SCIENTIFIC-LINUX-USERS Archives

May 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Jon Peatfield <[log in to unmask]>
Reply To:
Jon Peatfield <[log in to unmask]>
Date:
Fri, 29 May 2009 21:34:40 +0100
Content-Type:
TEXT/PLAIN
Parts/Attachments:
TEXT/PLAIN (112 lines)
On Fri, 29 May 2009, P. Larry Nelson wrote:

> I have a CUPS access control question.
>
> This relates to cups-1.3.7-8.el5_3.4 on a SL 5.1 system fully patched.
> This also relates to using CUPS as a printer server where all my other
> linux boxes use the browsing feature of CUPS to print thru the print
> server.
>
> With an older version of CUPS (1.1.17-13.3.58) I'm currently using
> on an older RHEL3 system, I can control access to all our printers
> by specifying either a network or specific IP address in a CUPS
> white list.  This is done via redhat-config-printer, which has,
> via a pulldown menu, a "sharing..." option, which then opens a
> box that allows one to specify a single host or a network that
> is allowed to access individual print queues.  This is very
> important for us in order to keep others, on different networks,
> from finding and using our printers (yes, I'm talking about
> those crafty grad students in other departments.) as well as
> allowing (via specific hostname) a user *not* on our network
> to print to our printers.
>
> Needing to migrate from RHEL3, I set up a test SL 5.1 box and
> was able to duplicate the printer server function of our old
> RHEL3 box, *except* that now, with the latest CUPS version,
> access control is only by user! - and even that seems to be
> broken when going thru system-config-printer.  I'm only able
> to add a user via the web interface (http://localhost:631).
> That functionality via system-config-printer is grayed out!
> And just what does "user" mean?  Where does it look for the
> "user" entry one might include?  Passwd file? NIS?
> Is the CUPS administrator expected to enter hundreds of user
> names?  And what about allowing someone, *not* in our NIS or
> passwd file to print to our printers?
>
> Anyway, we need to control access via network and hostname
> as in the past.  Is there no way to do that type of access
> control anymore?

I don't know about the gui interfaces, but in cupsd.conf for cups 1.3.x 
you can still use the <Location...> stuff to allow/deny access to specific 
netblocks or hosts.

We don't do this for specific printers, but we do for access to the entire 
server using <Location />, e.g. (with the addresses hidden)

<Location />
   Order Deny,Allow
   Deny From All
   Allow From 127.0.0.1
   # allow general requests from any host in damtp
   Allow From xxxx/24
   Allow From xxxx/24
   Allow From xxxx/24
   ## # and from the printers (is this actually sensible, probably not!)
   ## Allow From 10.16.1.0/24
   # and from laptop machines (not NAT'd)
   Allow From yyyy/23
   # and from new range for laptop machines (not NAT'd)
   Allow From yyyy/22
   # allow from (hidden) for testing!
   Allow From zzzz
   Allow From zzzz
   Allow From zzzz
</Location>

there used to be a block of comments in the default cupsd.conf which said:

#<Location /printers>
#
# You may wish to limit access to printers and classes, either with Allow
# and Deny lines, or by requiring a username and password.
#
#</Location>

#<Location /printers/name>
#
# You may wish to limit access to printers and classes, either with Allow
# and Deny lines, or by requiring a username and password.
#

so I'd guess that to restrict access to a particular printer called foobar 
(say) you could use

<Location /printers/foobar>
   Order Deny,Allow
   Deny From All
   Allow From 127.0.0.1
   Allow From ... etc etc
</Location>

All this assumes that you trust the addresses and networks in between :-)

BTW we do the following, which may or may not be sensible for you:

<Location /admin>
   AuthType Basic
   Require user @SYSTEM

   ## Restrict access to localhost
   Order Deny,Allow
   Deny From All
   # MUST not let non-privileged users log into the print server!
   Allow From 127.0.0.1
</Location>

but it is good enough for my needs (we only do cups config locally on the 
print servers and only as SYSTEM users, but then we only use the lpadmin 
commands etc)...

  -- Jon
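As an added example (not from the post or from CUPS itself), a small Python evaluator that applies the Order/Allow/Deny logic of a cupsd.conf <Location> block to a client address, so an admin can check which hosts reach a queue such as /printers/foobar before relying on the config. It assumes the semantics the post's own configuration depends on, Order Deny,Allow meaning default allow with Deny lines applied first and Allow lines overriding them, handles only All, single-IP and CIDR specs (not hostnames or @LOCAL), and uses the constructed 192.0.2.0/24 range in place of the hidden xxxx/24.

```python
import ipaddress
import re

# Constructed cupsd.conf fragment modeled on the post; 192.0.2.0/24 is a
# documentation range standing in for the hidden xxxx/24 netblock.
SAMPLE_CONF = """
<Location />
   Order Deny,Allow
   Deny From All
   Allow From 127.0.0.1
   Allow From 192.0.2.0/24
   ## Allow From 10.16.1.0/24
</Location>
<Location /admin>
   Order Deny,Allow
   Deny From All
   Allow From 127.0.0.1
</Location>
"""

def parse_locations(text):
    """Map each <Location> path to its Order and its Allow/Deny address specs.
    '#' lines are comments, so the commented-out printer range never becomes a rule."""
    locs, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"<Location\s+(\S+)>", line, re.I)
        if m:
            cur = locs[m.group(1)] = {"order": "deny,allow", "allow": [], "deny": []}
        elif line.lower() == "</location>":
            cur = None
        elif cur is not None and line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            if key.lower() == "order":
                cur["order"] = value.replace(" ", "").lower()
            elif key.lower() in ("allow", "deny"):  # "Allow [From] <spec>"; From is optional
                cur[key.lower()].append(value.split(None, 1)[-1])
    return locs

def _matches(spec, ip):  # handles All, single IPs and CIDR blocks only, not hostnames
    return spec.lower() == "all" or ip in ipaddress.ip_network(spec, strict=False)

def is_allowed(conf_text, path, client_ip):  # longest matching <Location> wins
    locs = parse_locations(conf_text)
    best = max((p for p in locs if p == "/" or path == p or path.startswith(p.rstrip("/") + "/")), key=len)
    rules, ip = locs[best], ipaddress.ip_address(client_ip)
    denied = any(_matches(s, ip) for s in rules["deny"])
    allowed = any(_matches(s, ip) for s in rules["allow"])
    if rules["order"] == "deny,allow":
        return allowed or not denied   # default allow; Deny lines apply, Allow lines override
    return allowed and not denied      # Order Allow,Deny: default deny; Deny overrides Allow
```

Running the checks below against the fragment shows the commented-out printer range does not grant access and that /admin stays localhost-only even for hosts the / block admits.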
