Configuring a CUPS Server

CUPS is an unusually flexible printing system for UNIX and Linux computers. Rather than a re-implementation of the BSD LPD package (which is what LPRng is), CUPS is a new framework around which printing on Linux can work. Part of this framework is a compatibility layer, so that applications and users can use familiar printing commands, and so that CUPS clients can use LPD print servers, and vice versa. Major additional features include support for a new network printing protocol, IPP, which is based on the Hypertext Transfer Protocol (HTTP) used by Web servers and browsers; the ability to pass file type information with files to simplify the selection of print filters on the print server; the use of PostScript Printer Description (PPD) files to define printer capabilities; and "printer browsing," a feature that allows a client to search for printers on the network without having to explicitly configure the client to use a specific printer. If CUPS is widely adopted, these features will greatly simplify printer configuration, both for non-networked and networked use.

One major hurdle faced by CUPS is the fact that it doesn't use the same types of configuration files that BSD LPD or LPRng use. Therefore, if you're already familiar with these systems, you'll have to learn to configure your printers in an entirely new way. If you like to work with GUI tools, you may want to look into a GUI front-end to CUPS for general configuration, such as KUPS (http://cups. sourceforge .net/kups/) or ESP Print Pro (http://www.easysw.com/printpro/). CUPS also comes with a Web-based tool, as described shortly; you can point your Web browser at http://localhost:631 to configure the computer on which the Web browser is running.

NOTE

As with the other printing systems, a complete description of CUPS printer configuration is beyond the scope of this book. This section assumes that you can create a minimally functional local print queue; I describe only those options related to the networking aspects of the printer definition. For more information on basic CUPS configuration, consult the CUPS documentation at http://www.cups.org/sam.html.

Configuring /etc/cups/cupsd.conf

The CUPS server is controlled through the /etc/cups/cupsd.conf file. This file is modeled after the Apache configuration file (discussed in Chapter 20, Running Web Servers), as CUPS borrows many HTTP server features. CUPS also uses several other configuration files, such as /etc/cups/printers.conf and /etc/cups/classes.conf , which define specific printers and groups of printers, respectively. Both these files are normally edited via the lpadmin configuration tool or a GUI front-end, but the CUPS documentation recommends editing cupsd.conf manually.

The cupsd.conf file consists of a series of directives that set specific features of the server's function, such as the server's name or where logs are stored. Directives that are particularly important for network print server functions include the following:

• Allow ” This directive is followed by the keyword from and the wildcards All or None , a hostname, a hostname with an asterisk wildcard (such as *.threeroomco.com ), a partial or complete IP address, or an IP address with a netmask (in either CIDR or 8-byte formats). Any of these forms specify computers that are allowed access to the server. You can include multiple Allow directives to grant access to multiple computers or groups of computers. This directive must appear within a Location directive.

• AuthClass ” This directive takes a value of Anonymous (the default), User , System , or Group . Anonymous results in no need to authenticate clients; this works much like a BSD LPD system. The remaining three options require clients to provide a valid username and password. System further requires that the user belong to the sys group, as set by the SystemGroup directive. Group requires that the user belong to the group named by the AuthGroupName directive.

• BrowseAddress ” The CUPS printer browsing features works best when a central server collects information on available printers on a network. You can set this server with the BrowseAddress directive, which takes an IP address or hostname and port number as an option, as in 192.168.23.34:631 . (631 is the usual port number for this and most other CUPS connections.) The default is 255.255.255.255:631 , which results in a broadcast to all computers on the local network.

• BrowseAllow ” To use printer browsing from a client, your server must accept browse packets from the client. This directive is followed by the keyword from and the partial or complete hostname or IP address of the computers from which the server will accept browse packets. The default is to accept browse packets from all computers.

• BrowseDeny ” This directive is the opposite of BrowseAllow ; you can blacklist just certain networks or clients using this directive.

• BrowseOrder ” When you use both BrowseAllow and BrowseDeny , this directive determines the order in which the first two directives are applied. Options are BrowseOrder Allow,Deny and BrowseOrder Deny,Allow .

• BrowseInterval ” This directive sets the time in seconds between outgoing browse queries. A value of disables outgoing browse queries. This value should always be less than the value of BrowseTimeout , or printers will periodically disappear from your local browse list.

• BrowsePoll ” You can set the name or IP address of a print server you want to poll for printers using this directive. You can poll multiple servers by using this value more than once.

• BrowsePort ” The default port for printer browsing is 631, but you can override this value by using this directive.

• BrowseTimeout ” CUPS removes information on network printers and classes at an interval determined by this directive. This value should always be greater than the BrowseInterval value, or printers will periodically disappear from a CUPS client's browse list.

• Browsing ” You can enable or disable network browsing by setting this directive to On or Off , respectively. The default value is On .

• Deny ” This directive is the opposite of Allow ; it's a specification of computers that are not allowed access to the server. It must appear within a Location directive.

• HostNameLookups ” This directive takes values of Off , On , and Double . These cause CUPS to not look up hostnames of clients, to look up hostnames for every client that connects, and to look up the hostname and then look up the IP address from the obtained hostname, respectively. The Double option in particular provides some protection against certain types of attack, because it prevents connections from systems with misconfigured DNS entries. The default is Off , because this setting results in the least performance cost and because it's most reliable (the other options can cause problems if your network's DNS server goes down or becomes slow).

• Listen ” You can tell CUPS to use only a subset of your computer's network interfaces by using one or more Listen directives. Follow the directive name with the IP address associated with the network interface, a colon , and a port number (normally 631). For instance, Listen 192.168.23.8:631 causes the computer to use the interface associated with the 192.168.23.8 address. You can use more than one Listen directive (and probably should, to bind to the 127.0.0.1 interface as well as whatever network interface you want active).

• Location ” This directive is unusual in that it surrounds others, defining a location within the CUPS document tree to which the surrounded directives apply. For instance, you must include Allow and Deny directives within a Location directive, in order to restrict access to particular document types (and hence particular types of operations) for specific clients. To start a Location directive, you include that keyword in angle braces ( <> ) along with the name of the location. To end such a directive, you use the string </Location> . Possible locations you can restrict include /admin for administrative actions, /classes for printer classes, /jobs for print jobs, and /printers for printers.

• MaxClients ” You can limit the number of clients that can connect to a server using this directive. The default value is 100 .

• Order ” This directive is similar to the BrowseOrder directive, but it applies to the Allow and Deny directives. Order Allow,Deny causes Allow directives to be applied before Deny directives, whereas Order Deny,Allow does the opposite.

• Port ” CUPS normally listens on port 631 for IPP transfers, but you can change the default port with this directive. You can specify multiple ports by using this directive more than once. Note that this does not affect the port CUPS uses for interacting with BSD LPD clients and servers, or compatible programs.

The default /etc/cups/cupsd.conf file provided with most CUPS packages leaves the server fairly open to access from outsiders. You should probably tighten access by applying CUPS configuration rules to restrict access to the server. For instance, the following directives block access to anything but the server computer itself and systems on the 172.22.0.0/16 network:

 <Location /printers> BrowseAllow from 127.0.0.1 BrowseAllow from 172.22.0.0/16 Allow from 127.0.0.1 Allow from 172.22.0.0/16 </Location> 

Because it applies to the /printers location, the preceding example does not completely close off access to the server. For instance, administrative tasks (via the /admin location) and access to specific print job information (via the /jobs location) is still available to other systems. You should probably restrict access to these locations as well, and apply packet filter firewall rules (as discussed in Chapter 25). The latter will completely block access to systems you don't authorize, assuming no bugs or misconfiguration.

Accepting Jobs from BSD LPD or LPRng Clients

The preceding discussion of /etc/cups/cupsd.conf directives applies most directly to clients that support IPP. Neither BSD LPD nor LPRng uses IPP, though; they use the older LPD protocol. (Work is underway for adding IPP support to LPRng, though.) Therefore, if your CUPS print server must accept print jobs from clients that use the LPD protocol, CUPS needs a helper program to let it do the job. This program is called cups-lpd , and it comes with CUPS.

To use cups-lpd , you must configure it to work via a super server such as inetd or xinetd , as discussed in Chapter 4; the package doesn't work as a standalone server. It's normally located in the /usr/lib/cups/daemon directory. An appropriate /etc/inetd.conf file entry is as follows :

 printer stream tcp nowait lp /usr/lib/cups/daemon/cups-lpd cups-lpd 

Chapter 4 covers the differences between inetd and xinetd , should you need to configure cups-lpd to work with xinetd . Some distributions ship preconfigured to work correctly with BSD LPD clients, so you may not need to make such a modification.

WARNING

CUPS provides no means to control printer access to clients using the LPD protocol. Such jobs are submitted locally using the server's own address, so the normal /etc/cups/cupsd.conf directives don't have any effect. To limit outside access to a CUPS server that supports the LPD protocol, you must use a packet filter firewall or some other outside mechanism.

Specifying the Server on a CUPS Client

You can add printers to CUPS by using the command-line lpadmin utility, by using a GUI front-end to lpadmin , or by entering http://localhost:631 in a Web browser running on the computer (or the hostname and :631 on another computer that's allowed administrative access). Each of these methods of administration allows you to add or delete printers accessible from the computer in question, or to perform various other administrative tasks.

To add a network printer, you could use lpadmin to enter a command like the following:

 #  lpadmin -p   PrinterName   -E -v lpd://   server.name   /   queuname   -m \   ppdfile.ppd  

In this example, PrinterName is the name of the printer queue to be used locally, server.name is the hostname of the print server, and queuename is the name of the print queue on that server. This example shows access to a print queue that uses the BSD LPD protocol, as indicated by the lpd that precedes the server and queue names . To use another CUPS server, you might prefer using ipp in place of lpd . This tells CUPS to use IPP rather than the BSD LPD protocol. (You can create a local queue in much the same way, but the parameter to -v would be parallel:/dev/lp0 or some other local device identifier.) Finally, the -m parameter identifies the PPD file for the printer, so that CUPS can pass information on the printer's capabilities back to CUPS-aware applications. On most installations, you can find a collection of PPD files in the /usr/share/cups/model directory tree. Many PostScript printers also ship with their own PPD files, which you can use. You can also attempt to use the driver listings at the Linux Printing Web site, http://www.linuxprinting.org/driver_list.cgi. Click on a Ghostscript driver name, then select your printer model in the CUPS-O-Matic area and click Generate CUPS PPD. After a brief delay, the result should be a PPD file that describes your printer's capabilities. As the comments in the generated file note, though, this machine-generated PPD file might have quirks , or it might not even work at all. For this reason, you're better off using a PPD file that's provided by your printer's manufacturer, if possible.

TIP

If you've configured both the client and the server to perform CUPS browsing, as described earlier, you shouldn't need to explicitly add CUPS IPP printers; the client should retrieve the list of available printers and make them available automatically. Adding a printer manually is most useful for LPD print queues.

If you want to modify an existing print queue, you may do so with the lpadmin tool just as if you were adding a new queue. Specify the original name and any other options you include override the originals . For instance, you can change a local queue to a network queue by using the -v option and specifying the new location.

If you prefer to use a GUI tool, the Web interface (shown in Figure 9.1) is supported by default on a standard installation. After you enter the URL to your computer (including the port 631 specification), CUPS prompts you for an administrative username and password. You can then select from several options, such as Do Administration Tasks and Manage Printers. Figure 9.1 shows the latter, in which you can create, delete, and administer printers. Figure 9.1 shows two defined printers. The first, hp4000 , is the default and is an LPD printer. The second, lexmark , is connected to the parallel port. You can click Modify Printer to modify the basic settings, such as the server name, or you can adjust printer-specific settings such as page size and printer memory by clicking Configure Printer.