[cups] Query regarding setting up common Interface for print jobs

Johannes Meixner jsmeix at suse.de
Wed Aug 23 02:30:34 PDT 2017 

Hello,

On Aug 22 15:07 Brian Potkin wrote (excerpt):
> I am assuming a single queue "printq" is visible in the print dialogs
> of the applications. On a per-user basis one could set Firefox to print
> with PageSize=A and Evince to print with PageSize=B. If one wants these
> options to be enforcable by an administrator I see no way to do it
> which cannot be altered by a user via the application's print options
> or lpoptions.

right - unless one patches Firefox and Evince - and except applications
that support system config files where the administrator could enforce
settings that cannot be changed by the user.

> printq is a virtual queue set up with the Tea4CUPS backend. A pre-hook
> examines PageSize and directs the job to a queue for printer C or D
> depending on its value, at the same time changing PageSize to something
> sensible.

Perhaps it is in practice a sufficient solution to avoid that users
alter the special print job option setting in arbitrary ways when
the pre-hook examines the print job options and if the special print
job option does not exist or has a wrong value, then the job is
not forwarded to the actual printer.

Then users could still alter the special print job option setting
to print on the other actual printer but then I think it is an
intentional setting  by the user that he really wants to get this
particular job printed on the other actual printer and in general
I think a user's explicit intent/request should be respected.


Also special setup is needed to enforce that normal users
cannot directly print to the queues for the actual printers.

I assume the Tea4CUPS backend runs as user 'lp' and then
it should work to set up the queues for the actual printers
so that only 'lp' is allowed to print to them via something
like "lpadmin ... -u allow:lp".

If everything works as I hope it does then the queues for the
actual printers would even not show up in the user application's
print dialogs because user print dialogs should not show queues
where the user is not allowed to submit print jobs.


Finally to be 100% safe against possible user-misuse one would
have to ensure that the actual printer devices accept data
only from the CUPS server to avoid that users print directly
to the actual printer devices, e.g. for network printers via
"netcat network.printer.IP.address 9100 < selfmade.print.data"


Kind Regards
Johannes Meixner
-- 
SUSE LINUX GmbH - GF: Felix Imendoerffer, Jane Smithard,
Graham Norton - HRB 21284 (AG Nuernberg)

More information about the cups mailing list