How To Allow Printing Jobs From Certain Computers

Created at 12:42 May 10, 2005 by steve, last modified at 12:42 May 10, 2005

To allow printing from certain computers, edit the /etc/cups/cupsd.conf file and find the <Location /> directive.

There you can add or edit the Order, Allow, and Deny directives to your liking. Here are two examples:

# Allow printing from 
#    itself and computers 192.10.2.5 and 192.10.2.6
<Location />
...
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from 192.10.2.5
Allow from 192.10.2.6
</Location>

# Allow printing from 
#    itself and all computers on subnet 192.10.2.x
<Location />
...
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from 192.10.2.0/255.255.255.0
</Location>

To enable the changes in the configuration file, restart the cupsd daemon.

Comments

From boog, 06:59 Jul 17, 2005 (score=3)

Just a suggestion to make configuration easier (at least for me). The deny/allow order is rather counter-intuitive - I always imagine the directives being processed sequentially, so it surprises me that after "deny all", "allow X" does anything. Also, I have still not understood what is supposed to happen if the deny/allow "order" is changed: how does it change default behaviour? And must one change the sequence of the succeeding "deny" and "allow" directives?

It is presumably too late to actually change the logic of this processing, but I would certainly be helped if a more complete explanation of the processing of these directives were given somewhere, along with a sufficient number of concrete examples using different "orders". One good place to include this would be in cupsd.conf (this may be a distribution issue - I use Debian).

From steve, 11:47 Jul 19, 2005 (score=3)

This is in the CUPS Software Administrators Manual:

Allow, Deny - Allow requests from all systems except for those listed in a Deny directive

Deny, Allow - Allow requests only from those listed in an Allow directive

If you're having problems with Debian, contact Debian. You can also look at this article: http://www.cups.org/articles.php?L301+I0+TMine+P1+Q

From boog, 16:28 Aug 10, 2005 (score=3)

Thanks for the reply, but it doesn't allow me to reach a full understanding of how CUPS parses these directives. I think I have found the section in the SAM, which gives no more detail than you quote here (note that some negations are missing from the description of "Deny" in the SAM at http://www.cups.org/doc-1.1/sam.html#Deny). I'm trying to avoid reading the source...

My problem with the explanation is that it doesn't say how _both_ directives are processed. Thus, "Deny, Allow - Allow requests only from those listed in an Allow directive" doesn't explain how Deny directives are processed in this case. Does it imply that the "Deny from All" in the examples is superfluous? More generally, the explanation would suggest that only one kind of directive is ever active (e.g., allow for order deny,allow). Is that true? If so, having both directives in all examples is a little confusing.


From steve, 11:44 Aug 19, 2005 (score=3)

Consider the following case where we want to allow access to all computers on the 192.168.2.0/24 network *except* for 192.168.2.1. You would use:

     Order allow,deny
     Allow from 192.168.2.0/24
     Deny from 192.168.2.1

The code does this for "allow,deny":

     1. status=denied
     2. check all allowed directives, set status=allowed if we have
        a match.
     3. check all denied directives, set status=denied if we have a
        match.

     (in short, default is denied, then check the allowed list, and
      then the denied list)

For "deny,allow", it does:

     1. status=allowed
     2. check all denied directives, set status=denied if we have a
        match.
     3. check all allowed directives, set status=allowed if we have
        a match.

     (in short, default is allowed, then check the denied list, and
      then the allowed list)

The order value just determines the *order* of the checks.


From boog, 16:17 Aug 19, 2005 (score=3)

Dear Steve, I do thank you for taking the time to reply, and I'm probably a moron. But I think this example shows nicely why the syntax is potentially confusing. Thus:

For "deny,allow"

1. status = all allowed
2. deny access from 192.168.2.1
3. allow access from the whole subnet which includes 192.168.2.1

So is access from 192.168.2.1 denied? If I take your explanation literally, access is not denied from this ip, since the last check found an "Allow" match from the whole subnet. Thus, despite a configuration file that explicitly asks for the exclusion of 192.168.2.1, it isn't excluded. Confusing...

My points can be made more generally:

i) Knowing the order of the checks does not define in any obvious way how conflicts between allow and deny are resolved. Does the first match win or the last?? Are all directives processed?? It would be nice if this were clear from the commands or a comment in the configuration file, as well as in the documentation (which for me at least it isn't).

ii) The default behaviour is not apparent from the order directive. Why not simply Deny by default (security) and allow users to compose the rules they desire. You have plenty of powerful rules.

iii) I think the most intuitive approach would be like iptables packet filtering: directives are processed in the order in which they appear and processing stops when a match is found. (Currently they can be read out of the written order, which is another wrong-footing aspect of the current syntax.)

If this suggestion were adopted, the situation intended above could be configured as follows:

# "Deny" and "Allow" directives are processed in the order given 
# and processing halts at the first match (leading to acceptance 
# or denial of the access). If no match is found, access will be
# denied. So the default is equivalent to "Deny All".

Deny from 192.168.2.1
Allow from 192.168.2.0/24
Deny from All # redundant

I believe this would be more intuitive, less ambiguous, and I think it should cover most cases.

Best regards

From steve, 08:54 Aug 22, 2005 (score=3)

You'd be a moron if you didn't ask questions. Does this explanation make more sense?

The Order directive decides how Deny and Allow are processed.

Order Deny, Allow

The Deny directive is looked at first (Don't want to allow access to)

The Allow directive is looked at second (Do want to allow access to)

Order Allow, Deny

The Allow directive is looked at first (Do want to allow access to)

The Deny directive is looked at second (Don't want to allow access to)

Why use one over the other? (Let's look at this example again)

Consider the following case where we want to allow access to all computers on the 192.168.2.0/24 network *except* for 192.168.2.1.  You would use:

    Order Allow,Deny
    Allow from 192.168.2.0/24
    Deny from 192.168.2.1

Why use Order Allow, Deny?

See the above example - it would not be possible to express it with "Order deny,allow" unless you added many Deny or many Allow lines, e.g.:

   Order Deny,Allow
   Deny from all
   Allow from 192.168.2.2
   Allow from 192.168.2.3
   Allow from 192.168.2.4
   ...
   Allow from 192.168.2.253
   Allow from 192.168.2.254


From boog, 13:37 Aug 22, 2005 (score=3)

I have understood, I think. The point I was trying to make was that such filtering could be implemented in several ways (cf iptables for a perfectly logical alternative scheme), and the documentation/config file is not very explicit in describing the processing, so the user (this one at least) is left in some doubt.

Could I suggest amending the doc/.conf along the following lines to make it more explicit? (The bold part I would have found particularly helpful.)

"The Order directive specifies the default action if none of the
subsequent directives match, and how they are processed. For "Order
Allow, Deny", the default is to allow access. For "Order Deny, Allow",
the default is to deny access. Allow and Deny directives are then
processed in the sequence specified by the Order directive (note
that the order in which they are written is irrelevant). When Allow and
Deny directives overlap, the directive processed later overrides the
overlapping parts of the directive processed earlier.

<concrete example like that above?>"

Did you note the mistake in the "Deny" section of the SAM I linked to above?

Description

The Deny directive specifies a hostname, IP address, or network that is
allowed access to the server. Deny directives are cummulative, so
multiple Deny directives can be used to allow access for multiple hosts
or networks

It should surely be "not allow" and "disallow access from" or "deny access from"? A detail: "Cumulative" only has one "m".

Best regards

From steve, 07:17 Aug 23, 2005 (score=3)

If I say Order Deny,Allow...

1) Look at Deny directive

2) Look at Allow directive

It doesn't matter the order I enter it in my file, it recognizes it as determined by the Order directive.

Order Deny,Allow
Deny from all
Allow from 192.168.2.1
(will get the same results as...)

Order Deny,Allow
Allow from 192.168.2.1
Deny from all

The directives are set up to mimic Apache; iptables packet filtering isn't the direction we want to go at this time.

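The three-step evaluation steve lists in his Aug 19 comment, and his Aug 23 point that the written order of the lines does not matter, as an added example that is not part of the original thread and is not CUPS source code. It is a small Python model; the function names and sample configurations are constructed here, and it assumes only IPv4 addresses, networks and "all" appear in the rules.

```python
import ipaddress

def parse_acl(text):
    """Return (order, allow_nets, deny_nets) from Order/Allow/Deny lines."""
    order, nets = None, {"allow": [], "deny": []}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()       # drop comments and blank lines
        if not words:
            continue
        key = words[0].lower()
        if key == "order":
            order = "".join(words[1:]).lower()     # "Deny, Allow" -> "deny,allow"
        elif key in nets:
            target = words[-1].lower()
            if target == "all":
                target = "0.0.0.0/0"
            nets[key].append(ipaddress.ip_network(target, strict=False))
    return order, nets["allow"], nets["deny"]

def is_allowed(text, client):
    """Model of the checks described in the thread; True means access allowed."""
    order, allow, deny = parse_acl(text)
    addr = ipaddress.ip_address(client)
    hit_allow = any(addr in net for net in allow)
    hit_deny = any(addr in net for net in deny)
    if order == "allow,deny":
        status = False                    # 1. status=denied
        status = status or hit_allow      # 2. an Allow match sets allowed
        return status and not hit_deny    # 3. a Deny match sets denied
    if order == "deny,allow":
        status = True                     # 1. status=allowed
        status = status and not hit_deny  # 2. a Deny match sets denied
        return status or hit_allow        # 3. an Allow match sets allowed
    raise ValueError("missing or unknown Order value: %r" % order)

# Constructed configurations, using addresses that appear in the thread.
SUBNET_MINUS_HOST = "Order allow,deny\nAllow from 192.168.2.0/24\nDeny from 192.168.2.1"
SAME_RULES_DENY_ALLOW = SUBNET_MINUS_HOST.replace("allow,deny", "deny,allow")
ALLOWLIST = "Order Deny,Allow\nDeny from all\nAllow from 192.168.2.1"
ALLOWLIST_REVERSED = "Order Deny,Allow\nAllow from 192.168.2.1\nDeny from all"

if __name__ == "__main__":
    configs = {"allow,deny": SUBNET_MINUS_HOST, "same rules, deny,allow": SAME_RULES_DENY_ALLOW,
               "allowlist": ALLOWLIST, "allowlist reversed": ALLOWLIST_REVERSED}
    for name, cfg in configs.items():
        for ip in ("192.168.2.1", "192.168.2.7", "10.0.0.1"):
            print("%-24s %-12s %s" % (name, ip, "allowed" if is_allowed(cfg, ip) else "denied"))
```

In this model the same two rules under "Order deny,allow" admit every client, including 192.168.2.1 and hosts outside the subnet, because no "Deny from all" line overrides the allowed default.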