[cups] Allow remote printer admin, but not edit config file
Helge Blischke
helgeblischke at web.de
Mon Feb 8 08:54:37 PST 2021
> Am 05.02.2021 um 11:37 schrieb daku8938 at gmx.de:
>
> Thanks Helge, unfortunately I cannot see how your answer relates to my question.
>
> Currently, access to /admin/conf/ ist forbidden for everyone (see my posted config).
> This is wanted and works.
>
> But unfortunately, that does not prevent users in the @SYSTEM group from editing the cupsd.conf file vie web GUI,
> because it looks like that goes over /admin/ and @SYSTEM group users have access to /admin/, because access to /admin/ is needed to administrate printers.
>
> So how can users in the @SYSTEM group be allowed to administrate printers, but not edit cupsd.conf file ?
>
> Because in cupsd.conf there is ACL configuration, and people could give themselves or others more privileges, but that shall not be.
>
>
>> I’d try something like:
>>
>> <Location /admin/conf>
>> Oder allow, deny
>> Require user somebody at somegroup
>> </Location>
>>
>> where somebody and/or some group are user- and group-names unique to the host
>> the server is running.
>>
>> Helge
>>
>> _______________________________________________
>> cups mailing list
>> cups at cups.org
>> https://lists.cups.org/mailman/listinfo/cups
>>
> _______________________________________________
Sorry, I forgot the „|“ in the require line; you can specify either a (list of) user name(s) or group name(s).
If that does not work, I’d suggest to file an error; it might be an issue with the cgi programs which do the web interface
operations.
Helge
More information about the cups
mailing list