http://bugzilla.novell.com/show_bug.cgi?id=614779
http://bugzilla.novell.com/show_bug.cgi?id=614779#c7
--- Comment #7 from Johannes Meixner 2010-06-17 14:39:41 UTC ---
Regarding having cupsGetDevices() authorized for everybody by default:
This would circumvent the CUPS default policy, see
http://www.cups.org/documentation.php/doc-1.4/policies.html
A CUPS-Get-Devices request lets the cupsd launch cups-deviced, see
http://www.cups.org/documentation.php/doc-1.4/man-cups-deviced.html
which executes each executable file in /usr/lib/cups/backend/
In the end this is the same as what "/usr/sbin/lpinfo -v" does.
This is by default forbidden by the cupsd for normal users
via this default entry in /etc/cups/cupsd.conf
(long lines are shown wrapped here):
---------------------------------------------------------------------
# Administrator user group...
SystemGroup sys root
.
.
.
<Policy default>
...
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class
CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
---------------------------------------------------------------------
If you don't like the restrictions of the CUPS default policy,
have a look at /etc/cups/cupsd.conf what I already provide:
---------------------------------------------------------------------
# The policy below is added by openSUSE/Novell during build
# of our cups package.
# The policy 'allowallforanybody' is totally open and insecure
# and therefore it can only be used within an internal network
# where only trusted users exist and where the cupsd is not accessible
# at all from any external host.
# Have in mind that any user who is allowed to do printer admin tasks
# can change the print queues as he likes (e.g. send copies of confidential
# print jobs from an internal network to any external destination).
# For documentation regarding 'Managing Operation Policies' see
# http://www.cups.org/documentation.php/doc-1.4/policies.html
<Policy allowallforanybody>
<Limit All>
Order deny,allow
Allow from all
</Limit>
</Policy>
# Explicitly set the CUPS 'default' policy to be used by default:
DefaultPolicy default
# End of additions by openSUSE/Novell.
---------------------------------------------------------------------
A single authentication as root to launch the YaST printer module
and then only a few clicks to switch to the "allowallforanybody"
policy and afterwards everything regarding printer setup just works
as our usual desktop users like it so much... ;-)
FYI:
How it looks for me on openSUSE 11.3 milestone 7:
-----------------------------------------------------------------------
burns:~ # /usr/sbin/lpinfo -v
network http
direct scsi
network lpd
network smb
network ipp
network socket
direct usb://HP/LaserJet%201020
network beh
direct parallel:/dev/lp0
direct hp:/usb/HP_LaserJet_1020?serial=JL50HRE
direct hpfax
network socket://10.10.1.83
network socket://10.10.101.245
network socket://10.10.2.255
network socket://10.10.222.4
network socket://10.10.4.4
burns:~ # su - johannes
johannes@burns:~> /usr/sbin/lpinfo -v
lpinfo: Forbidden
johannes@burns:~> groups
users video
-----------------------------------------------------------------------
In contrast after I added "johannes" in /etc/group to the group "sys":
-----------------------------------------------------------------------
johannes@burns:~> groups
users sys video
johannes@burns:~> /usr/sbin/lpinfo -v
network http
direct scsi
network lpd
network ipp
network socket
network smb
direct usb://HP/LaserJet%201020
network beh
direct parallel:/dev/lp0
direct hp:/usb/HP_LaserJet_1020?serial=JL50HRE
direct hpfax
network socket://10.10.1.83
network socket://10.10.2.255
network socket://10.10.222.4
-----------------------------------------------------------------------
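An added example (not part of the bug comment or of the openSUSE cups package): a small Python check that reads cupsd.conf-style text and reports whether CUPS-Get-Devices is reachable without a Require directive under the active policy. The function names and the sample text are constructed here, and the rule that a Limit naming the operation takes precedence over "Limit All" is an assumption of this check.

```python
# Constructed sample built from the two policies quoted in the comment above.
SAMPLE_CONF = """\
<Policy default>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
</Policy>
<Policy allowallforanybody>
<Limit All>
Order deny,allow
Allow from all
</Limit>
</Policy>
DefaultPolicy default
"""

def parse_policies(text):
    """Return (DefaultPolicy name, {policy: [(operations, directives), ...]})."""
    policies, default, policy, limit = {}, "default", None, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<policy "):
            policy = policies.setdefault(line[8:-1].strip(), [])
        elif line.lower().startswith("<limit "):
            limit = (line[7:-1].lower().split(), {})
        elif line.lower() == "</limit>":
            if policy is not None and limit:
                policy.append(limit)
            limit = None
        elif line.lower() == "</policy>":
            policy = None
        elif limit is not None:
            limit[1][line.split()[0].lower()] = line
        elif line.lower().startswith("defaultpolicy "):
            default = line.split(None, 1)[1]
    return default, policies

def open_to_anybody(text, policy=None, op="CUPS-Get-Devices"):
    """True if the Limit covering op in the policy has no Require directive."""
    default, policies = parse_policies(text)
    limits = policies.get(policy or default, [])
    # Assumption: a Limit naming the operation wins over a "Limit All" block.
    named = [d for ops, d in limits if op.lower() in ops]
    hit = named or [d for ops, d in limits if "all" in ops]
    return bool(hit) and "require" not in hit[0]
```

Calling `open_to_anybody(open("/etc/cups/cupsd.conf").read())` applies the same check to a live configuration; a True result corresponds to the situation where `lpinfo -v` works for an unprivileged user.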