Great! Thanks Jon!
Guess I never dug deep enough into the conf file to see how it's
actually done - the GUI for the old version always handled things
quite nicely (given our very simple setup).
The syntax is foreign and a bit confusing, so it looks like further
research is in order here to figure it out.
Thanks,
- Larry
Jon Peatfield wrote on 5/29/2009 3:34 PM:
> On Fri, 29 May 2009, P. Larry Nelson wrote:
>
>> I have a CUPS access control question.
>>
>> This relates to cups-1.3.7-8.el5_3.4 on a SL 5.1 system fully patched.
>> This also relates to using CUPS as a printer server where all my other
>> linux boxes use the browsing feature of CUPS to print thru the print
>> server.
>>
>> With an older version of CUPS (1.1.17-13.3.58) I'm currently using
>> on an older RHEL3 system, I can control access to all our printers
>> by specifying either a network or specific IP address in a CUPS
>> white list. This is done via redhat-config-printer, which has,
>> via a pulldown menu, a "sharing..." option, which then opens a
>> box that allows one to specify a single host or a network that
>> is allowed to access individual print queues. This is very
>> important for us in order to keep others, on different networks,
>> from finding and using our printers (yes, I'm talking about
>> those crafty grad students in other departments.) as well as
>> allowing (via specific hostname) a user *not* on our network
>> to print to our printers.
>>
>> Needing to migrate from RHEL3, I set up a test SL 5.1 box and
>> was able to duplicate the printer server function of our old
>> RHEL3 box, *except* that now, with the latest CUPS version,
>> access control is only by user! - and even that seems to be
>> broken when going thru system-config-printer. I'm only able
>> to add a user via the web interface (http://localhost:631).
>> That functionality via system-config-printer is grayed out!
>> And just what does "user" mean? Where does it look for the
>> "user" entry one might include? Passwd file? NIS?
>> Is the CUPS administrator expected to enter hundreds of user
>> names? And what about allowing someone, *not* in our NIS or
>> passwd file to print to our printers?
>>
>> Anyway, we need to control access via network and hostname
>> as in the past. Is there no way to do that type of access
>> control anymore?
>
> I don't know about the gui interfaces, but in cupsd.conf for cups 1.3.x
> you can still use the <Location...> stuff to allow/deny access to
> specific netblocks or hosts.
>
> We don't do this for specific printers, but we do for access to the
> entire server using <Location />, e.g. (with the addresses hidden)
>
> <Location />
> Order Deny,Allow
> Deny From All
> Allow From 127.0.0.1
> # allow general requests from any host in damtp
> Allow From xxxx/24
> Allow From xxxx/24
> Allow From xxxx/24
> ## # and from the printers (is this actually sensible, probably not!)
> ## Allow From 10.16.1.0/24
> # and from laptop machines (not NAT'd)
> Allow From yyyy/23
> # and from new range for laptop machines (not NAT'd)
> Allow From yyyy/22
> # allow from (hidden) for testing!
> Allow From zzzz
> Allow From zzzz
> Allow From zzzz
> </Location>
>
> there used to be a block of comments in the default cupsd.conf which said:
>
> #<Location /printers>
> #
> # You may wish to limit access to printers and classes, either with Allow
> # and Deny lines, or by requiring a username and password.
> #
> #</Location>
>
> #<Location /printers/name>
> #
> # You may wish to limit access to printers and classes, either with Allow
> # and Deny lines, or by requiring a username and password.
> #
>
> so I'd guess that to restrict access to a particular printer called
> foobar (say) you could use
>
> <Location /printers/foobar>
> Order Deny,Allow
> Deny From All
> Allow From 127.0.0.1
> Allow From ... etc etc
> </Location>
>
> All this assumes that you trust the addresses and networks in between :-)
>
> BTW we do the following, which may or may not be sensible for you:
>
> <Location /admin>
> AuthType Basic
> Require user @SYSTEM
>
> ## Restrict access to localhost
> Order Deny,Allow
> Deny From All
> # MUST not let non-privileged users log into the print server!
> Allow From 127.0.0.1
> </Location>
>
> but is good enough for my needs (we only do cups config locally on the
> print servers and only as SYSTEM users, but then we only use the lpadmin
> commands etc)...
>
> -- Jon
--
P. Larry Nelson (217-244-9855) | Systems/Network Administrator
461 Loomis Lab | High Energy Physics Group
1110 W. Green St., Urbana, IL | Physics Dept., Univ. of Ill.
MailTo:[log in to unmask] | http://www.roadkill.com/lnelson/
-------------------------------------------------------------------
"Information without accountability is just noise." - P.L. Nelson
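The <Location> / Order / Deny / Allow logic Jon describes is easy to get subtly wrong (which block applies to a given queue, and what the default is when nothing matches), so here is a small checker, added to this thread as an example and not part of either poster's configuration. It parses a cupsd.conf-style fragment and reports whether a client address would be allowed to reach a given path. The sample config, the queue name foobar and the RFC 5737 documentation addresses are all constructed; the semantics assumed are the documented ones (Deny,Allow is open by default with Allow overriding Deny; Allow,Deny is closed by default with Deny overriding Allow; the Location with the longest matching path prefix wins). Hostname operands and the @LOCAL / @IF(...) forms are not resolved here, so they never match.

```python
import ipaddress
import re

# Constructed sample cupsd.conf fragment in the style of the quoted config.
# Addresses are RFC 5737 documentation ranges, not a real site's.
SAMPLE_CONF = """
<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
# department subnet
Allow From 192.0.2.0/24
# laptop range
Allow From 198.51.100.0/23
</Location>

# tighter rule for one queue: only the lower half of the department subnet
<Location /printers/foobar>
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 192.0.2.0/25
</Location>
"""


def parse_locations(text):
    """Parse <Location> blocks into {path: {"order": (a, b), "allow": [...], "deny": [...]}}."""
    locations = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, as cupsd does
        if not line:
            continue
        start = re.match(r"<Location\s+(\S+)>", line, re.IGNORECASE)
        if start:
            # assumption: default order when no Order line is given is Deny,Allow
            current = {"order": ("deny", "allow"), "allow": [], "deny": []}
            locations[start.group(1)] = current
            continue
        if line.lower() == "</location>":
            current = None
            continue
        if current is None:
            continue   # directives outside any Location block are not access rules
        parts = line.split()
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            first, second = parts[1].lower().split(",")
            current["order"] = (first, second)
        elif key in ("allow", "deny"):
            # accept both "Allow From X" and the short "Allow X" form
            current[key].append(parts[-1])
    return locations


def rule_matches(rule, client):
    """True if an Allow/Deny operand covers client. Hostname operands are not
    resolved here (cupsd would do a reverse lookup), so they never match."""
    if rule.lower() == "all":
        return True
    try:
        return client in ipaddress.ip_network(rule, strict=False)
    except ValueError:
        return False


def best_location(locations, path):
    """The Location whose path is the longest prefix of the request path applies."""
    hits = [p for p in locations
            if p == "/" or path == p or path.startswith(p.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None


def is_allowed(locations, path, client_ip):
    """Evaluate Order/Allow/Deny for one client address against one resource path."""
    loc = best_location(locations, path)
    if loc is None:
        return True   # assumption: no block applies, so nothing restricts the request
    rules = locations[loc]
    client = ipaddress.ip_address(client_ip)
    hit_allow = any(rule_matches(r, client) for r in rules["allow"])
    hit_deny = any(rule_matches(r, client) for r in rules["deny"])
    if rules["order"] == ("deny", "allow"):
        # Deny,Allow: open by default, Deny lines close it, Allow lines reopen it.
        return True if hit_allow else not hit_deny
    # Allow,Deny: closed by default, Allow lines open it, a Deny match wins.
    return hit_allow and not hit_deny


if __name__ == "__main__":
    locs = parse_locations(SAMPLE_CONF)
    for path, ip in [("/printers/foobar", "192.0.2.10"),
                     ("/printers/foobar", "192.0.2.200"),
                     ("/printers/other", "192.0.2.200"),
                     ("/printers/other", "203.0.113.5")]:
        verdict = "allow" if is_allowed(locs, path, ip) else "deny"
        print(f"{ip:>14} -> {path:<17} {verdict}")
```

Running it shows the point Jon makes about per-printer blocks: 192.0.2.200 can reach /printers/other through the site-wide <Location /> rules but is refused on /printers/foobar, because the more specific block replaces, rather than adds to, the rules of the parent path. The same idea works as a quick audit against a real cupsd.conf: feed the file in and check the addresses you expect to be refused (other departments' ranges, the printers' own subnet) actually are.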