Hack 28. Define a Secure CUPS Printer
Integrated support for various authentication mechanisms makes it easy to limit access to specific printers with CUPS. The other CUPS hacks in this chapter have focused on its most excellent web-based administrative interface and how the interface simplifies and standardizes printer setup, regardless of the type of CUPS client you're configuring. However, like most Unix/Linux programs, you can also administer the CUPS server by directly manipulating its configuration file, /etc/cups/cupsd.conf. While this may seem somewhat intimidating at first blush, the format of this file is actually quite simple and is conceptually evocative of an Apache configuration file (which we've all probably had to modify at one time or another). A few simple changes to this file can quickly add a new layer of security to your CUPS printing environment. Many sysadmins are paranoid today, and for good reason. Securing your existing systems by eliminating unnecessary services is just plain smart [Hack #63]. Similarly, there may be cases where you want to restrict access to certain printers. There are many security and cost reasons for limiting access to specific printers to certain users or certain IP addresses, whether it's because of who "owns" the printer (such as your CEO or department head) or because the printer uses platinum toner to print on gold sheets (and is therefore the wrong place for freshmen to print their CS101 homework). Here's how to do just that with your favorite text editor (which should be emacs) and a few minutes of your spare time.
3.10.1. Enabling Remote Printing on a CUPS ServerDepending 'on how CUPS is preconfigured on your Linux distribution, you may need to add your remote hosts (or your entire network) to the list of acceptable locations in the CUPS daemon's configuration file, /etc/cups/cupsd.conf, so they can print on the printer in the first place. The list of valid locations for incoming print jobs is stored inside a <Location />…</Location> stanza in the CUPS configuration file. The default CUPS configuration file contains a single Location stanza, which applies to all printers that the CUPS server knows about. On most systems, this looks like the following: <Location /> Order Deny,Allow Deny From All Allow From 127.0.0.1 </Location> This configuration file entry supports printing to the CUPS server only from the host on which the print server is running. Many CUPS printer configuration files use the @LOCAL macro to tell CUPS that any host that has a non-point-to-point connection to the print server can print to the printer. This generally includes hosts on the local network and typically looks like the following: <Location /> Order Deny,Allow Deny From All Allow From 127.0.0.1 Allow from @LOCAL </Location> If you are having problems printing to a specific printer from other hosts on your network, check the /etc/cups/cupsd.conf file to ensure that the Location stanza includes an @LOCAL entry. If you want to explicitly configure the CUPS server so that only hosts on a specific local network can print to the printer, remove the @LOCAL entry and add a line for the local subnet, so that the stanza now looks something like the following: <Location /> Order Deny,Allow Deny From All Allow From 127.0.0.1 Allow From 192.168.6.* </Location> This stanza now enables printing from the local host and from all printers on the specified subnet (in this case, 192.168.6), as well as the host to which the printer is physically connected. 3.10.2. Restricting Printer Access to Specific IP AddressesThe most straightforward way to create a secure printer is to put the printer in a secure location and physically restrict access to it. If you don't have a secure location available, you can also restrict printing to a particular printer so that only hosts with specific IP addresses can print to it. To do this, you simply create a new Location stanza in /etc/cups/cupsd.conf for that printer and use the Allow/Deny approach introduced in the previous section to identify any IP addresses that you want to be able to print to the printer. For example, a Location stanza that restricts access to the printer silentwriter such that only the host to which the printer is actually attached and the host with the IP address 192.168.6.101 can print to it would be the following: <Location /printers/silentwriter> Order Deny,Allow Deny From All Allow From 127.0.0.1 Allow From 192.168.6.101 </Location> 3.10.3. Restricting Printer Access to Specific UsersRestricting access to a specific printer based on the IP address of the host that you want to allow to print to it is useful, but those pesky users often tend to move around from host to host. An alternative to restricting access by IP address is to require authentication in order to print to a specified printer. You can do this by using users' standard Linux passwords, but I find it most useful to require a separate password for printer access. Using standard Linux passwords causes the print server to invoke the PAM modules for CUPS (defined in /etc/pam.d/cups), which often differ from Linux distribution to Linux distribution. (PAMs were discussed in "Customize Authentication with PAMs" [Hack #4]) Also, since most people using Linux systems have Linux passwords, that approach doesn't really limit access to any significant extent. Using a separate password for printer access is quite standard across all CUPS-oriented Linux distributions. You can define a CUPS access password using the lppasswd command. To add a new user to the CUPS password file (stored in /etc/cups/passwd.md5 by default), execute the following command as root or via sudo: # lppasswda username You'll be prompted twice for the specified user's password. Once a user has a CUPS password, you can add this level of authentication to a specific printer by creating a new Location stanza for that printer (or updating an existing one), as in the following example: <Location /printers/silentwriter> Order Deny,Allow Deny From All Allow From 127.0.0.1 Allow From 192.168.6.* AuthType Digest </Location> This lets anyone from the 192.168.6 subnet who has a valid CUPS password entry print to the silentwriter printer. Users will be prompted for this password whenever they try to send print jobs to the specified printer, as in the following example: $ lpr /etc/printcap Password for wvh on localhost?
3.10.4. SummaryBeyond the simple authentication and IP address entries discussed in this hack, CUPS provides many other mechanisms for authentication, such as printer classes and alternatives to digest authentication that are outside the scope of this hack and really deserve a book of their own. As a matter of fact, there is one: Michael Sweet's book on CUPS is complete and easy to read (and as the original author of CUPS, he should know all about it). Excellent, complete, and readable documentation is also available from the CUPS web site (http://www.cups.org/documentation.php). 3.10.5. See Also
|