Printing/CUPS/Access Control

From KDE Community Wiki

Access Control

By Kurt Pfeifle, author of KDEPrint handbook.

CUPS lets you create a new printer or modify an existing one so that user-based access control is in place. You can then allow or deny access to a given printer based on the user name.

At the present time, the described features are only supported on the command line, using "lpadmin". This is described in the "lpadmin" man page. If you give the command

   lpadmin -p danka_infotec -u allow:kurt,chris,michael 

you turn the (existing) printer "danka_infotec" into a device to be used exclusively by kurt, chris and michael. Not even root can use it! The lpadmin command quoted above inserts the following entry in /etc/cups/printers.conf:

<Printer danka_infotec> 
  Info This printer was modified by the lpadmin command 
  Location Dustbin or Black Hole 
  DeviceURI file:/dev/null 
  State Idle 
  Accepting Yes 
  JobSheets none none 
  AllowUser kurt 
  AllowUser chris 
  AllowUser michael 
</Printer> 

You can also allow everybody *except* uwe, danimo and root access to this printer:

   lpadmin -p danka_infotec -u deny:uwe,danimo,root 

The printers.conf section for this printer will now look like this:

<Printer danka_infotec> 
  Info This printer was modified by the lpadmin command 
  Location Dustbin or Black Hole 
  DeviceURI file:/dev/null 
  State Idle 
  Accepting Yes 
  JobSheets none none 
  DenyUser uwe 
  DenyUser danimo 
  DenyUser root 
</Printer> 

To turn off username blocking again, use:

   lpadmin -p danka_infotec -u allow:all 

or

   lpadmin -p danka_infotec -u deny:none 

Alternatively, you can use the IPP-derived syntax to specify user-based ACLs when creating or modifying a printer:

   lpadmin -p danka_infotec -o requesting-user-name-denied=uwe,danimo,root 

This allows all users *except* uwe, danimo and root to print to the printer. Similarly:

   lpadmin -p danka_infotec -o requesting-user-name-allowed=kurt,chris,michael 

only allows "kurt", "chris" and "michael" to print.

To turn off username blocking, do:

   lpadmin -p danka_infotec -o requesting-user-name-allowed=all 

or

   lpadmin -p danka_infotec -o requesting-user-name-denied=none
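
To audit the AllowUser/DenyUser entries these commands write to printers.conf, the following added example (not part of the original page or of CUPS itself) parses the file format shown above, applies the allow/deny rule as this page describes it, and lists printers that carry no user ACL. The printers "accounts" and "lobby_laser", the `<DefaultPrinter>` handling, and exact case-sensitive name matching are assumptions made for the example.

```python
import re

# Constructed sample in the printers.conf format shown above. "accounts"
# and "lobby_laser" are made-up printers added for illustration.
SAMPLE = """\
<Printer danka_infotec>
  Info This printer was modified by the lpadmin command
  DeviceURI file:/dev/null
  AllowUser kurt
  AllowUser chris
  AllowUser michael
</Printer>
<Printer accounts>
  DeviceURI file:/dev/null
  DenyUser uwe
  DenyUser danimo
  DenyUser root
</Printer>
<DefaultPrinter lobby_laser>
  DeviceURI file:/dev/null
</DefaultPrinter>
"""

def parse_acls(text):
    """Map each printer name to its AllowUser and DenyUser lists."""
    acls, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        opening = re.fullmatch(r"<(?:Default)?Printer\s+(\S+)>", line)
        if opening:  # the default queue is written as <DefaultPrinter name>
            current = acls.setdefault(opening.group(1), {"allow": [], "deny": []})
        elif re.fullmatch(r"</(?:Default)?Printer>", line):
            current = None
        elif current is not None:
            key, _, value = line.partition(" ")
            if key in ("AllowUser", "DenyUser"):
                current["allow" if key == "AllowUser" else "deny"].append(value.strip())
    return acls

def may_print(acl, user):
    """Rule as the page describes it: an allow list admits only its members
    (so root is shut out too); a deny list blocks only its members."""
    if acl["allow"]:
        return user in acl["allow"]
    return user not in acl["deny"]

def unrestricted(acls):
    """Printers with no user ACL at all, i.e. open to every user name."""
    return sorted(n for n, a in acls.items() if not a["allow"] and not a["deny"])

if __name__ == "__main__":
    acls = parse_acls(SAMPLE)  # on a real host, read /etc/cups/printers.conf
    print("no user ACL:", unrestricted(acls))
    print("root on danka_infotec:", may_print(acls["danka_infotec"], "root"))
```

Printers reported by `unrestricted` are the ones where neither form of the lpadmin commands above has been applied.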