Printing/CUPS/Access Control
Access Control
By Kurt Pfeifle, author of the KDEPrint handbook.
CUPS lets you create a new printer, or modify an existing one, with user-based access control in place. You can then allow or deny access to a particular printer based on the user name.
At present, the features described here are only supported from the command line with "lpadmin". They are documented in the "lpadmin" man page. If you give the command
lpadmin -p danka_infotec -u allow:kurt,chris,michael
you turn the (existing) printer "danka_infotec" into a device to be used exclusively by kurt, chris and michael. Not even root can use it! The lpadmin command quoted above inserts the following entry into /etc/cups/printers.conf:
<Printer danka_infotec>
Info This printer was modified by the lpadmin command
Location Dustbin or Black Hole
DeviceURI file:/dev/null
State Idle
Accepting Yes
JobSheets none none
AllowUser kurt
AllowUser chris
AllowUser michael
</Printer>
You can also allow everybody *except* uwe, danimo and root to access this printer:
lpadmin -p danka_infotec -u deny:uwe,danimo,root
The printers.conf section for this printer will now look like this:
<Printer danka_infotec>
Info This printer was modified by the lpadmin command
Location Dustbin or Black Hole
DeviceURI file:/dev/null
State Idle
Accepting Yes
JobSheets none none
DenyUser uwe
DenyUser danimo
DenyUser root
</Printer>
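An added example (not from the original page or from CUPS itself): a small Python audit that reads printers.conf sections like the two shown above and answers whether a given user may print under the allow/deny semantics described here. The printer names danka_deny and open_queue, the function names and the sample input are assumptions constructed for the illustration.

```python
import re

# Constructed sample: the allow and deny sections shown above (the deny variant
# renamed to the hypothetical "danka_deny"), plus a hypothetical ACL-free queue.
SAMPLE = """\
<Printer danka_infotec>
DeviceURI file:/dev/null
AllowUser kurt
AllowUser chris
AllowUser michael
</Printer>
<Printer danka_deny>
DeviceURI file:/dev/null
DenyUser uwe
DenyUser danimo
DenyUser root
</Printer>
<Printer open_queue>
DeviceURI file:/dev/null
</Printer>
"""

OPEN = re.compile(r"<(?:Default)?Printer\s+([^>\s]+)>")
CLOSE = re.compile(r"</(?:Default)?Printer>")
ACL = re.compile(r"(Allow|Deny)User\s+(\S+)")

def parse_acls(text):
    """Map each printer to {"mode": "allow" | "deny" | "open", "users": [...]}."""
    acls, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := OPEN.fullmatch(line):
            current = acls.setdefault(m.group(1), {"mode": "open", "users": []})
        elif CLOSE.fullmatch(line):
            current = None
        elif current is not None and (m := ACL.fullmatch(line)):
            current["mode"] = m.group(1).lower()
            current["users"].append(m.group(2))
    return acls

def may_print(acls, printer, user):
    """Apply the semantics described above; @group entries are not resolved."""
    acl = acls[printer]
    if acl["mode"] == "open":
        return True
    listed = user in acl["users"]
    return listed if acl["mode"] == "allow" else not listed

if __name__ == "__main__":
    for name, acl in parse_acls(SAMPLE).items():
        print(f"{name}: {acl['mode']} {', '.join(acl['users']) or '-'}")
```

Queues reported as "open" have no user restriction at all, which is the state to look for when a printer was meant to be limited to named users.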
To turn off username blocking again, use:
lpadmin -p danka_infotec -u allow:all
or
lpadmin -p danka_infotec -u deny:none
Alternatively, you can use the IPP-derived syntax to specify user-based ACLs when creating or modifying a printer:
lpadmin -p danka_infotec -o requesting-user-name-denied=uwe,danimo,root
This allows all users *except* uwe, danimo and root to print to the printer. Similarly:
lpadmin -p danka_infotec -o requesting-user-name-allowed=kurt,chris,michael
only allows "kurt", "chris" and "michael" to print.
To turn off username blocking, do:
lpadmin -p danka_infotec -o requesting-user-name-allowed=all
or
lpadmin -p danka_infotec -o requesting-user-name-denied=none