projects / thirdparty / cups.git / blame
| Commit | Line | Data |
|---|---|---|
| 8ca02f3c | 1 | <HTML> |
| 2 | <!-- SECTION: Getting Started --> | |
| 3 | <HEAD> | |
| 4 | <TITLE>Managing Operation Policies</TITLE> | |
| 178cb736 | 5 | <LINK REL="STYLESHEET" TYPE="text/css" HREF="../cups-printable.css"> |
| 8ca02f3c | 6 | </HEAD> |
| 7 | <BODY> | |
| 8 | ||
| 178cb736 MS |
9 | <H1 CLASS="title">Managing Operation Policies</H1> |
| 10 | ||
| 8ca02f3c | 11 | <P>Operation policies are the rules used for each IPP operation |
| 12 | in CUPS. These rules include things like "user must provide a | |
| 13 | password", "user must be in the system group", "allow only from | |
| 14 | the local system", and so forth. Until CUPS 1.2, these rules were | |
| 15 | largely hardcoded and could only be customized at a very basic | |
| 16 | level.</P> | |
| 17 | ||
| 18 | <P>CUPS 1.2 adds a new fine-grained policy layer which allows you | |
| 19 | to completely redefine the rules for each operation and/or | |
| 20 | printer. Each policy is named and defines access control rules | |
| 21 | for each IPP operation. This document describes how to manage | |
| 22 | policies and their rules.</P> | |
| 23 | ||
| 24 | <H2 CLASS="title"><A NAME="BASICS">The Basics</A></H2> | |
| 25 | ||
| 26 | <P>Operation policies are used for all IPP requests sent to the | |
| 27 | scheduler and are evaluated <em>after</em> the <A | |
| 28 | HREF="ref-cupsd-conf.html#Location"><TT>Location</TT></A> based | |
| 29 | access control rules. This means that operation policies can only | |
| 30 | add additional security restrictions to a request, never relax | |
| 31 | them. Use <TT>Location</TT> based access control rules for | |
| 32 | server-wide limits and operation policies for limits on | |
| 33 | individual printers, tasks, or services.</P> | |
| 34 | ||
| 35 | <P>Policies are stored in the <VAR>cupsd.conf</VAR> file in <A | |
| 36 | HREF="ref-cupsd-conf.html#Policy"><TT>Policy</TT></A> sections. | |
| 37 | Each policy has an alphanumeric name that is used to select it. | |
| 38 | Inside the policy section are one or more <A | |
| 39 | HREF="ref-cupsd-conf.html#LimitIPP"><TT>Limit</TT></A> | |
| 40 | subsections which list the operations that are affected by the | |
| 41 | rules inside it. <A HREF="#LISTING01">Listing 1</A> shows the | |
| 42 | default operation policy, appropriately called "default", that is | |
| 43 | shipped with CUPS.</P> | |
| 44 | ||
| 45 | <P>The easiest way to add a policy to the <VAR>cupsd.conf</VAR> | |
| 46 | file is to use the web interface. Click on the | |
| 47 | <VAR>Administration</VAR> tab and then the <VAR>Edit | |
| 48 | Configuration File</VAR> button to edit the current | |
| 49 | <VAR>cupsd.conf</VAR> file. Click on the <VAR>Save Changes</VAR> | |
| 50 | button to save the changes and restart the scheduler. If you edit | |
| 51 | the <VAR>cupsd.conf</VAR> file from the console, make sure to <A | |
| 52 | HREF="ref-cupsd-conf.html">restart the cupsd process</A> before | |
| 53 | trying to use the new policy.</P> | |
| 54 | ||
| 5a738aea | 55 | <PRE CLASS="example"> |
| 8ca02f3c | 56 | <EM>Listing 1: <A NAME="LISTING01">Default Operation Policy</A></EM> |
| 57 | ||
| 58 | 1 <Policy default> | |
| 59 | 2 # Job-related operations must be done by the owner or an | |
| 355e94dc | 60 | administrator... |
| 8ca02f3c | 61 | 3 <Limit Send-Document Send-URI Hold-Job Release-Job |
| 62 | Restart-Job Purge-Jobs Set-Job-Attributes | |
| 63 | Create-Job-Subscription Renew-Subscription | |
| 64 | Cancel-Subscription Get-Notifications Reprocess-Job | |
| 65 | Cancel-Current-Job Suspend-Current-Job Resume-Job | |
| 66 | CUPS-Move-Job> | |
| 67 | 4 Require user @OWNER @SYSTEM | |
| 68 | 5 Order deny,allow | |
| 69 | 6 </Limit> | |
| 70 | 7 | |
| 355e94dc | 71 | 8 # All administration operations require an administrator |
| 8ca02f3c | 72 | to authenticate... |
| 355e94dc MS |
73 | 9 <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class |
| 74 | CUPS-Delete-Class CUPS-Set-Default> | |
| 75 | 10 AuthType Default | |
| 8ca02f3c | 76 | 11 Require user @SYSTEM |
| 77 | 12 Order deny,allow | |
| 78 | 13 </Limit> | |
| 79 | 14 | |
| 355e94dc MS |
80 | 15 # All printer operations require a printer operator |
| 81 | to authenticate... | |
| 82 | 16 <Limit Pause-Printer Resume-Printer | |
| 83 | Set-Printer-Attributes Enable-Printer Disable-Printer | |
| 84 | Pause-Printer-After-Current-Job Hold-New-Jobs | |
| 85 | Release-Held-New-Jobs Deactivate-Printer Activate-Printer | |
| 86 | Restart-Printer Shutdown-Printer Startup-Printer | |
| 87 | Promote-Job Schedule-Job-After CUPS-Accept-Jobs | |
| 88 | CUPS-Reject-Jobs> | |
| 89 | 17 AuthType Default | |
| 90 | 18 Require user <em>varies by OS</em> | |
| 91 | 19 Order deny,allow | |
| 92 | 20 </Limit> | |
| 93 | 21 | |
| 94 | 22 # Only the owner or an administrator can cancel or | |
| 8ca02f3c | 95 | authenticate a job... |
| 355e94dc MS |
96 | 23 <Limit Cancel-Job CUPS-Authenticate-Job> |
| 97 | 24 Require user @OWNER @SYSTEM | |
| 98 | 25 Order deny,allow | |
| 99 | 26 </Limit> | |
| 100 | 27 | |
| 101 | 28 <Limit All> | |
| 102 | 29 Order deny,allow | |
| 103 | 30 </Limit> | |
| 104 | 31 </Policy> | |
| 8ca02f3c | 105 | </PRE> |
| 106 | ||
| 107 | <H3>The Default CUPS Operation Policy</H3> | |
| 108 | ||
| 109 | <P>The policy definition starts with an opening <TT>Policy</TT> | |
| 110 | directive:</P> | |
| 111 | ||
| 5a738aea | 112 | <PRE CLASS="example"> |
| 8ca02f3c | 113 | 1 <Policy default> |
| 114 | </PRE> | |
| 115 | ||
| 116 | <P>The first <TT>Limit</TT> subsection defines the rules for IPP | |
| 117 | job operations:</P> | |
| 118 | ||
| 5a738aea | 119 | <PRE CLASS="example"> |
| 8ca02f3c | 120 | 3 <Limit Send-Document Send-URI Hold-Job Release-Job |
| 121 | Restart-Job Purge-Jobs Set-Job-Attributes | |
| 122 | Create-Job-Subscription Renew-Subscription | |
| 123 | Cancel-Subscription Get-Notifications Reprocess-Job | |
| 124 | Cancel-Current-Job Suspend-Current-Job Resume-Job | |
| 125 | CUPS-Move-Job> | |
| 126 | 4 Require user @OWNER @SYSTEM | |
| 127 | 5 Order deny,allow | |
| 128 | 6 </Limit> | |
| 129 | </PRE> | |
| 130 | ||
| 131 | <P>The operation names are listed on a single line | |
| 132 | with spaces separating them. Each name corresponds to the IPP | |
| 133 | operation described in any of the IETF or PWG standards documents | |
| 134 | for the Internet Printing Protocol. <A HREF="#TABLE01">Table | |
| 135 | 1</A> lists all of the operations that have been defined along | |
| 136 | with their usage in CUPS.</P> | |
| 137 | ||
| 138 | <P>The access control rules are listed after the <TT>Limit</TT> | |
| 139 | line and are the same as those used for <A | |
| 140 | HREF="ref-cupsd-conf.html#Location"><TT>Location</TT></A> | |
| 141 | sections. In this case, we require the owner of the job | |
| 142 | ("@OWNER") or a member of the <A | |
| 143 | HREF="ref-cupsd-conf.html#SystemGroup"><TT>SystemGroup</TT></A> | |
| 144 | ("@SYSTEM") to do the operation. Because we do not include an <A | |
| 145 | HREF="ref-cupsd-conf.html#AuthType"><TT>AuthType</TT></A> | |
| 146 | directive here, the user information can come from the IPP | |
| 147 | request itself or the authenticated username from the HTTP | |
| 148 | request. The administrative operations starting on line 9, | |
| 149 | however, <em>do</em> use the <TT>AuthType</TT> directive, and so | |
| 150 | administrative operations need to be authenticated:</P> | |
| 151 | ||
| 5a738aea | 152 | <PRE CLASS="example"> |
| 355e94dc MS |
153 | 9 <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class |
| 154 | CUPS-Delete-Class CUPS-Set-Default> | |
| 155 | 10 AuthType Default | |
| 156 | 11 Require user @SYSTEM | |
| 157 | 12 Order deny,allow | |
| 158 | 13 </Limit> | |
| 159 | 14 | |
| 160 | 15 # All printer operations require a printer operator | |
| 161 | to authenticate... | |
| 162 | 16 <Limit Pause-Printer Resume-Printer | |
| 8ca02f3c | 163 | Set-Printer-Attributes Enable-Printer Disable-Printer |
| 164 | Pause-Printer-After-Current-Job Hold-New-Jobs | |
| 165 | Release-Held-New-Jobs Deactivate-Printer Activate-Printer | |
| 166 | Restart-Printer Shutdown-Printer Startup-Printer | |
| 355e94dc MS |
167 | Promote-Job Schedule-Job-After CUPS-Accept-Jobs |
| 168 | CUPS-Reject-Jobs> | |
| 169 | 17 AuthType Default | |
| 170 | 18 Require user <em>varies by OS</em> | |
| 171 | 19 Order deny,allow | |
| 172 | 20 </Limit> | |
| 8ca02f3c | 173 | </PRE> |
| 174 | ||
| 175 | <P>The "Order deny,allow" line at the end of both <TT>Limit</TT> | |
| 176 | subsections allows the request to come from any system allowed by | |
| 177 | the <TT>Location</TT> sections elsewhere in the | |
| 178 | <VAR>cupsd.conf</VAR> file.</P> | |
| 179 | ||
| 180 | <P>The <TT>Cancel-Job</TT> and <TT>CUPS-Authenticate-Job</TT> | |
| 181 | operations are listed separately to allow the web interface to | |
| 182 | more easily edit their policy without disturbing the rest. Like | |
| 183 | the rest of the job operations, we want the job's owner | |
| 184 | ("@OWNER") or an administrator ("@SYSTEM") to do it:</P> | |
| 185 | ||
| 5a738aea | 186 | <PRE CLASS="example"> |
| 8ca02f3c | 187 | 16 <Limit Cancel-Job CUPS-Authenticate-Job> |
| 188 | 17 Require user @OWNER @SYSTEM | |
| 189 | 18 Order deny,allow | |
| 190 | 19 </Limit> | |
| 191 | </PRE> | |
| 192 | ||
| 193 | <P>The last <TT>Limit</TT> subsection in any policy uses the | |
| 194 | special operation name <TT>All</TT>. CUPS will use the rules in | |
| 195 | this subsection for any operation you don't list specifically in | |
| 196 | the policy. In this case, all other operations are allowed | |
| 197 | without a username or authentication:</P> | |
| 198 | ||
| 5a738aea | 199 | <PRE CLASS="example"> |
| 8ca02f3c | 200 | 21 <Limit All> |
| 201 | 22 Order deny,allow | |
| 202 | 23 </Limit> | |
| 203 | 24 </Policy> | |
| 204 | </PRE> | |
| 205 | ||
| 206 | ||
| 207 | <DIV CLASS="table"><TABLE WIDTH="80%" SUMMARY="IPP Operation Names"> | |
| 208 | <CAPTION>Table 1: <A NAME="TABLE01">IPP Operation Names</A></CAPTION> | |
| 209 | <THEAD> | |
| 210 | <TR> | |
| 211 | <TH>Name</TH> | |
| 212 | <TH>Used by CUPS?</TH> | |
| 213 | <TH>Description</TH> | |
| 214 | </TR> | |
| 215 | </THEAD> | |
| 216 | <TBODY> | |
| 217 | <TR> | |
| 218 | <TD NOWRAP><TT>Print-Job</TT></TD> | |
| 219 | <TD>Yes</TD> | |
| 220 | <TD>Creates a print job with a single file.</TD> | |
| 221 | </TR> | |
| 222 | <TR> | |
| 223 | <TD NOWRAP><TT>Print-URI</TT></TD> | |
| 224 | <TD>No</TD> | |
| 225 | <TD>Create a print job with a single URI.</TD> | |
| 226 | </TR> | |
| 227 | <TR> | |
| 228 | <TD NOWRAP><TT>Validate-Job</TT></TD> | |
| 229 | <TD>Yes</TD> | |
| 230 | <TD>Validates a print request before printing.</TD> | |
| 231 | </TR> | |
| 232 | <TR> | |
| 233 | <TD NOWRAP><TT>Create-Job</TT></TD> | |
| 234 | <TD>Yes</TD> | |
| 235 | <TD>Creates a print job with no files or URIs.</TD> | |
| 236 | </TR> | |
| 237 | <TR> | |
| 238 | <TD NOWRAP><TT>Send-Document</TT></TD> | |
| 239 | <TD>Yes</TD> | |
| 240 | <TD>Adds a file to a print job.</TD> | |
| 241 | </TR> | |
| 242 | <TR> | |
| 243 | <TD NOWRAP><TT>Send-URI</TT></TD> | |
| 244 | <TD>No</TD> | |
| 245 | <TD>Adds a URI to a print job.</TD> | |
| 246 | </TR> | |
| 247 | <TR> | |
| 248 | <TD NOWRAP><TT>Cancel-Job</TT></TD> | |
| 249 | <TD>Yes</TD> | |
| 250 | <TD>Cancels a print job.</TD> | |
| 251 | </TR> | |
| 252 | <TR> | |
| 253 | <TD NOWRAP><TT>Get-Job-Attributes</TT></TD> | |
| 254 | <TD>Yes</TD> | |
| 255 | <TD>Gets information and options associated with a job.</TD> | |
| 256 | </TR> | |
| 257 | <TR> | |
| 258 | <TD NOWRAP><TT>Get-Jobs</TT></TD> | |
| 259 | <TD>Yes</TD> | |
| 260 | <TD>Gets a list of jobs.</TD> | |
| 261 | </TR> | |
| 262 | <TR> | |
| 263 | <TD NOWRAP><TT>Get-Printer-Attributes</TT></TD> | |
| 264 | <TD>Yes</TD> | |
| 265 | <TD>Gets information and options associated with a printer or class.</TD> | |
| 266 | </TR> | |
| 267 | <TR> | |
| 268 | <TD NOWRAP><TT>Hold-Job</TT></TD> | |
| 269 | <TD>Yes</TD> | |
| 270 | <TD>Holds a print job for printing.</TD> | |
| 271 | </TR> | |
| 272 | <TR> | |
| 273 | <TD NOWRAP><TT>Release-Job</TT></TD> | |
| 274 | <TD>Yes</TD> | |
| 275 | <TD>Releases a print job for printing.</TD> | |
| 276 | </TR> | |
| 277 | <TR> | |
| 278 | <TD NOWRAP><TT>Restart-Job</TT></TD> | |
| 279 | <TD>Yes</TD> | |
| 280 | <TD>Reprints a print job.</TD> | |
| 281 | </TR> | |
| 282 | <TR> | |
| 283 | <TD NOWRAP><TT>Pause-Printer</TT></TD> | |
| 284 | <TD>Yes</TD> | |
| 285 | <TD>Stops a printer or class.</TD> | |
| 286 | </TR> | |
| 287 | <TR> | |
| 288 | <TD NOWRAP><TT>Resume-Printer</TT></TD> | |
| 289 | <TD>Yes</TD> | |
| 290 | <TD>Starts a printer or class.</TD> | |
| 291 | </TR> | |
| 292 | <TR> | |
| 293 | <TD NOWRAP><TT>Purge-Jobs</TT></TD> | |
| 294 | <TD>Yes</TD> | |
| 295 | <TD>Cancels all jobs on the server or a printer or class | |
| 296 | and removes the job history information.</TD> | |
| 297 | </TR> | |
| 298 | <TR> | |
| 299 | <TD NOWRAP><TT>Set-Printer-Attributes</TT></TD> | |
| 300 | <TD>No</TD> | |
| 301 | <TD>Sets printer or class information; CUPS uses | |
| 302 | CUPS-Add-Modify-Printer and CUPS-Add-Modify-Class | |
| 303 | instead.</TD> | |
| 304 | </TR> | |
| 305 | <TR> | |
| 306 | <TD NOWRAP><TT>Set-Job-Attributes</TT></TD> | |
| 307 | <TD>Yes</TD> | |
| 308 | <TD>Changes job options.</TD> | |
| 309 | </TR> | |
| 310 | <TR> | |
| 311 | <TD NOWRAP><TT>Get-Printer-Supported-Values</TT></TD> | |
| 312 | <TD>No</TD> | |
| 313 | <TD>Gets -supported attributes for a printer based on job | |
| 314 | options.</TD> | |
| 315 | </TR> | |
| 316 | <TR> | |
| 317 | <TD NOWRAP><TT>Create-Printer-Subscription</TT></TD> | |
| 318 | <TD>Yes</TD> | |
| 319 | <TD>Creates an event subscription for a printer or the server.</TD> | |
| 320 | </TR> | |
| 321 | <TR> | |
| 322 | <TD NOWRAP><TT>Create-Job-Subscription</TT></TD> | |
| 323 | <TD>Yes</TD> | |
| 324 | <TD>Creates an event subscription for a job.</TD> | |
| 325 | </TR> | |
| 326 | <TR> | |
| 327 | <TD NOWRAP><TT>Get-Subscription-Attributes</TT></TD> | |
| 328 | <TD>Yes</TD> | |
| 329 | <TD>Gets information for an event subscription.</TD> | |
| 330 | </TR> | |
| 331 | <TR> | |
| 332 | <TD NOWRAP><TT>Get-Subscriptions</TT></TD> | |
| 333 | <TD>Yes</TD> | |
| 334 | <TD>Gets a list of event subscriptions.</TD> | |
| 335 | </TR> | |
| 336 | <TR> | |
| 337 | <TD NOWRAP><TT>Renew-Subscription</TT></TD> | |
| 338 | <TD>Yes</TD> | |
| 339 | <TD>Renews an event subscription that is about to expire.</TD> | |
| 340 | </TR> | |
| 341 | <TR> | |
| 342 | <TD NOWRAP><TT>Cancel-Subscription</TT></TD> | |
| 343 | <TD>Yes</TD> | |
| 344 | <TD>Cancels an event subscription.</TD> | |
| 345 | </TR> | |
| 346 | <TR> | |
| 347 | <TD NOWRAP><TT>Get-Notifications</TT></TD> | |
| 348 | <TD>Yes</TD> | |
| 349 | <TD>Gets (pending) events for an event subscription.</TD> | |
| 350 | </TR> | |
| 351 | <TR> | |
| 352 | <TD NOWRAP><TT>Send-Notifications</TT></TD> | |
| 353 | <TD>No</TD> | |
| 354 | <TD>Sends events for an event subscription.</TD> | |
| 355 | </TR> | |
| 356 | <TR> | |
| 357 | <TD NOWRAP><TT>Get-Printer-Support-Files</TT></TD> | |
| 358 | <TD>No</TD> | |
| 359 | <TD>Gets printer driver files for a Novell client.</TD> | |
| 360 | </TR> | |
| 361 | <TR> | |
| 362 | <TD NOWRAP><TT>Enable-Printer</TT></TD> | |
| 363 | <TD>Yes</TD> | |
| 364 | <TD>Starts a printer or class.</TD> | |
| 365 | </TR> | |
| 366 | <TR> | |
| 367 | <TD NOWRAP><TT>Disable-Printer</TT></TD> | |
| 368 | <TD>Yes</TD> | |
| 369 | <TD>Stops a printer or class.</TD> | |
| 370 | </TR> | |
| 371 | <TR> | |
| 372 | <TD NOWRAP><TT>Pause-Printer-After-Current-Job</TT></TD> | |
| 373 | <TD>No</TD> | |
| 374 | <TD>Stops a printer or class after the current job is finished.</TD> | |
| 375 | </TR> | |
| 376 | <TR> | |
| 377 | <TD NOWRAP><TT>Hold-New-Jobs</TT></TD> | |
| 378 | <TD>No</TD> | |
| 379 | <TD>Holds new jobs submitted to a printer or class.</TD> | |
| 380 | </TR> | |
| 381 | <TR> | |
| 382 | <TD NOWRAP><TT>Release-Held-New-Jobs</TT></TD> | |
| 383 | <TD>No</TD> | |
| 384 | <TD>Releases jobs that were held because of the | |
| 385 | Hold-New-Jobs operation.</TD> | |
| 386 | </TR> | |
| 387 | <TR> | |
| 388 | <TD NOWRAP><TT>Deactivate-Printer</TT></TD> | |
| 389 | <TD>No</TD> | |
| 390 | <TD>Deactivates a printer or class.</TD> | |
| 391 | </TR> | |
| 392 | <TR> | |
| 393 | <TD NOWRAP><TT>Activate-Printer</TT></TD> | |
| 394 | <TD>No</TD> | |
| 395 | <TD>Activates a printer or class.</TD> | |
| 396 | </TR> | |
| 397 | <TR> | |
| 398 | <TD NOWRAP><TT>Restart-Printer</TT></TD> | |
| 399 | <TD>No</TD> | |
| 400 | <TD>Restarts a printer or class, resuming print jobs as needed.</TD> | |
| 401 | </TR> | |
| 402 | <TR> | |
| 403 | <TD NOWRAP><TT>Shutdown-Printer</TT></TD> | |
| 404 | <TD>No</TD> | |
| 405 | <TD>Powers a printer or class off.</TD> | |
| 406 | </TR> | |
| 407 | <TR> | |
| 408 | <TD NOWRAP><TT>Startup-Printer</TT></TD> | |
| 409 | <TD>No</TD> | |
| 410 | <TD>Powers a printer or class on.</TD> | |
| 411 | </TR> | |
| 412 | <TR> | |
| 413 | <TD NOWRAP><TT>Reprocess-Job</TT></TD> | |
| 414 | <TD>No</TD> | |
| 415 | <TD>Reprints a job on a different printer or class; CUPS has the | |
| 416 | CUPS-Move-Job operation instead.</TD> | |
| 417 | </TR> | |
| 418 | <TR> | |
| 419 | <TD NOWRAP><TT>Cancel-Current-Job</TT></TD> | |
| 420 | <TD>No</TD> | |
| 421 | <TD>Cancels the current job on a printer or class.</TD> | |
| 422 | </TR> | |
| 423 | <TR> | |
| 424 | <TD NOWRAP><TT>Suspend-Current-Job</TT></TD> | |
| 425 | <TD>No</TD> | |
| 426 | <TD>Stops the current job on a printer or class.</TD> | |
| 427 | </TR> | |
| 428 | <TR> | |
| 429 | <TD NOWRAP><TT>Resume-Job</TT></TD> | |
| 430 | <TD>No</TD> | |
| 431 | <TD>Resumes printing of a stopped job.</TD> | |
| 432 | </TR> | |
| 433 | <TR> | |
| 434 | <TD NOWRAP><TT>Promote-Job</TT></TD> | |
| 435 | <TD>No</TD> | |
| 436 | <TD>Prints a job before others.</TD> | |
| 437 | </TR> | |
| 438 | <TR> | |
| 439 | <TD NOWRAP><TT>Schedule-Job-After</TT></TD> | |
| 440 | <TD>No</TD> | |
| 441 | <TD>Prints a job after others.</TD> | |
| 442 | </TR> | |
| 443 | <TR> | |
| 444 | <TD NOWRAP><TT>CUPS-Get-Default</TT></TD> | |
| 445 | <TD>Yes</TD> | |
| 446 | <TD>Gets the server/network default printer or class.</TD> | |
| 447 | </TR> | |
| 448 | <TR> | |
| 449 | <TD NOWRAP><TT>CUPS-Get-Printers</TT></TD> | |
| 450 | <TD>Yes</TD> | |
| 451 | <TD>Gets a list of printers and/or classes.</TD> | |
| 452 | </TR> | |
| 453 | <TR> | |
| 454 | <TD NOWRAP><TT>CUPS-Add-Modify-Printer</TT></TD> | |
| 455 | <TD>Yes</TD> | |
| 456 | <TD>Adds or modifies a printer.</TD> | |
| 457 | </TR> | |
| 458 | <TR> | |
| 459 | <TD NOWRAP><TT>CUPS-Delete-Printer</TT></TD> | |
| 460 | <TD>Yes</TD> | |
| 461 | <TD>Removes a printer.</TD> | |
| 462 | </TR> | |
| 463 | <TR> | |
| 464 | <TD NOWRAP><TT>CUPS-Get-Classes</TT></TD> | |
| 465 | <TD>Yes</TD> | |
| 466 | <TD>Gets a list of classes.</TD> | |
| 467 | </TR> | |
| 468 | <TR> | |
| 469 | <TD NOWRAP><TT>CUPS-Add-Modify-Class</TT></TD> | |
| 470 | <TD>Yes</TD> | |
| 471 | <TD>Adds or modifies a class.</TD> | |
| 472 | </TR> | |
| 473 | <TR> | |
| 474 | <TD NOWRAP><TT>CUPS-Delete-Class</TT></TD> | |
| 475 | <TD>Yes</TD> | |
| 476 | <TD>Removes a class.</TD> | |
| 477 | </TR> | |
| 478 | <TR> | |
| 479 | <TD NOWRAP><TT>CUPS-Accept-Jobs</TT></TD> | |
| 480 | <TD>Yes</TD> | |
| 481 | <TD>Sets a printer's or class' printer-is-accepting-jobs | |
| 482 | attribute to true.</TD> | |
| 483 | </TR> | |
| 484 | <TR> | |
| 485 | <TD NOWRAP><TT>CUPS-Reject-Jobs</TT></TD> | |
| 486 | <TD>Yes</TD> | |
| 487 | <TD>Sets a printer's or class' printer-is-accepting-jobs | |
| 488 | attribute to false.</TD> | |
| 489 | </TR> | |
| 490 | <TR> | |
| 491 | <TD NOWRAP><TT>CUPS-Set-Default</TT></TD> | |
| 492 | <TD>Yes</TD> | |
| 493 | <TD>Sets the server/network default printer or class.</TD> | |
| 494 | </TR> | |
| 495 | <TR> | |
| 496 | <TD NOWRAP><TT>CUPS-Get-Devices</TT></TD> | |
| 497 | <TD>Yes</TD> | |
| 498 | <TD>Gets a list of printer devices.</TD> | |
| 499 | </TR> | |
| 500 | <TR> | |
| 501 | <TD NOWRAP><TT>CUPS-Get-PPDs</TT></TD> | |
| 502 | <TD>Yes</TD> | |
| 503 | <TD>Gets a list of printer drivers or manufacturers.</TD> | |
| 504 | </TR> | |
| 505 | <TR> | |
| 506 | <TD NOWRAP><TT>CUPS-Move-Job</TT></TD> | |
| 507 | <TD>Yes</TD> | |
| 508 | <TD>Moves a job to a different printer or class.</TD> | |
| 509 | </TR> | |
| 510 | <TR> | |
| 511 | <TD NOWRAP><TT>CUPS-Authenticate-Job</TT></TD> | |
| 512 | <TD>Yes</TD> | |
| 513 | <TD>Authenticates a job for printing.</TD> | |
| 514 | </TR> | |
| 515 | </TBODY> | |
| 516 | </TABLE></DIV> | |
| 517 | ||
| 518 | ||
| 519 | <H2 CLASS="title"><A NAME="CREATING">Creating Your Own Policies</A></H2> | |
| 520 | ||
| 521 | <P>The easiest way to create a new policy is to start with the | |
| 522 | default policy and then make changes to the copy. The first | |
| 523 | change you'll make is to give the policy a new name. Policy names | |
| 524 | can use the same characters as a printer name, specifically all | |
| 525 | printable characters except space, slash (/), and pound (#):</P> | |
| 526 | ||
| 5a738aea | 527 | <PRE CLASS="example"> |
| 8ca02f3c | 528 | <Policy mypolicy> |
| 529 | </PRE> | |
| 530 | ||
| 531 | <P>Then you need to decide exactly what limits you want for the | |
| 532 | policy. For example, if you want to allow any user to cancel any | |
| 533 | other users' jobs, you can change the <TT>Cancel-Job</TT> limits | |
| 534 | to:</P> | |
| 535 | ||
| 5a738aea | 536 | <PRE CLASS="example"> |
| 8ca02f3c | 537 | <Limit Cancel-Job> |
| 538 | Order deny,allow | |
| 539 | </Limit> | |
| 540 | </PRE> | |
| 541 | ||
| 542 | <P>The directives inside the <TT>Limit</TT> subsection can use | |
| 543 | any of the normal limiting directives: <A | |
| 544 | HREF="ref-cupsd-conf.html#Allow"><TT>Allow</TT></A>, <A | |
| 545 | HREF="ref-cupsd-conf.html#AuthType"><TT>AuthType</TT></A>, <A | |
| 546 | HREF="ref-cupsd-conf.html#Deny"><TT>Deny</TT></A>, <A | |
| 547 | HREF="ref-cupsd-conf.html#Encryption"><TT>Encryption</TT></A>, <A | |
| 548 | HREF="ref-cupsd-conf.html#Require"><TT>Require</TT></A>, and <A | |
| 549 | HREF="ref-cupsd-conf.html#Satisfy"><TT>Satisfy</TT></A>. <A | |
| 550 | HREF="#TABLE02">Table 2</A> lists some basic "recipes" for | |
| 551 | different access control rules.</P> | |
| 552 | ||
| 553 | <DIV CLASS="table"><TABLE WIDTH="80%" SUMMARY="Access Control Recipes"> | |
| 554 | <CAPTION>Table 2: <A NAME="TABLE02">Access Control Recipes</A></CAPTION> | |
| 555 | <THEAD> | |
| 556 | <TR> | |
| 557 | <TH>Access Level</TH> | |
| 558 | <TH>Directives to Use</TH> | |
| 559 | </TR> | |
| 560 | </THEAD> | |
| 561 | <TBODY> | |
| 562 | <TR> | |
| 563 | <TD>Allow Everyone</TD> | |
| 564 | <TD><PRE>Order deny,allow | |
| 565 | Allow from all</PRE></TD> | |
| 566 | </TR> | |
| 567 | <TR> | |
| 568 | <TD>Allow Everyone on the Local Network</TD> | |
| 569 | <TD><PRE>Order deny,allow | |
| 570 | Allow from @LOCAL</PRE></TD> | |
| 571 | </TR> | |
| 572 | <TR> | |
| 573 | <TD>Deny Everyone/Disable Operation(s)</TD> | |
| 574 | <TD><PRE>Order allow,deny | |
| 575 | Deny from all</PRE></TD> | |
| 576 | </TR> | |
| 577 | <TR> | |
| 578 | <TD>Require Login (System) Password</TD> | |
| 579 | <TD><PRE>AuthType Basic</PRE></TD> | |
| 580 | </TR> | |
| 581 | <TR> | |
| 582 | <TD>Require CUPS (lppasswd) Password</TD> | |
| 583 | <TD><PRE>AuthType BasicDigest</PRE></TD> | |
| 584 | </TR> | |
| 585 | <TR> | |
| 586 | <TD>Require the Owner of a Job or Subscription</TD> | |
| 587 | <TD><PRE>Require user @OWNER</PRE></TD> | |
| 588 | </TR> | |
| 589 | <TR> | |
| 590 | <TD>Require an Administrative User</TD> | |
| 591 | <TD><PRE>Require user @SYSTEM</PRE></TD> | |
| 592 | </TR> | |
| 593 | <TR> | |
| 594 | <TD>Require Member of Group "foogroup"</TD> | |
| 595 | <TD><PRE>Require user @foogroup</PRE></TD> | |
| 596 | </TR> | |
| 597 | <TR> | |
| 598 | <TD>Require "john" or "mary"</TD> | |
| 599 | <TD><PRE>Require user john mary</PRE></TD> | |
| 600 | </TR> | |
| 601 | <TR> | |
| 602 | <TD>Require Encryption</TD> | |
| 603 | <TD><PRE>Encryption Required</PRE></TD> | |
| 604 | </TR> | |
| 605 | </TABLE></DIV> | |
| 606 | ||
| 607 | ||
| 608 | <H3>Creating a Policy for a Computer Lab</H3> | |
| 609 | ||
| 610 | <P>One common operating scenario is a computer lab. The lab is | |
| 611 | managed by one or more technicians that assist the users of the | |
| 612 | lab and handle the basic administration tasks. <A | |
| 613 | HREF="#LISTING02">Listing 2</A> shows an operation policy that | |
| 614 | only allows access from the lab's subnet, 10.0.2.x, and allows | |
| 615 | the lab technicians, who are members of a special UNIX group for | |
| 616 | that lab called "lab999", to do job, printer, and subscription | |
| 617 | management operations.</P> | |
| 618 | ||
| 5a738aea | 619 | <PRE CLASS="example"> |
| 8ca02f3c | 620 | <EM>Listing 2: <A NAME="LISTING02">Operation Policy for a Lab</A></EM> |
| 621 | ||
| 622 | 1 <Policy lab999> | |
| 623 | 2 # Job- and subscription-related operations must be done | |
| 355e94dc | 624 | by the owner, a lab technician, or an administrator... |
| 8ca02f3c | 625 | 3 <Limit Send-Document Send-URI Hold-Job Release-Job |
| 626 | Restart-Job Purge-Jobs Set-Job-Attributes | |
| 627 | Create-Job-Subscription Renew-Subscription | |
| 628 | Cancel-Subscription Get-Notifications Reprocess-Job | |
| 629 | Cancel-Current-Job Suspend-Current-Job Resume-Job | |
| 630 | CUPS-Move-Job Cancel-Job CUPS-Authenticate-Job> | |
| 631 | 4 Require user @OWNER @lab999 @SYSTEM | |
| 632 | 5 Order allow,deny | |
| 633 | 6 Allow from 10.0.2.0/24 | |
| 634 | 7 </Limit> | |
| 635 | 8 | |
| 636 | 9 # All administration operations require a lab technician | |
| 355e94dc | 637 | or an administrator to authenticate... |
| 8ca02f3c | 638 | 10 <Limit Pause-Printer Resume-Printer |
| 639 | Set-Printer-Attributes Enable-Printer Disable-Printer | |
| 640 | Pause-Printer-After-Current-Job Hold-New-Jobs | |
| 641 | Release-Held-New-Jobs Deactivate-Printer Activate-Printer | |
| 642 | Restart-Printer Shutdown-Printer Startup-Printer | |
| 643 | Promote-Job Schedule-Job-After CUPS-Accept-Jobs | |
| 644 | CUPS-Reject-Jobs CUPS-Set-Default> | |
| 355e94dc | 645 | 11 AuthType Default |
| 8ca02f3c | 646 | 12 Require user @lab999 @SYSTEM |
| 647 | 13 Order allow,deny | |
| 648 | 14 Allow from 10.0.2.0/24 | |
| 649 | 15 </Limit> | |
| 650 | 16 | |
| 651 | 17 # All other operations are allowed from the lab network... | |
| 652 | 18 <Limit All> | |
| 653 | 19 Order allow,deny | |
| 654 | 20 Allow from 10.0.2.0/24 | |
| 655 | 21 </Limit> | |
| 656 | 22 </Policy> | |
| 657 | </PRE> | |
| 658 | ||
| 659 | ||
| 660 | <H2 CLASS="title"><A NAME="SELECT">Using Policies</A></H2> | |
| 661 | ||
| 662 | <P>Once you have created a policy, you can use it in two ways. | |
| 663 | The first way is to assign it as the default policy for the | |
| 664 | system using the <A | |
| 665 | HREF="ref-cupsd-conf.html#DefaultPolicy"><TT>DefaultPolicy</TT></A> | |
| 666 | directive in the <VAR>cupsd.conf</VAR> file. For example, add the | |
| 667 | following line to the <VAR>cupsd.conf</VAR> file to use the | |
| 668 | "lab999" policy from the previous section:</P> | |
| 669 | ||
| 5a738aea | 670 | <PRE CLASS="example"> |
| 8ca02f3c | 671 | DefaultPolicy lab999 |
| 672 | </PRE> | |
| 673 | ||
| 674 | <P>To associate the policy with one or more printers, use either | |
| 675 | the <A HREF="man-lpadmin.html">lpadmin(8)</A> command or the web | |
| 676 | interface to change the operation policy for each printer. When | |
| 677 | using the <B>lpadmin</B> command, the <TT>-o | |
| 678 | printer-op-policy=name</TT> option sets the operation policy for | |
| 679 | a printer. For example, enter the following command to use the | |
| 680 | "lab999" policy from the previous section with a printer named | |
| 681 | "LaserJet4000":</P> | |
| 682 | ||
| 683 | <PRE CLASS="command"> | |
| 684 | lpadmin -p LaserJet4000 -o printer-op-policy=lab999 | |
| 685 | </PRE> | |
| 686 | ||
| 687 | <P>To make the same change in the web interface, go to the | |
| 688 | printer's web page, for example | |
| 689 | "http://localhost:631/printers/LaserJet4000", and click on the | |
| 690 | <VAR>Set Printer Options</VAR> button. Scroll down to the bottom | |
| 691 | of the page and choose the desired policy from the pull-down | |
| 2e4ff8af | 692 | list. Click on <VAR>Set Printer Options</VAR> to change the policy for |
| 8ca02f3c | 693 | the printer.</P> |
| 694 | ||
| 695 | </BODY> | |
| 696 | </HTML> |