print
> job as being queued by a local user? Like user 'alice'@remote.domain
> prints to my cups server but I want her job to show up in the queue as
> being queued by 'nobody'.
>
> The way we wish to deploy papercut with unauthenticated release
> stations makes it so that we can have arbitrary people come in and
> release any job at the release station but papercut always looks up the
> user submitted by cups, which can either not exist or even be wrong (if
> there are 2 users named 'alice', then papercut will think they are the
> same user). People release their jobs at the release station based on
> other identifying information (document name, hostname, timestamp)
>
> We wish to do this in the absence of any other network authentication
> (no AD no krb), all access control is physical.
>
> In samba we do this by setting the queue up to be guest only = ok and
> then set the guest user as 'nobody' so all jobs being spooled through
> samba show up as being owned by user nobody. We would like to have the
> same mechanism directly via CUPS should someone decide to add the
> printer via IPP.

Well, obviously I can't help you much with papercut, but I do something
similar here with PyKota in order to force the username when it comes
from a machine for which either :

  * The end user is or can be administrator (so he could impersonate
    other users), be it under GNU/Linux, MacOSX, or Windows.

or

  * The user name he logs in with isn't in our LDAP server.

Whenever this is the case, we override the username with one based on
the remote user and host name through a static text file containing a
mapping like (these are not email addresses,
but 'remoteuser@remotehost      localuser') :

gandalf@example.com  john
*@localhost          root
remroot@*            root
jake-*@example.com   jake

PyKota includes a functionality to do just this (and many more ;-), but
if papercut doesn't you can easily simulate it anyway for free with the
help of Tea4CUPS (http://www.pykota.com/software/tea4cups) :

  * Unpublish your real print queue, so that only localhost
    (CUPS+Papercut) will be allowed to print to it.

  * Create a new print queue (FakeQueue) managed by Tea4CUPS, whose
    DeviceURI points to nowhere :

         tea4cups://

  * Create /etc/cups/tea4cups.conf with something like :
--- CUT ---
[global]
directory : /tmp
keepfiles : no
debug : yes

[FakeQueue]
prehook_username : /usr/bin/lp -U `/usr/local/bin/getrealusername.sh` -d RealQueue $TEADATAFILE
--- CUT ---

Then write /usr/local/bin/getrealusername.sh as you see fit. It can
extract a number of environment variables beginning with 'TEA' to do its
job, see the default tea4cups.conf file for the documentation. It can,
as we do here, also track anomalies, support wildcards, etc...

What this will do is simply requeue your print job to the real print
queue using a different username.

Then publish the FakeQueue print queue, and ensure everyone prints to
it.

NB : you could even have a single prehook_ line for all your print
queues if your naming scheme is consistent and the name of the real
queue can be extracted from the name of the fake one. Since you can
define any command of yours in this prehook_ setting, doing so is left
as an exercise :-)

Problem solved.

hth

Jerome Alet
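
Added example, not part of the original message and not PyKota or Tea4CUPS code: one possible /usr/local/bin/getrealusername.sh doing the first-match wildcard lookup described above. Assumptions: the variable names TEAUSERNAME and TEACLIENTHOST (check them against the default tea4cups.conf), the map file path /etc/cups/usermap.txt, and 'nobody' as the fallback owner. Because the remote name is client-supplied and the result is substituted into the lp command line, anything unexpected falls back to 'nobody'.

```shell
#!/bin/sh
# Sketch of getrealusername.sh (added example; names below are assumptions).
MAPFILE="${MAPFILE:-/etc/cups/usermap.txt}"   # hypothetical map file path
FALLBACK="nobody"                             # owner for unmapped jobs

# map_username REMOTEUSER REMOTEHOST MAPFILE -> prints the local owner
map_username() {
    # A client-supplied name containing '@' could fake the host part of
    # the lookup key (e.g. "x@localhost"), so it is never mapped.
    case "$1" in
        *@*) printf '%s\n' "$FALLBACK"; return 0 ;;
    esac
    key="$1@$2"
    result="$FALLBACK"
    if [ -r "$3" ]; then
        # Each line: 'pattern localuser'; first matching pattern wins.
        while read -r pattern localuser rest || [ -n "$pattern" ]; do
            case "$pattern" in
                ''|'#'*) continue ;;          # skip blanks and comments
            esac
            # $pattern is left unquoted on purpose so that '*' in the
            # map file acts as a wildcard against the literal key.
            case "$key" in
                $pattern) result="$localuser"; break ;;
            esac
        done < "$3"
    fi
    # The result lands on the lp command line: accept only a plain
    # account name, never an empty string or something starting with '-'.
    case "$result" in
        ''|-*|*[!A-Za-z0-9_.-]*) result="$FALLBACK" ;;
    esac
    printf '%s\n' "$result"
}

# Tea4CUPS exports TEA* variables to the hook (names assumed here).
map_username "${TEAUSERNAME:-}" "${TEACLIENTHOST:-}" "$MAPFILE"
```
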




