SCIENTIFIC-LINUX-USERS Archives

June 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: "P. Larry Nelson" <[log in to unmask]>
Reply To: P. Larry Nelson
Date: Tue, 2 Jun 2009 16:41:57 -0500
Great!  Thanks Jon!
Guess I never dug deep enough into the conf file to see how it's
actually done - the GUI for the old version always handled things
quite nicely (given our very simple setup).

The syntax is foreign and a bit confusing, so it looks like further
research is in order here to figure it out.

Thanks,
- Larry

Jon Peatfield wrote on 5/29/2009 3:34 PM:
> On Fri, 29 May 2009, P. Larry Nelson wrote:
> 
>> I have a CUPS access control question.
>>
>> This relates to cups-1.3.7-8.el5_3.4 on a SL 5.1 system fully patched.
>> This also relates to using CUPS as a printer server where all my other
>> linux boxes use the browsing feature of CUPS to print thru the print
>> server.
>>
>> With an older version of CUPS (1.1.17-13.3.58) I'm currently using
>> on an older RHEL3 system, I can control access to all our printers
>> by specifying either a network or specific IP address in a CUPS
>> white list.  This is done via redhat-config-printer, which has,
>> via a pulldown menu, a "sharing..." option, which then opens a
>> box that allows one to specify a single host or a network that
>> is allowed to access individual print queues.  This is very
>> important for us in order to keep others, on different networks,
>> from finding and using our printers (yes, I'm talking about
>> those crafty grad students in other departments.) as well as
>> allowing (via specific hostname) a user *not* on our network
>> to print to our printers.
>>
>> Needing to migrate from RHEL3, I set up a test SL 5.1 box and
>> was able to duplicate the printer server function of our old
>> RHEL3 box, *except* that now, with the latest CUPS version,
>> access control is only by user! - and even that seems to be
>> broken when going thru system-config-printer.  I'm only able
>> to add a user via the web interface (http://localhost:631).
>> That functionality via system-config-printer is grayed out!
>> And just what does "user" mean?  Where does it look for the
>> "user" entry one might include?  Passwd file? NIS?
>> Is the CUPS administrator expected to enter hundreds of user
>> names?  And what about allowing someone, *not* in our NIS or
>> passwd file to print to our printers?
>>
>> Anyway, we need to control access via network and hostname
>> as in the past.  Is there no way to do that type of access
>> control anymore?
> 
> I don't know about the gui interfaces, but in cupsd.conf for cups 1.3.x 
> you can still use the <Location...> stuff to allow/deny access to 
> specific netblocks or hosts.
>
> We don't do this for specific printers, but we do for access to the 
> entire server using <Location />, e.g (with the addresses hidden)
> 
> <Location />
>   Order Deny,Allow
>   Deny From All
>   Allow From 127.0.0.1
>   # allow general requests from any host in damtp
>   Allow From xxxx/24
>   Allow From xxxx/24
>   Allow From xxxx/24
>   ## # and from the printers (is this actually sensible, probably not!)
>   ## Allow From 10.16.1.0/24
>   # and from laptop machines (not NAT'd)
>   Allow From yyyy/23
>   # and from new range for laptop machines (not NAT'd)
>   Allow From yyyy/22
>   # allow from (hidden) for testing!
>   Allow From zzzz
>   Allow From zzzz
>   Allow From zzzz
> </Location>
> 
> there used to be a block of comments in the default cupsd.conf which said:
> 
> #<Location /printers>
> #
> # You may wish to limit access to printers and classes, either with Allow
> # and Deny lines, or by requiring a username and password.
> #
> #</Location>
> 
> #<Location /printers/name>
> #
> # You may wish to limit access to printers and classes, either with Allow
> # and Deny lines, or by requiring a username and password.
> #
> 
> so I'd guess that to restrict access to a particular printer called 
> foobar (say) you could use
> 
> <Location /printers/foobar>
>   Order Deny,Allow
>   Deny From All
>   Allow From 127.0.0.1
>   Allow From ... etc etc
> </Location>
> 
> All this assumes that you trust the addresses and networks in between :-)
> 
> BTW we do the following, which may or may not be sensible for you:
> 
> <Location /admin>
>   AuthType Basic
>   Require user @SYSTEM
> 
>   ## Restrict access to localhost
>   Order Deny,Allow
>   Deny From All
>   # MUST not let non-privileged users log into the print server!
>   Allow From 127.0.0.1
> </Location>
> 
> but is good enough for my needs (we only do cups config locally on the 
> print servers and only as SYSTEM users, but then we only use the lpadmin 
> commands etc)...
> 
>  -- Jon


-- 
P. Larry Nelson (217-244-9855) | Systems/Network Administrator
461 Loomis Lab                 | High Energy Physics Group
1110 W. Green St., Urbana, IL  | Physics Dept., Univ. of Ill.
MailTo:[log in to unmask]        | http://www.roadkill.com/lnelson/
-------------------------------------------------------------------
  "Information without accountability is just noise."  - P.L. Nelson
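The Order/Allow/Deny evaluation Jon's blocks rely on can be checked offline before touching a live cupsd. The Python below is an added example, not code from the thread or from CUPS: it models the Apache-style semantics CUPS applies to a Location block (under Order Deny,Allow the default is allow, Deny lines restrict, and a matching Allow line wins), which is exactly why the "Deny From All" line matters. The /printers/foobar name comes from the thread; the addresses are constructed RFC 5737 ranges standing in for the hidden ones.

```python
import ipaddress

# Constructed cupsd.conf fragment in the per-printer pattern from the thread.
PRINTER_FOOBAR = """
<Location /printers/foobar>
  Order Deny,Allow
  Deny From All
  Allow From 127.0.0.1
  Allow From 192.0.2.0/24      # department network (constructed)
  Allow From 198.51.100.77     # one off-network host (constructed)
</Location>
"""

# Same block with "Deny From All" dropped: under Order Deny,Allow this admits everyone.
NO_DENY_ALL = PRINTER_FOOBAR.replace("  Deny From All\n", "")

def parse_location(text):
    """Return (order, rules) for one <Location> block; rules are ("allow"|"deny", target)."""
    order, rules = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith("<"):         # skip the <Location> tags
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "order":
            order = value.replace(" ", "").lower()
        elif key in ("allow", "deny"):
            if value.lower().startswith("from "):   # tolerate "Allow From x" and "Allow x"
                value = value[5:].strip()
            rules.append((key, value))
    if order not in ("deny,allow", "allow,deny"):
        raise ValueError("block needs 'Order Deny,Allow' or 'Order Allow,Deny'")
    return order, rules

def _matches(target, client):
    """True if target ("All", an address or a CIDR block) covers the client; hostnames not modelled."""
    return target.lower() == "all" or client in ipaddress.ip_network(target, strict=False)

def access_allowed(block_text, client_ip):
    """Evaluate the rules exactly as written (assumption: no built-in localhost exception)."""
    order, rules = parse_location(block_text)
    client = ipaddress.ip_address(client_ip)
    allow_hit = any(_matches(t, client) for k, t in rules if k == "allow")
    deny_hit = any(_matches(t, client) for k, t in rules if k == "deny")
    if order == "deny,allow":
        # allowed by default; Deny lines restrict and a matching Allow line wins
        return allow_hit or not deny_hit
    # allow,deny: denied by default; Allow lines grant and a matching Deny line wins
    return allow_hit and not deny_hit
```

Running access_allowed(NO_DENY_ALL, "198.51.100.5") shows the failure mode: without the explicit Deny line an address outside every Allow range is still admitted.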
