<HTML>
<!-- SECTION: Getting Started -->
<HEAD>
	<TITLE>Managing Operation Policies</TITLE>
</HEAD>
<BODY>

<P>Operation policies are the rules used for each IPP operation
in CUPS. These rules include things like "user must provide a
password", "user must be in the system group", "allow only from
the local system", and so forth. Until CUPS 1.2, these rules were
largely hardcoded and could only be customized at a very basic
level.</P>

<P>CUPS 1.2 adds a new fine-grained policy layer that allows you
to completely redefine the rules for each operation and/or
printer. Each policy is named and defines access control rules
for each IPP operation. This document describes how to manage
policies and their rules.</P>

<H2 CLASS="title"><A NAME="BASICS">The Basics</A></H2>

<P>Operation policies are used for all IPP requests sent to the
scheduler and are evaluated <em>after</em> the <A
HREF="ref-cupsd-conf.html#Location"><TT>Location</TT></A> based
access control rules. This means that operation policies can only
add security restrictions to a request, never relax them. Use
<TT>Location</TT> based access control rules for server-wide
limits and operation policies for limits on individual printers,
tasks, or services.</P>

<P>Policies are stored in the <VAR>cupsd.conf</VAR> file in <A
HREF="ref-cupsd-conf.html#Policy"><TT>Policy</TT></A> sections.
Each policy has an alphanumeric name that is used to select it.
Inside the policy section are one or more <A
HREF="ref-cupsd-conf.html#LimitIPP"><TT>Limit</TT></A>
subsections, each of which lists the operations that are affected
by the rules inside it. <A HREF="#LISTING01">Listing 1</A> shows
the default operation policy, appropriately called "default",
that is shipped with CUPS.</P>

<P>The easiest way to add a policy to the <VAR>cupsd.conf</VAR>
file is to use the web interface. Click on the
<VAR>Administration</VAR> tab and then the <VAR>Edit
Configuration File</VAR> button to edit the current
<VAR>cupsd.conf</VAR> file. Click on the <VAR>Save Changes</VAR>
button to save the changes and restart the scheduler. If you edit
the <VAR>cupsd.conf</VAR> file from the console, make sure to <A
HREF="ref-cupsd-conf.html">restart the cupsd process</A> before
trying to use the new policy.</P>

<PRE CLASS="command">
<EM>Listing 1: <A NAME="LISTING01">Default Operation Policy</A></EM>

 1    &lt;Policy default&gt;
 2      # Job-related operations must be done by the owner or an administrator...
 3      &lt;Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job&gt;
 4        Require user @OWNER @SYSTEM
 5        Order deny,allow
 6      &lt;/Limit&gt;
 7
 8      # All administration operations require an administrator to authenticate...
 9      &lt;Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default&gt;
10        AuthType Basic
11        Require user @SYSTEM
12        Order deny,allow
13      &lt;/Limit&gt;
14
15      # Only the owner or an administrator can cancel or authenticate a job...
16      &lt;Limit Cancel-Job CUPS-Authenticate-Job&gt;
17        Require user @OWNER @SYSTEM
18        Order deny,allow
19      &lt;/Limit&gt;
20
21      &lt;Limit All&gt;
22        Order deny,allow
23      &lt;/Limit&gt;
24    &lt;/Policy&gt;
</PRE>

<H3>The Default CUPS Operation Policy</H3>

<P>The policy definition starts with an opening <TT>Policy</TT>
directive:</P>

<PRE CLASS="command">
 1    &lt;Policy default&gt;
</PRE>

<P>The first <TT>Limit</TT> subsection defines the rules for IPP
job operations:</P>

<PRE CLASS="command">
 3      &lt;Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job&gt;
 4        Require user @OWNER @SYSTEM
 5        Order deny,allow
 6      &lt;/Limit&gt;
</PRE>

<P>The operation names are listed on a single line with spaces
separating them. Each name corresponds to the IPP operation
described in one of the IETF or PWG standards documents for the
Internet Printing Protocol. <A HREF="#TABLE01">Table 1</A> lists
all of the operations that have been defined along with their
usage in CUPS.</P>

<P>The access control rules are listed after the <TT>Limit</TT>
line and are the same as those used for <A
HREF="ref-cupsd-conf.html#Location"><TT>Location</TT></A>
sections. In this case, we require the owner of the job
("@OWNER") or a member of the <A
HREF="ref-cupsd-conf.html#SystemGroup"><TT>SystemGroup</TT></A>
("@SYSTEM") to do the operation. Because we do not include an <A
HREF="ref-cupsd-conf.html#AuthType"><TT>AuthType</TT></A>
directive here, the user information can come either from the
IPP request itself, without any authentication, or from the
authenticated username of the HTTP request. The administrative
operations starting on line 9, however, <em>do</em> use the
<TT>AuthType</TT> directive, and so administrative operations
need to be authenticated:</P>

<PRE CLASS="command">
 9      &lt;Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default&gt;
10        AuthType Basic
11        Require user @SYSTEM
12        Order deny,allow
13      &lt;/Limit&gt;
</PRE>

<P>The "Order deny,allow" line at the end of both <TT>Limit</TT>
subsections allows the request to come from any system allowed by
the <TT>Location</TT> sections elsewhere in the
<VAR>cupsd.conf</VAR> file.</P>

<P>The <TT>Cancel-Job</TT> and <TT>CUPS-Authenticate-Job</TT>
operations are listed separately to allow the web interface to
edit their policy more easily without disturbing the rest. Like
the rest of the job operations, we want the job's owner
("@OWNER") or an administrator ("@SYSTEM") to do it:</P>

<PRE CLASS="command">
16      &lt;Limit Cancel-Job CUPS-Authenticate-Job&gt;
17        Require user @OWNER @SYSTEM
18        Order deny,allow
19      &lt;/Limit&gt;
</PRE>

<P>The last <TT>Limit</TT> subsection in any policy uses the
special operation name <TT>All</TT>. CUPS will use the rules in
this subsection for any operation you don't list specifically in
the policy. In this case, all other operations are allowed
without a username or authentication:</P>

<PRE CLASS="command">
21      &lt;Limit All&gt;
22        Order deny,allow
23      &lt;/Limit&gt;
24    &lt;/Policy&gt;
</PRE>


<DIV CLASS="table"><TABLE WIDTH="80%" SUMMARY="IPP Operation Names">
<CAPTION>Table 1: <A NAME="TABLE01">IPP Operation Names</A></CAPTION>
<THEAD>
<TR>
	<TH>Name</TH>
	<TH>Used by CUPS?</TH>
	<TH>Description</TH>
</TR>
</THEAD>
<TBODY>
<TR>
	<TD NOWRAP><TT>Print-Job</TT></TD>
	<TD>Yes</TD>
	<TD>Creates a print job with a single file.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Print-URI</TT></TD>
	<TD>No</TD>
	<TD>Creates a print job with a single URI.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Validate-Job</TT></TD>
	<TD>Yes</TD>
	<TD>Validates a print request before printing.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Create-Job</TT></TD>
	<TD>Yes</TD>
	<TD>Creates a print job with no files or URIs.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Send-Document</TT></TD>
	<TD>Yes</TD>
	<TD>Adds a file to a print job.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Send-URI</TT></TD>
	<TD>No</TD>
	<TD>Adds a URI to a print job.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Cancel-Job</TT></TD>
	<TD>Yes</TD>
	<TD>Cancels a print job.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Get-Job-Attributes</TT></TD>
	<TD>Yes</TD>
	<TD>Gets information and options associated with a job.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Get-Jobs</TT></TD>
	<TD>Yes</TD>
	<TD>Gets a list of jobs.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Get-Printer-Attributes</TT></TD>
	<TD>Yes</TD>
	<TD>Gets information and options associated with a printer or class.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Hold-Job</TT></TD>
	<TD>Yes</TD>
	<TD>Holds a print job so that it is not printed until released.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Release-Job</TT></TD>
	<TD>Yes</TD>
	<TD>Releases a held print job for printing.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Restart-Job</TT></TD>
	<TD>Yes</TD>
	<TD>Reprints a print job.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Pause-Printer</TT></TD>
	<TD>Yes</TD>
	<TD>Stops a printer or class.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Resume-Printer</TT></TD>
	<TD>Yes</TD>
	<TD>Starts a printer or class.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Purge-Jobs</TT></TD>
	<TD>Yes</TD>
	<TD>Cancels all jobs on the server or on a printer or class
	and removes the job history information.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Set-Printer-Attributes</TT></TD>
	<TD>No</TD>
	<TD>Sets printer or class information; CUPS uses
	CUPS-Add-Modify-Printer and CUPS-Add-Modify-Class
	instead.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Set-Job-Attributes</TT></TD>
	<TD>Yes</TD>
	<TD>Changes job options.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Get-Printer-Supported-Values</TT></TD>
	<TD>No</TD>
	<TD>Gets the <TT>-supported</TT> attributes for a printer based
	on job options.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Create-Printer-Subscription</TT></TD>
	<TD>Yes</TD>
	<TD>Creates an event subscription for a printer or the server.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Create-Job-Subscription</TT></TD>
	<TD>Yes</TD>
	<TD>Creates an event subscription for a job.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Get-Subscription-Attributes</TT></TD>
	<TD>Yes</TD>
	<TD>Gets information for an event subscription.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Get-Subscriptions</TT></TD>
	<TD>Yes</TD>
	<TD>Gets a list of event subscriptions.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Renew-Subscription</TT></TD>
	<TD>Yes</TD>
	<TD>Renews an event subscription that is about to expire.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Cancel-Subscription</TT></TD>
	<TD>Yes</TD>
	<TD>Cancels an event subscription.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Get-Notifications</TT></TD>
	<TD>Yes</TD>
	<TD>Gets (pending) events for an event subscription.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Send-Notifications</TT></TD>
	<TD>No</TD>
	<TD>Sends events for an event subscription.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Get-Printer-Support-Files</TT></TD>
	<TD>No</TD>
	<TD>Gets printer driver files for a Novell client.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Enable-Printer</TT></TD>
	<TD>Yes</TD>
	<TD>Starts a printer or class.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Disable-Printer</TT></TD>
	<TD>Yes</TD>
	<TD>Stops a printer or class.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Pause-Printer-After-Current-Job</TT></TD>
	<TD>No</TD>
	<TD>Stops a printer or class after the current job is finished.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Hold-New-Jobs</TT></TD>
	<TD>No</TD>
	<TD>Holds new jobs submitted to a printer or class.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Release-Held-New-Jobs</TT></TD>
	<TD>No</TD>
	<TD>Releases jobs that were held because of the
	Hold-New-Jobs operation.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Deactivate-Printer</TT></TD>
	<TD>No</TD>
	<TD>Deactivates a printer or class.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Activate-Printer</TT></TD>
	<TD>No</TD>
	<TD>Activates a printer or class.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Restart-Printer</TT></TD>
	<TD>No</TD>
	<TD>Restarts a printer or class, resuming print jobs as needed.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Shutdown-Printer</TT></TD>
	<TD>No</TD>
	<TD>Powers a printer or class off.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Startup-Printer</TT></TD>
	<TD>No</TD>
	<TD>Powers a printer or class on.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Reprocess-Job</TT></TD>
	<TD>No</TD>
	<TD>Reprints a job on a different printer or class; CUPS has the
	CUPS-Move-Job operation instead.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Cancel-Current-Job</TT></TD>
	<TD>No</TD>
	<TD>Cancels the current job on a printer or class.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Suspend-Current-Job</TT></TD>
	<TD>No</TD>
	<TD>Stops the current job on a printer or class.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Resume-Job</TT></TD>
	<TD>No</TD>
	<TD>Resumes printing of a stopped job.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Promote-Job</TT></TD>
	<TD>No</TD>
	<TD>Prints a job before others.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>Schedule-Job-After</TT></TD>
	<TD>No</TD>
	<TD>Prints a job after others.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>CUPS-Get-Default</TT></TD>
	<TD>Yes</TD>
	<TD>Gets the server/network default printer or class.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>CUPS-Get-Printers</TT></TD>
	<TD>Yes</TD>
	<TD>Gets a list of printers and/or classes.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>CUPS-Add-Modify-Printer</TT></TD>
	<TD>Yes</TD>
	<TD>Adds or modifies a printer.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>CUPS-Delete-Printer</TT></TD>
	<TD>Yes</TD>
	<TD>Removes a printer.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>CUPS-Get-Classes</TT></TD>
	<TD>Yes</TD>
	<TD>Gets a list of classes.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>CUPS-Add-Modify-Class</TT></TD>
	<TD>Yes</TD>
	<TD>Adds or modifies a class.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>CUPS-Delete-Class</TT></TD>
	<TD>Yes</TD>
	<TD>Removes a class.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>CUPS-Accept-Jobs</TT></TD>
	<TD>Yes</TD>
	<TD>Sets a printer's or class's printer-is-accepting-jobs
	attribute to true.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>CUPS-Reject-Jobs</TT></TD>
	<TD>Yes</TD>
	<TD>Sets a printer's or class's printer-is-accepting-jobs
	attribute to false.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>CUPS-Set-Default</TT></TD>
	<TD>Yes</TD>
	<TD>Sets the server/network default printer or class.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>CUPS-Get-Devices</TT></TD>
	<TD>Yes</TD>
	<TD>Gets a list of printer devices.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>CUPS-Get-PPDs</TT></TD>
	<TD>Yes</TD>
	<TD>Gets a list of printer drivers or manufacturers.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>CUPS-Move-Job</TT></TD>
	<TD>Yes</TD>
	<TD>Moves a job to a different printer or class.</TD>
</TR>
<TR>
	<TD NOWRAP><TT>CUPS-Authenticate-Job</TT></TD>
	<TD>Yes</TD>
	<TD>Authenticates a job for printing.</TD>
</TR>
</TBODY>
</TABLE></DIV>


<H2 CLASS="title"><A NAME="CREATING">Creating Your Own Policies</A></H2>

<P>The easiest way to create a new policy is to start with the
default policy and then make changes to the copy. The first
change you'll make is to give the policy a new name. Policy names
can use the same characters as a printer name, specifically all
printable characters except space, slash (/), and pound (#):</P>

<PRE CLASS="command">
&lt;Policy mypolicy&gt;
</PRE>

<P>Then you need to decide exactly what limits you want for the
policy. For example, if you want to allow any user to cancel any
other user's jobs, you can change the <TT>Cancel-Job</TT> limits
to:</P>

<PRE CLASS="command">
&lt;Limit Cancel-Job&gt;
  Order deny,allow
&lt;/Limit&gt;
</PRE>

<P>The directives inside the <TT>Limit</TT> subsection can use
any of the normal limiting directives: <A
HREF="ref-cupsd-conf.html#Allow"><TT>Allow</TT></A>, <A
HREF="ref-cupsd-conf.html#AuthType"><TT>AuthType</TT></A>, <A
HREF="ref-cupsd-conf.html#Deny"><TT>Deny</TT></A>, <A
HREF="ref-cupsd-conf.html#Encryption"><TT>Encryption</TT></A>, <A
HREF="ref-cupsd-conf.html#Require"><TT>Require</TT></A>, and <A
HREF="ref-cupsd-conf.html#Satisfy"><TT>Satisfy</TT></A>. <A
HREF="#TABLE02">Table 2</A> lists some basic "recipes" for
different access control rules.</P>

<DIV CLASS="table"><TABLE WIDTH="80%" SUMMARY="Access Control Recipes">
<CAPTION>Table 2: <A NAME="TABLE02">Access Control Recipes</A></CAPTION>
<THEAD>
<TR>
	<TH>Access Level</TH>
	<TH>Directives to Use</TH>
</TR>
</THEAD>
<TBODY>
<TR>
	<TD>Allow Everyone</TD>
	<TD><PRE>Order deny,allow
Allow from all</PRE></TD>
</TR>
<TR>
	<TD>Allow Everyone on the Local Network</TD>
	<TD><PRE>Order deny,allow
Allow from @LOCAL</PRE></TD>
</TR>
<TR>
	<TD>Deny Everyone/Disable Operation(s)</TD>
	<TD><PRE>Order allow,deny
Deny from all</PRE></TD>
</TR>
<TR>
	<TD>Require Login (System) Password</TD>
	<TD><PRE>AuthType Basic</PRE></TD>
</TR>
<TR>
	<TD>Require CUPS (lppasswd) Password</TD>
	<TD><PRE>AuthType BasicDigest</PRE></TD>
</TR>
<TR>
	<TD>Require the Owner of a Job or Subscription</TD>
	<TD><PRE>Require user @OWNER</PRE></TD>
</TR>
<TR>
	<TD>Require an Administrative User</TD>
	<TD><PRE>Require user @SYSTEM</PRE></TD>
</TR>
<TR>
	<TD>Require Member of Group "foogroup"</TD>
	<TD><PRE>Require user @foogroup</PRE></TD>
</TR>
<TR>
	<TD>Require "john" or "mary"</TD>
	<TD><PRE>Require user john mary</PRE></TD>
</TR>
<TR>
	<TD>Require Encryption</TD>
	<TD><PRE>Encryption Required</PRE></TD>
</TR>
</TBODY>
</TABLE></DIV>


<H3>Creating a Policy for a Computer Lab</H3>

<P>One common operating scenario is a computer lab. The lab is
managed by one or more technicians who assist the users of the
lab and handle the basic administration tasks. <A
HREF="#LISTING02">Listing 2</A> shows an operation policy that
only allows access from the lab's subnet, 10.0.2.x, and allows
the lab technicians, who are members of a special UNIX group for
that lab called "lab999", to do job, printer, and subscription
management operations.</P>

<PRE CLASS="command">
<EM>Listing 2: <A NAME="LISTING02">Operation Policy for a Lab</A></EM>

 1    &lt;Policy lab999&gt;
 2      # Job- and subscription-related operations must be done by the owner, a lab technician, or an administrator...
 3      &lt;Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job Cancel-Job CUPS-Authenticate-Job&gt;
 4        Require user @OWNER @lab999 @SYSTEM
 5        Order allow,deny
 6        Allow from 10.0.2.0/24
 7      &lt;/Limit&gt;
 8
 9      # All administration operations require a lab technician or an administrator to authenticate...
10      &lt;Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default&gt;
11        AuthType Basic
12        Require user @lab999 @SYSTEM
13        Order allow,deny
14        Allow from 10.0.2.0/24
15      &lt;/Limit&gt;
16
17      # All other operations are allowed from the lab network...
18      &lt;Limit All&gt;
19        Order allow,deny
20        Allow from 10.0.2.0/24
21      &lt;/Limit&gt;
22    &lt;/Policy&gt;
</PRE>


<H2 CLASS="title"><A NAME="SELECT">Using Policies</A></H2>

<P>Once you have created a policy, you can use it in two ways.
The first way is to assign it as the default policy for the
system using the <A
HREF="ref-cupsd-conf.html#DefaultPolicy"><TT>DefaultPolicy</TT></A>
directive in the <VAR>cupsd.conf</VAR> file. For example, add the
following line to the <VAR>cupsd.conf</VAR> file to use the
"lab999" policy from the previous section:</P>

<PRE CLASS="command">
DefaultPolicy lab999
</PRE>

<P>To associate the policy with one or more printers, use either
the <A HREF="man-lpadmin.html">lpadmin(8)</A> command or the web
interface to change the operation policy for each printer. When
using the <B>lpadmin</B> command, the <TT>-o
printer-op-policy=name</TT> option sets the operation policy for
a printer. For example, enter the following command to use the
"lab999" policy from the previous section with a printer named
"LaserJet4000":</P>

<PRE CLASS="command">
lpadmin -p LaserJet4000 -o printer-op-policy=lab999
</PRE>

<P>To make the same change in the web interface, go to the
printer's web page, for example
"http://localhost:631/printers/LaserJet4000", and click on the
<VAR>Set Printer Options</VAR> button. Scroll down to the bottom
of the page and choose the desired policy from the pull-down
list. Click on <VAR>Save Changes</VAR> to change the policy for
the printer.</P>

</BODY>
</HTML>