[cups] Location /jobs security (Unable to send document - Unauthorized)

Michael Sweet msweet at apple.com
Thu Jan 8 12:22:00 PST 2015 

Brandon,

Yes, position matters.  If you want all of the Allow/Deny lines to apply to the Limit subsection then it needs to come at the end...

> On Jan 8, 2015, at 2:39 PM, Haines, Brandan <BAHaines at cooperstandard.com> wrote:
> 
> Michael -
> 
> Thanks for the prompt reply.
> 
> I ran through SEVERAL scenarios to try and get this to work.  Does the position of the other directives matter?
> 
> Something like:
> 
> <Location /jobs>
>  AuthType Basic
>  Encryption Required
>  <Limit GET HEAD>
>   Require group root sys lp
>   Require user lpadmin
>  </Limit GET HEAD>
>  Order Deny,Allow
>  Deny From All
>  Allow From 127.0.0.1
>  Allow From xxx
>  Allow From yyy
>  Allow From zzz
> </Location>
> 
> -Brandan
> 
> 
> 
> -----Original Message-----
> From: cups-bounces at cups.org [mailto:cups-bounces at cups.org] On Behalf Of Michael Sweet
> Sent: Thursday, January 08, 2015 14:00
> To: The CUPS user discussion list.
> Subject: Re: [cups] Location /jobs security (Unable to send document - Unauthorized)
> 
> Brandan,
> 
> Try the Limit directive, e.g.:
> 
>    <Location /jobs>
>    <Limit GET HEAD>
>    ...
>    </Limit>
>    </Location>
> 
> That will address casual web usage at least.
> 
> 
>> On Jan 8, 2015, at 1:48 PM, Haines, Brandan <BAHaines at cooperstandard.com> wrote:
>> 
>> I am at my wits end with this, so I am trying the list.
>> 
>> I have an AIX 7.1 TL3 FP3 server running CUPS 1.6.4
>> 
>> I've been working with it for about a week and I've been successful in getting it to serve up documents that I am sending from another system via LPD when there is no security.
>> 
>> But, the second I add in the following to cupsd.conf:
>> 
>> <Location /jobs>
>> AuthType Basic
>> Encryption Required
>> Require group root sys lp
>> Require user lpadmin
>> Order Deny,Allow
>> Deny From All
>> Allow From 127.0.0.1
>> Allow From xxx
>> Allow From yyy
>> Allow From zzz
>> </Location>
>> 
>> I am no longer able to create jobs.  In fact, pretty much as soon as I add "AuthType Basic" things stop working. I am using inetd and the cups-lpd and can confirm that all of that works just fine.
>> 
>> The message I see in the debug of inetd is:
>> Jan  8 18:24:33 server lpr:err|error cups-lpd[25755706]: Unable to send document - Unauthorized
>> 
>> I am trying to secure the https://server/jobs web address while simultaneously not prohibiting things from creating and sending jobs.  The wacky thing is that if I take out the whole stanza, everything works just fine.  Put it in and error.
>> 
>> Any ideas?
>> 
>> ________________________________
>> This e-mail message is confidential and is intended only for the person(s) named above. If you have received this message in error, please notify the sender immediately and delete/remove it from your computer system. Any reading, distribution, printing or disclosure of this message is strictly prohibited if you are not the intended recipient of this message. Neither this information block, the typed name of the sender, nor anything else in this message is intended to constitute an electronic signature unless a specific statement to the contrary is included in this message.
>> _______________________________________________
>> cups mailing list
>> cups at cups.org
>> https://www.cups.org/mailman/listinfo/cups
> 
> _________________________________________________________
> Michael Sweet, Senior Printing System Engineer, PWG Chair
> 
> _______________________________________________
> cups mailing list
> cups at cups.org
> https://www.cups.org/mailman/listinfo/cups
> 
> This e-mail message is confidential and is intended only for the person(s) named above.  If you have received this message in error, please notify the sender immediately and delete/remove it from your computer system.  Any reading, distribution, printing or disclosure of this message is strictly prohibited if you are not the intended recipient of this message.  Neither this information block, the typed name of the sender, nor anything else in this message is intended to constitute an electronic signature unless a specific statement to the contrary is included in this message.
> _______________________________________________
> cups mailing list
> cups at cups.org
> https://www.cups.org/mailman/listinfo/cups

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair

More information about the cups mailing list