Great!  Thanks Jon!
Guess I never dug deep enough into the conf file to see how it's
actually done - the GUI for the old version always handled things
quite nicely (given our very simple setup).

The syntax is foreign and a bit confusing, so it looks like further
research is in order here to figure it out.

Thanks,
- Larry

Jon Peatfield wrote on 5/29/2009 3:34 PM:
On Fri, 29 May 2009, P. Larry Nelson wrote:

I have a CUPS access control question.

This relates to cups-1.3.7-8.el5_3.4 on a SL 5.1 system fully patched.
This also relates to using CUPS as a printer server where all my other
linux boxes use the browsing feature of CUPS to print thru the print
server.

With an older version of CUPS (1.1.17-13.3.58) I'm currently using
on an older RHEL3 system, I can control access to all our printers
by specifying either a network or specific IP address in a CUPS
white list.  This is done via redhat-config-printer, which has,
via a pulldown menu, a "sharing..." option, which then opens a
box that allows one to specify a single host or a network that
is allowed to access individual print queues.  This is very
important for us in order to keep others, on different networks,
from finding and using our printers (yes, I'm talking about
those crafty grad students in other departments) as well as
allowing (via specific hostname) a user *not* on our network
to print to our printers.

Needing to migrate from RHEL3, I set up a test SL 5.1 box and
was able to duplicate the printer server function of our old
RHEL3 box, *except* that now, with the latest CUPS version,
access control is only by user! - and even that seems to be
broken when going thru system-config-printer.  I'm only able
to add a user via the web interface (http://localhost:631).
That functionality via system-config-printer is grayed out!
And just what does "user" mean?  Where does it look for the
"user" entry one might include?  Passwd file? NIS?
Is the CUPS administrator expected to enter hundreds of user
names?  And what about allowing someone, *not* in our NIS or
passwd file to print to our printers?

Anyway, we need to control access via network and hostname
as in the past.  Is there no way to do that type of access
control anymore?

I don't know about the gui interfaces, but in cupsd.conf for cups 1.3.x you can still use the <Location...> stuff to allow/deny access to specific netblocks or hosts.

We don't do this for specific printers, but we do for access to the entire server using <Location />, e.g (with the addresses hidden)

<Location />
  Order Deny,Allow
  Deny From All
  Allow From 127.0.0.1
  # allow general requests from any host in damtp
  Allow From xxxx/24
  Allow From xxxx/24
  Allow From xxxx/24
  ## # and from the printers (is this actually sensible, probably not!)
  ## Allow From 10.16.1.0/24
  # and from laptop machines (not NAT'd)
  Allow From yyyy/23
  # and from new range for laptop machines (not NAT'd)
  Allow From yyyy/22
  # allow from (hidden) for testing!
  Allow From zzzz
  Allow From zzzz
  Allow From zzzz
</Location>

there used to be a block of comments in the default cupsd.conf which said:

#<Location /printers>
#
# You may wish to limit access to printers and classes, either with Allow
# and Deny lines, or by requiring a username and password.
#
#</Location>

#<Location /printers/name>
#
# You may wish to limit access to printers and classes, either with Allow
# and Deny lines, or by requiring a username and password.
#
#</Location>

so I'd guess that to restrict access to a particular printer called foobar (say) you could use

<Location /printers/foobar>
  Order Deny,Allow
  Deny From All
  Allow From 127.0.0.1
  Allow From ... etc etc
</Location>

All this assumes that you trust the addresses and networks in between :-)

BTW we do the following, which may or may not be sensible for you:

<Location /admin>
  AuthType Basic
  Require user @SYSTEM

  ## Restrict access to localhost
  Order Deny,Allow
  Deny From All
  # MUST not let non-privileged users log into the print server!
  Allow From 127.0.0.1
</Location>

but is good enough for my needs (we only do cups config locally on the print servers and only as SYSTEM users, but then we only use the lpadmin commands etc)...

 -- Jon


--
P. Larry Nelson (217-244-9855) | Systems/Network Administrator
461 Loomis Lab                 | High Energy Physics Group
1110 W. Green St., Urbana, IL  | Physics Dept., Univ. of Ill.
MailTo:[email protected]        | http://www.roadkill.com/lnelson/
-------------------------------------------------------------------
 "Information without accountability is just noise."  - P.L. Nelson
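As an added illustration (not part of either message above, and not CUPS's own code): a small Python model of how cupsd evaluates the Order / Deny / Allow lines in a <Location> block, applied to constructed blocks in the same shape as the ones Jon posted. The 192.0.2.0/24 and 198.51.100.0/23 ranges are documentation placeholders standing in for the hidden xxxx/yyyy netblocks; the longest-matching-Location rule and the Order semantics follow the cupsd.conf man page (Deny,Allow: allowed by default, Deny lines applied, then a matching Allow restores access; Allow,Deny: denied by default, a matching Deny overrides Allow). Hostname, @LOCAL and @IF() operands are not modelled. The useful property it shows is that an explicit `Deny From All` followed by `Allow From` lines, as in both quoted blocks, gives the same answer whichever way the Order defaults are read, whereas swapping Order to Allow,Deny while keeping `Deny From All` locks everyone out, including the ranges you meant to allow.

```python
import ipaddress
import re

# Constructed sample in the style of the blocks quoted in the thread.
# 192.0.2.0/24 and 198.51.100.0/23 are placeholder ranges, not real site addresses.
SAMPLE_CONF = """
<Location />
  Order Deny,Allow
  Deny From All
  Allow From 127.0.0.1
  # department networks (placeholders for the hidden xxxx/yyyy ranges)
  Allow From 192.0.2.0/24
  Allow From 198.51.100.0/23
</Location>

<Location /printers/foobar>
  # tighter rule for one queue: only the first department network
  Order Deny,Allow
  Deny From All
  Allow From 127.0.0.1
  Allow From 192.0.2.0/24
</Location>
"""

# Constructed misconfiguration: Order reversed but "Deny From All" kept.
WRONG_ORDER_CONF = """
<Location />
  Order Allow,Deny
  Deny From All
  Allow From 192.0.2.0/24
</Location>
"""


def parse_locations(text):
    """Parse <Location> blocks into {path: {"order": (a, b), "allow": [...], "deny": [...]}}.

    Only Order, Allow and Deny are handled; comments and other directives
    (AuthType, Require, ...) are ignored for this illustration.
    """
    locations = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"<Location\s+(\S+?)\s*>$", line, re.IGNORECASE)
        if m:
            # assumption for this model: a block with no Order line behaves as Deny,Allow
            current = {"order": ("deny", "allow"), "allow": [], "deny": []}
            locations[m.group(1)] = current
            continue
        if line.lower() == "</location>":
            current = None
            continue
        if current is None:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            first, second = parts[1].lower().split(",")
            current["order"] = (first, second)
        elif key in ("allow", "deny"):
            # cupsd accepts both "Allow From X" and "Allow X"
            operand = parts[2] if parts[1].lower() == "from" else parts[1]
            current[key].append(operand)
    return locations


def rule_matches(client_ip, operand):
    """True if client_ip matches an operand of the forms used above: All, address, or CIDR."""
    if operand.lower() == "all":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in operand:
        return addr in ipaddress.ip_network(operand, strict=False)
    return addr == ipaddress.ip_address(operand)


def is_allowed(client_ip, loc):
    """Deny,Allow: allowed unless denied, but any matching Allow wins.
    Allow,Deny: denied unless allowed, but any matching Deny wins."""
    allowed = any(rule_matches(client_ip, r) for r in loc["allow"])
    denied = any(rule_matches(client_ip, r) for r in loc["deny"])
    if loc["order"] == ("deny", "allow"):
        return allowed or not denied
    return allowed and not denied


def best_location(resource, locations):
    """cupsd applies the Location whose path is the longest prefix of the requested resource."""
    hits = [p for p in locations
            if resource == p or resource.startswith(p.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None


def check(client_ip, resource, conf=SAMPLE_CONF):
    """Return (allowed, matched_location_path) for a client asking for resource."""
    locations = parse_locations(conf)
    path = best_location(resource, locations)
    if path is None:
        return False, None
    return is_allowed(client_ip, locations[path]), path


if __name__ == "__main__":
    for ip, res in [("127.0.0.1", "/printers/foobar"),
                    ("192.0.2.10", "/printers/foobar"),
                    ("198.51.100.7", "/printers/foobar"),  # fine for "/", refused for this queue
                    ("198.51.100.7", "/printers/other"),
                    ("203.0.113.5", "/")]:                 # another network: refused everywhere
        ok, where = check(ip, res)
        print(f"{ip:14} {res:18} -> {'allow' if ok else 'deny':5} via <Location {where}>")
    ok, where = check("192.0.2.10", "/", WRONG_ORDER_CONF)
    print(f"reversed Order with Deny From All -> {'allow' if ok else 'deny'} (lockout)")
```

Running it shows the per-queue block overriding the server-wide one for /printers/foobar, every address outside the listed ranges being refused, and the reversed-Order block refusing even the range it lists. When testing a real cupsd.conf, the same questions (which Location matched, what Order is in force, is there an explicit Deny) are the ones to answer before trusting a rule.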
