[cups.general] actions by "anonymous"
Michael Sweet
msweet at apple.com
Tue Feb 15 15:40:21 PST 2011
On Feb 14, 2011, at 1:34 PM, Matt LaPlante wrote:
> Cups 1.4.5
>
> Assuming cupsd.conf contains the following:
>
> <Limit Pause-Printer Resume-Printer Set-Printer-Attributes
> Enable-Printer Disable-Printer Pause-Printer-After-Current-Job
> Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer
> Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer
> Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer
> CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs
> CUPS-Set-Default>
> Satisfy Any
> Allow From @IF(lo)
> AuthType Basic
> Require user @SYSTEM @printer-admins
> Order deny,allow
> </Limit>
>
> Why would the cups log produce the following?
>
> I [14/Feb/2011:21:31:51 +0000] New printer "foo" added by "anonymous".
> I [14/Feb/2011:21:31:54 +0000] Printer "foo" modified by "anonymous".
>
> In fact, most of the actions taken are reported as being done by
> "anonymous" in the log. I reproduced this myself, and I can confirm
> that cups authenticated me prior to letting me add the printer, but it
> apparently did not keep track of my username. If it does not gather
> the username from auth, when would it?
How did you add the printer?
I would expect that the correct username would be logged, however if the actual CUPS-Add-Modify-Printer request was not authenticated then it is entirely possible to get "anonymous" as the username.
FWIW, this kind of policy is a) not recommended for admin operations and b) not normally needed since local access via domain socket can use peer credentials instead of authentication.
________________________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
More information about the cups
mailing list