Question

non-admin printer access

  • April 3, 2009
  • 12 replies
  • 9 views


Jeff,

I think a lot of folks are thinking that modifying the CUPS configuration file will allow users to add printers via System Preferences -- I know that's what I thought until I started reading deeper.

I have discovered if you want to give users quick access to adding printers, instead of sending them to a print dialog, you can place an alias to /System/Library/CoreServices/AddPrinter.app in their dock or on their desktop.

--
Bryan Vines
Systems Administrator
Watts Guerra Craft LLP

12 replies

  • Contributor
  • 113 replies
  • April 3, 2009

True; AddPrinter.app will bring up the same dialogue you'll find if you add a printer from the Print menu of an app. However, you'll still need to modify cupsd.conf since a standard user will still be asked to authenticate as an admin.


  • Contributor
  • 113 replies
  • April 3, 2009

I know you weren't implying you didn't have to leave it unmodified. So, you're right: that's a faster and better way to allow them to add printers. :)


  • Contributor
  • 62 replies
  • April 8, 2009

Tiger's Printer Setup Utility has a PrintingReset.sh command within its
contents folder, is anyone aware of a similar command within Leopard client?
I'd love to provide our end users with a Self Service policy for blowing
away any printers they've acquired and then simply add new ones (again
through Self Service) based on their location in our organization.

We've gone the route of modifying the cups.conf file, but the next security
update or OS update always seems to fix it again.

Robb Gibson
System Engineer - eMMS, Publishing Systems
OfficeMax : 263 Shuman Blvd. : Naperville, IL 60563
(630) 864-5242


  • 0 replies
  • April 8, 2009

Easiest way I know to do it, short of an Apple supplied script/method, would
be to delete/move the printers.conf file and restart cups:
#!/bin/bash
#
# Name: removeallprinters.sh
# Date: 4-3-09
# Author: Steve Wood (swood at integerdallas.com)
#
# This script will move the current printers.conf file to printers.conf.old
# so we can remove all printers from the machine.

# Keep the backup beside the original rather than in the current directory
mv /etc/cups/printers.conf /etc/cups/printers.conf.old

# now restart cupsd
killall -HUP cupsd

exit 0

Steve Wood
Director of IT
swood at integerdallas.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475


  • Contributor
  • 62 replies
  • April 8, 2009

Thanks Steve, I'll give it a whirl!

It's probably worth mentioning to everyone that a similar discussion took
place back in December and Ryan Harter observed that the reason that CUPS
requires an admin authorization for adding and removing printers was to
close a security hole in the OS.


  • Honored Contributor
  • 2721 replies
  • April 8, 2009

I just edited the /etc/cups/cupsd.conf file to allow non admins access
to install printers and it did not work. Am I missing something?



Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
blackberry: 913-449-7589
office: 913-627-0351


  • Contributor
  • 113 replies
  • April 9, 2009

Did you kill cupsd? I usually restart instead of a killall. Should work. BTW, what security hole was supposed to be fixed by requiring admins to install printers?

Sent from my iPhone


  • 0 replies
  • April 9, 2009

The security risk is that when you install a printer, the backend, or even the PPD can run code. A malicious user could potentially write a "printer driver" and then install the printer and, when printed to, it would execute that code as root (or at least the lp user, I'm not really sure).

This was actually a pretty big vulnerability from what I've read. I did some work with the printing system and emailed quite a bit with Michael Sweet (the guy who invented CUPS); he seems to think it's a good idea.

Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716
Ryan.Harter at uwsp.edu


  • Contributor
  • 113 replies
  • April 9, 2009

That's what I remember reading... But wouldn't installing a printer that OS X already has drivers for negate that danger? Installing a printer via the method we're discussing and installing a new print driver use two different methods, right? In other words, even if you allow a standard user to install printers via cupsd.conf modification, installing a driver would still require admin privs, wouldn't it?

Sent from my iPhone


  • 0 replies
  • April 9, 2009

Well, in theory, yes. But one thing I remember reading was them saying PPDs could fire off the arbitrary code. I thought PPDs were just a description of the printer, but they can tell CUPS if there are any programs (perhaps for formatting, it's been about a year since my work with CUPS) that need to be run on the job before it gets sent to the backend. I could be wrong, but I think I remember Adobe doing something with this.

That would allow you to put a program on your desktop, and also a PPD set up to fire off that program, then add a printer and tell it to use that PPD, which doesn't need to be installed, and then it will fire off the program in the alternate user context.

Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716
Ryan.Harter at uwsp.edu


  • Contributor
  • 113 replies
  • April 9, 2009

If a PPD can be modified without admin privs, that's pretty cool. Thanks for the details. :)

Sent from my iPhone


  • 0 replies
  • April 9, 2009

Easy as pie. You can download a ppd from the web, say, if you need to install a printer and that's all it needs. Or you can just go to /Library/Printers/PPDs/Contents/Resources/ and copy one to your desktop. Then just pick one and copy it to your desktop. They are all gz'ed up in there, but you just unzip it and it's just a text file; add a ppd extension if you want. Since you copied it, you now have ownership.

In the olden days before Casper on my campus (up until last summer) we had loginhooks on the machines that mounted a network share and ran a series of scripts. One of these installed the correct printers if they weren't installed, determined by the computer's location in AD, and used PPDs that we stored on the servers, not the ones on the local machines.

The reason we used PPDs from the server is because we had customized them based on the printer's capabilities, duplexing, third tray, etc. The lpadmin command lets you add a printer and point it to any ppd file; it doesn't have to be in any particular spot, or even on the local machine.

Hence, you could easily just copy a ppd out to /Library/..., modify it, and then install a printer that uses that ppd.

Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716
Ryan.Harter at uwsp.edu
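
The two points raised above (a PPD can name a program for CUPS to run, and lpadmin accepts a PPD from any location) suggest checking a PPD before a printer is added with it. The following is an added example, not part of the original thread: a shell function that lists the programs named in a PPD's `*cupsFilter`, `*cupsFilter2` and `*cupsPreFilter` lines and flags any that fall outside the CUPS filter directory. The `FILTER_DIR` default, the function names and the sample PPD are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the filter programs a PPD requests.
# FILTER_DIR is an assumption; set it to the CUPS filter directory of the host.
FILTER_DIR="${FILTER_DIR:-/usr/libexec/cups/filter}"

# audit_ppd FILE: prints "OK <prog>" or "SUSPECT <prog>" for each filter line.
# Returns 1 if any program is an absolute path outside FILTER_DIR or uses "..".
audit_ppd() {
    # PPDs shipped with the OS may be gzip-compressed, as noted in the thread.
    case "$1" in *.gz) reader="gzip -dc" ;; *) reader="cat" ;; esac
    $reader "$1" | tr -d '\r' | awk -v dir="$FILTER_DIR" '
        BEGIN { rc = 0 }
        /^\*cups(Pre)?Filter2?:/ {
            # The value is a quoted string; the program is its last field.
            if (!match($0, /"[^"]*"/)) next
            val = substr($0, RSTART + 1, RLENGTH - 2)
            n = split(val, f, " ")
            if (n == 0) next
            prog = f[n]
            if (prog ~ /\.\./ || (prog ~ /^\// && index(prog, dir "/") != 1)) {
                print "SUSPECT " prog; rc = 1
            } else print "OK " prog
        }
        END { exit rc }
    '
}

# sample_ppd: emits a constructed PPD fragment (not a real printer description).
sample_ppd() {
cat <<'EOF'
*PPD-Adobe: "4.3"
*NickName: "Constructed Example Printer"
*cupsFilter: "application/vnd.cups-raster 0 rastertoexample"
*cupsFilter: "application/vnd.cups-postscript 0 /Users/Shared/helper"
*cupsPreFilter: "image/png 0 ../../tmp/prefilter"
EOF
}

# Demo run on the constructed sample.
tmp="$(mktemp)"
sample_ppd > "$tmp"
audit_ppd "$tmp" || echo "review the SUSPECT entries above before adding this printer"
rm -f "$tmp"
```

A bare program name is reported as OK because it resolves inside the filter directory; the check does not verify that the file exists or who owns it.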