Created at 08:40 Apr 21, 2005 by steve, last modified at 13:46 Nov 14, 2005
If you want certain users to have access to administer printers and nothing else, you need to create a group.
For Linux Users Only:
1) From the command line type:
Then for each user you want to add to that group type:
For example, if I wanted to create a group called printadmin and wanted to add Steve and Debbie to that group, I'd type the following commands:
2) In your cupsd.conf file, add this line:
For MacOS X Users:
1) Use the NetInfo Manager utility to add the group and users to the group.
2) In your cupsd.conf file, add this line:
For All Other Users:
1) Go to the /etc/group file and insert this line format:
For example, if I wanted to create a group named printadmin and wanted to add Steve and Debbie I'd type this:
What does x do?
It just means this group is only for those listed.
What about 9999?
It is a unique number that corresponds to the group name. You can use any number as long as it is not taken. You will be able to see which numbers have been taken.
2) In your cupsd.conf file, add this line:
Hi Folks,
For specific printers, I want specific users to be able to stop and start the printer and manage the printing jobs.
So I tried to add an additional SystemGroup and an additional policy. At the printer I changed the policy from default to the new one. The user is a member of this group ("id username" shows me that).
The problem is that when I try to manage the printer with a user from that group it will not work!? In the error.log it shows me the following:
d [16/Jun/2008:08:52:22 +0200] cupsdAuthorize: Authorization="Basic d2FsY2hlcjprbmFwcCEx"
D [16/Jun/2008:08:52:22 +0200] cupsdAuthorize: username="test"
d [16/Jun/2008:08:52:22 +0200] cupsdIsAuthorized: con->uri="/admin/?op=modify-printer&printer_name=pr76", con->best=0x80bcdd8(/admin)
d [16/Jun/2008:08:52:22 +0200] cupsdIsAuthorized: level=AUTH_USER, type=AUTH_BASIC, satisfy=AUTH_SATISFY_ALL, num_names=2
d [16/Jun/2008:08:52:22 +0200] cupsdIsAuthorized: auth=AUTH_ALLOW...
d [16/Jun/2008:08:52:22 +0200] cupsdIsAuthorized: username="test"
d [16/Jun/2008:08:52:22 +0200] cupsdIsAuthorized: Checking user membership...
d [16/Jun/2008:08:52:22 +0200] cupsdCheckGroup(username="test", user=0xb7d7bd14, groupname="lpadmin")
d [16/Jun/2008:08:52:22 +0200] get_md5_password(username="test", group="lpadmin", passwd=0xbf9aa98b)
d [16/Jun/2008:08:52:22 +0200] cupsdCheckGroup(username="test", user=0xb7d7bd14, groupname="ux_cups_printadmin")
d [16/Jun/2008:08:52:22 +0200] get_md5_password(username="test", group="ux_cups_printadmin", passwd=0xbf9aa98b)
d [16/Jun/2008:08:52:22 +0200] cupsdReadClient: Unauthorized request for /admin/?op=modify-printer&printer_name=pr76...
D [16/Jun/2008:08:52:22 +0200] cupsdSendError: 23 code=401 (Unauthorized)
D [16/Jun/2008:08:52:22 +0200] cupsdCloseClient: 23
I [16/Jun/2008:08:52:22 +0200] cupsdCloseClient: SSL shutdown successful!
-------
Here is an excerpt from the cupsd.conf:
# All administration operations require an adminstrator to authenticate... # Only the administrator can authenticate a job... <Limit All>
...
SystemGroup @ux_cups_printadmin
SystemGroup @lpadmin
...
<Policy test>
# Job-related operations must be done by the owner or an ux_cups_jobadmin or an adminstrator...
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job Pause-Printer Resume-Printer Enable-Printer Activate-Printer Restart-Printer Startup-Printer Cancel-Job>
Require user @OWNER @lpadmin @ux_cups_printadmin
Order deny,allow
</Limit>
<Limit Set-Printer-Attributes Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Shutdown-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
Require user @OWNER @lpadmin @ux_cups_printadmin
Order deny,allow
</Limit>
<Limit CUPS-Authenticate-Job>
Require user @OWNER @lpadmin @ux_cups_printadmin
Order deny,allow
</Limit>
Order deny,allow
</Limit>
</Policy>
I hope someone has a clue how I can fix this!
Thank you! Reply
Beware the -G flag on usermod.
If a user is already a member of a number of supplemental groups, they will have their membership revoked.
A better option might be
Reply
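An added example, not part of the original page or of any comment: it checks a new group's name and GID against /etc/group-style text before building the line the article describes, and computes the full list to give `usermod -G` so a user's existing memberships survive. The sample file contents and the function names are constructed for illustration.

```python
"""Added example: plan a print-admin group from /etc/group-style text."""

# Constructed sample file contents; names and GIDs are illustrative only.
SAMPLE = """\
root:x:0:
lp:x:7:
audio:x:29:steve
video:x:44:steve,debbie
legacy:x:9999:
"""


def parse_group(text):
    """Map group name -> (gid, members). Fields: name:password:GID:members."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.strip().split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def new_group_line(text, name, gid, members):
    """Build the line for a new group, refusing a name or GID already in use."""
    groups = parse_group(text)
    if name in groups:
        raise ValueError(f"group {name!r} already exists")
    owners = [n for n, (g, _) in groups.items() if g == gid]
    if owners:
        raise ValueError(f"GID {gid} is taken by {owners[0]!r}")
    # Second field is the password placeholder, conventionally "x".
    return f"{name}:x:{gid}:{','.join(members)}"


def full_group_list(text, user, extra):
    """Comma list for `usermod -G` that keeps the user's current groups.

    -G replaces the whole supplementary list, so the current groups are
    repeated next to the new one (`usermod -a -G` appends where supported).
    """
    current = [n for n, (_, m) in parse_group(text).items() if user in m]
    if extra not in current:
        current.append(extra)
    return ",".join(current)
```
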
adduser nameofperson nameofgroup
This however does not work (cups1.1.23, SuSe9.3). The following cups.conf:
==========================================================
LogLevel info
Printcap /etc/printcap
User lp
Group lp
RunAsUser Yes
Port 631
BrowseAllow @LOCAL
BrowseDeny All
SystemGroup cups
# <Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 127.0.0.2
Allow From @LOCAL
Allow From 192.168.0.99
Allow From 192.168.0.101
Allow From 192.168.0.103
Allow From 192.168.0.133
</Location>
==================================================================
lets anyone manage printers. Reply
You need to remove the comment (#) in front of <Location /> to have it work. Reply
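An added example, not from the original thread or from CUPS: a small check for the failure in the configuration quoted above, where the opening `<Location />` is commented out and the access rules and closing tag are left outside any section. The function name and the directive list are choices made for this example; the sample text is abbreviated from that configuration.

```python
"""Added example: find access rules that fall outside any section."""
import re

# Abbreviated from the cupsd.conf quoted in the comment above.
BROKEN = """\
SystemGroup cups
# <Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From @LOCAL
</Location>
"""

# Directives that only make sense inside <Location> or <Limit>.
ACCESS_DIRECTIVES = {"order", "allow", "deny", "authtype", "authclass",
                     "authgroupname", "require", "satisfy", "encryption"}
OPEN = re.compile(r"<(Location|Limit|LimitExcept|Policy)\b[^>]*>$", re.I)
CLOSE = re.compile(r"</(Location|Limit|LimitExcept|Policy)>$", re.I)


def lint_cupsd_conf(text):
    """Return sorted (line_number, message) findings for unbalanced sections."""
    findings, stack = [], []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out opening tag is skipped like any comment
        opened, closed = OPEN.match(line), CLOSE.match(line)
        if opened:
            stack.append((opened.group(1), num))
        elif closed:
            tag = closed.group(1)
            if stack and stack[-1][0].lower() == tag.lower():
                stack.pop()
            else:
                findings.append((num, f"</{tag}> has no matching opening tag"))
        elif not stack and line.split()[0].lower() in ACCESS_DIRECTIVES:
            findings.append((num, f"{line.split()[0]} is outside any section"))
    findings += [(n, f"<{t}> is never closed") for t, n in stack]
    return sorted(findings)
```
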
No way to give rights in a more granular way ? Say,
We're not really changing printer configurations doing this. We're just allowing users to start and stop printers and jobs.
In CUPS 1.2, you'll be able to be more specific about a group's allowed functions. Reply
Actually I tried to put the SystemGroup option under <Location /jobs>, with no printing success. I had to put it under <Location /Admin> in order to allow users to manage jobs Reply
Here's my exact problem. I have a printer that, for an unknown reason, self pauses randomly.
Unpausing it requires the rights to access CUPS below /admin/ path, but giving such rights seems to currently also give the right to add and remove printers, for example.
Maybe I should write a script to unpause printers periodically instead... Reply
Currently Mac OS X Server 10.3.x appears to use the syntax "SystemGroup lp,admin" in the cups.conf file. Can someone confirm if this is correct for multiple group names or should it be "SystemGroup lp, admin" with a space after the comma? If the syntax is correct why is root not allowed to admin from the local unit(127.0.0.1:631)? It asks for a user:pass but does not accept any from the "admin" id 80 group? The following is the admin half of the .conf
<Location /admin>
#
# You definitely will want to limit access to the administration functions.
# The default configuration requires a local connection from a user who
# is a member of the system group to do any admin tasks. You can change
# the group name using the SystemGroup directive.
#
AuthType None
AuthClass Anonymous
#
# Restrict access to local domain
Order Deny,Allow
Deny From All
Allow From 192.30.40.169
Allow From 127.0.0.1
#Encryption Required
<Limit GET>
AuthType Basic
AuthClass System
</Limit>
</Location>
#
# End of "$Id: cupsd.conf,v 1.30 2003/07/23 23:14:51 jlovell Exp $".
#
I think I see the conflict with #Encryption Required field active. hmm. Reply
"Currently Mac OS X Server 10.3.x appears to use the syntax "SystemGroup lp,admin" in the cups.conf file. Can someone confirm if this is correct for multiple group names or should it be "SystemGroup lp, admin" with a space after the comma?"
Both spaces and commas are valid delimiters.
"If the syntax is correct why is root not allowed to admin from the local unit(127.0.0.1:631)? It ask for a user:pass but does not accept any from the "admin" id 80 group? The following is the admin half of the .conf"
Basically this is a bug in 10.3.x., see the MacOS X password FAQ: