[cups] Allow remote printer admin, but not edit config file

[Helge Blischke]

> Am 04.02.2021 um 15:22 schrieb daku8938 at gmx.de:
> 
> Hello,
> 
> running CUPS 2.2.7 on Ubuntu18 server.
> 
> I want members of the lpadmin user group to have full remote access to manage printers, print-jobs and view log files.
> 
> But those users shall _not_ be allowed to edit (or even view) the /etc/cups/cupsd.conf file and restart cups.
> 
> Here is the /etc/cupsd.conf
> 
> <Location />
>  # Allow remote administration...
>  Order allow,deny
>  Allow all
> </Location>
> 
> <Location /admin>
>  AuthType Default
>  Require user @SYSTEM
>  # Allow remote administration...
>  Order allow,deny
>  Allow all
> </Location>
> 
> <Location /admin/conf>
>  # Allow remote access to the configuration files...
>  Order allow,deny
> </Location>
> 
> <Location /admin/log>
>  AuthType Default
>  Require user @SYSTEM
>  Order allow,deny
>  # Allow remote access to the log files...
>  Order allow,deny
>  Allow all
> </Location>
> 
> I would guess the location /admin/conf/ would be the point to disallow editing the cupsd.conf file via web interface.
> But editing the cupsd.conf goes via /admin/. So here I disallowed /admin/conf/ but it does not have effect.
> 
> So how can I prevent the printer admins from remote editing the cupsd.conf file via web interface and restarting cupsd ?

I’d try something like:

<Location /admin/conf>
Oder allow, deny
Require user somebody at somegroup
</Location>

where somebody and/or some group are user- and group-names unique to the host 
the server is running.

Helge