Configure CUPS to Disable authentications

Hi everyone,
I have a small office where only 3 people work: my wife, my daughter, and me.
I want to enter with the browser on “server:631” and, without a password, get complete access to:

Remove tasks in the spool, no matter who started the job.
Re-enable printers
Pause printers

If possible, everything in CUPS, but at minimum this.

My family is not skilled with Linux and doesn't know what cupsenable or lprm is, and also doesn't know what it is to ssh in as root to do these things.

Thank you in advance

CUPS admin privileges are defined in /etc/cups/cupsd.conf. There are various ways users can get increased privileges with CUPS, but be aware that with increased privileges (=convenience) can come security risks. The following section in /etc/cups/cupsd.conf determines who can do some of the things you referred to in your opening post:

# All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

You could remove the functions that you don’t want restricted, e.g. ‘Pause-Printer’, ‘Resume-Printer’, ‘Enable-Printer’, ‘Disable-Printer’:

# All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

You’d need to edit this file with root privileges, then restart CUPS with

sudo systemctl restart cups

There used to be a section that looked like this


# Administrator user group...
SystemGroup sys root

Users that were members of the ‘sys’ group had CUPS administrator privileges. It doesn’t seem to be present in cupsd.conf any more. However, you could reinstate this I guess, and then add the users to that group. It would take effect the next time they logged in.

Some years ago I had what may have been a similar situation and tackled it differently. A managing director set up a home office with a local printer. Her husband and then young daughter would jam the print queue by trying to print a dynamic web page with constantly updating or streaming data, or else using an unavailable paper size. I added an entry to /etc/sudoers, and a trivial script and desktop entry file to /usr/local/bin.


#!/bin/sh

# #  /usr/local/bin/clearPrinter
# #  ray@eng-int.net 2006-09-12

# #  clear all print jobs and re-enable HP_Color_LaserJet_CM1312nfi_MFP printer queue
# #  users to be in group 'lp' and append the following two lines to '/etc/sudoers' (visudo or YaST):
# Cmnd_Alias      PRINTING = /usr/sbin/lpc,/usr/bin/lprm,/usr/bin/lpstat,/usr/bin/lpq,/usr/sbin/lpadmin
# %lp    ALL =  NOPASSWD: PRINTING
# #

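printername="hpcolorlaserjetcm1312nfimfp"

# Show the queue before clearing it
lpq -P "$printername"
echo "Deleting all print jobs"
# The trailing "-" makes lprm cancel every job on the queue, not only the current one
sudo /usr/bin/lprm -P "$printername" -
wait
# -E after -p enables the queue and makes it accept jobs again
sudo /usr/sbin/lpadmin -p "$printername" -E
wait
# Show the queue again to confirm the result
lpq -P "$printername"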



[Desktop Entry]
# /usr/local/bin/clearPrinter.desktop
Comment[en_GB]=Clear all print jobs and reset printer
Comment=Clear all print jobs and reset printer
Exec=kdialog --msgbox "$(clearPrinter)"
GenericName[en_GB]=
GenericName=Printer Admin
# Icon=/usr/local/share/icons/printer-ok.png
Icon=yast-printer
Type=Application
MimeType=
Name[en_GB]=clear printer
Name=clear printer
Path=
StartupNotify=true
Terminal=false
TerminalOptions=
X-DBUS-ServiceName=
X-DBUS-StartupType=
X-KDE-SubstituteUID=false
X-KDE-Username=
X-SuSE-translate=true


Dragging /usr/local/bin/clearPrinter.desktop into a panel or onto a desktop from e.g. Dolphin should create a clickable icon to clear and re-enable a print queue. Perhaps the general idea could be modified and improved to suit your purposes.

I must say thank you to both. I use the first option. I know that it is a security risk, but the damage does not go beyond 5 undesired printed pages, and the benefit is a wife and daughter working without depending on me (husband/father).

In any case, my office computers have 4 IPs (1, 2, 3, 4) and the wifi has 100-200. I think that it is possible to restrict the admin to these 4 IPs.

Best regards and thank you.
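
The effect of the first option on the policy, and of the address restriction suggested in the last post, can be checked with a small script. This is an added example, not code from any poster: it assumes the `<Limit>` blocks sit in a `default` policy that ends with a `<Limit All>` fallback, uses placeholder addresses 192.0.2.1-4, and its helper names are hypothetical.

```python
import re

# Constructed excerpt: the thread's edited <Limit> block in an assumed
# "default" policy that ends with an assumed <Limit All> fallback.
EDITED = """<Policy default>
  <Limit Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""
# Hypothetical extra block: no password, but only four office PCs.
# 192.0.2.1-4 are placeholder addresses, not values from the thread.
BY_ADDRESS = """  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer>
    Order allow,deny
""" + "".join(f"    Allow from 192.0.2.{n}\n" for n in (1, 2, 3, 4)) + "  </Limit>\n"
HARDENED = EDITED.replace("<Policy default>\n", "<Policy default>\n" + BY_ADDRESS, 1)

def limits(conf):
    """Return (operation-name set, directive lines) for every <Limit> block."""
    found = re.findall(r"<Limit\s+([^>]+)>(.*?)</Limit>", conf, re.S | re.I)
    return [({o.lower() for o in ops.split()},
             [l.strip().lower() for l in body.splitlines() if l.strip()])
            for ops, body in found]

def exposure(conf, op):
    """Classify one IPP operation (simplified: ignores <Location> and Satisfy)."""
    parsed = limits(conf)
    # Exact name match; operations named nowhere fall back to <Limit All>.
    rules = next((d for ops, d in parsed if op.lower() in ops),
                 next((d for ops, d in parsed if "all" in ops), []))
    if any(l.startswith("require ") for l in rules):
        return "auth"      # a user must authenticate
    if "order allow,deny" in rules or any(l.startswith("deny from") for l in rules):
        return "address"   # no password, but limited by client address
    return "open"          # any client the server accepts may do this

def report(conf):
    ops = ("Pause-Printer", "Resume-Printer", "Enable-Printer", "Disable-Printer", "Cancel-Jobs")
    return {op: exposure(conf, op) for op in ops}

if __name__ == "__main__":
    print("edited:  ", report(EDITED))
    print("hardened:", report(HARDENED))
```

With `Order allow,deny` access is denied by default and only the listed `Allow from` addresses pass, which is why the extra block narrows the four password-free operations to the named machines.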