Allow Non-Admin Users to Add Printers in Leopard

martin
Contributor III

Hi,

I want users to be able to add printers without filling in the administrators password.

I did some research and found out that I just need to remove the following lines from the /etc/cups/cupsd.conf:

<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
  AuthType Default
  Require user @SYSTEM
  Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer>
  AuthType Default
  Require user @AUTHKEY(system.print.admin) @admin @lpadmin
  Order deny,allow
</Limit>

Source: http://mattson.edgemereroadrunners.com/?p=291

Does anyone know how I can remove these lines with a bash script? I don't want to replace the file by making use of a package.

Thanks in advance!

Kind Regards,

Martin van Diemen

t +31(0) 205677744


G-Star International B.V.
www.g-star.com


milesleacy
Valued Contributor

Rather than follow the instructions at the given link, and deleting these
lines, I would add another group to these limit statements. You could use
"staff" or if you need to keep certain people from messing with printers,
you could create a new group for this purpose.
I wouldn't delete the statements because that's a sledgehammer approach to
the problem. Instead of giving out a key to the proverbial gate, deletion
tears the gate from its hinges and allows anyone and everyone in.

You can find & replace text using sed. I'm not great with sed, but I did
develop a script through trial & error to perform this task on another
config file. I'll pass it on when I get to the office today.

----------
Miles A. Leacy IV

• Certified System Administrator 10.4
• Certified Technical Coordinator 10.5
• Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com

milesleacy
Valued Contributor

Here are the relevant lines from the script I mentioned:
# Find the line beginning with "KEYSTRING" (followed by "=") and replace
# that whole line with "REPLACEMENT LINE", writing the result to a second
# file (file.tmp). KEYSTRING, REPLACEMENT LINE and /path/to/original/file
# are placeholders.

/usr/bin/sed -e "s/^KEYSTRING *=.*/REPLACEMENT LINE/" /path/to/original/file > /path/to/original/file.tmp

# Move file.tmp over the original file

mv /path/to/original/file.tmp /path/to/original/file

I hope this helps.

Of course, if anyone can suggest a simpler find & replace method, I'm all
ears.



martin
Contributor III

I'll give that a try.

Thank you!

Kind Regards,

Martin van Diemen


robb1068
Contributor

Hi Martin... When we first moved to Leopard (which was at 10.5.2 at the
time), we added 'Require valid-user' to the following:

<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
  AuthType Default
  Require user @SYSTEM
  Require valid-user
  Order deny,allow

That would at least enable end users to add and remove printers either
through an application or in the CUPS admin page. However, since we upgraded
to 10.5.5 a month ago, we found that process no longer works and ended up
removing the two lines you mentioned. I had brought this up to one of our
Apple reps and they replied that system updates would likely reset the CUPS
config file each time you run an incremental update.

I would agree with Miles that blowing away the CUPS statements probably
isn't the most delicate solution, but I haven't been able to find a better
one. I wouldn't say our Mac deployment is huge (100 corporate Macs and
another 100 spread out in retail land), but I'm not going to run around to
add and delete printers because Apple changed that option to admin only.

Robb Gibson
System Engineer - eMMS, Publishing Systems
OfficeMax : 263 Shuman Blvd. : Naperville, IL 60563
(630) 864-5242


milesleacy
Valued Contributor

If you want to avoid the "sledgehammer approach" and want to stay ahead of
OS updates, you could run your /etc/cups/cupsd.conf modification script as
an "after" script in the same policy you use to run software update.


Not applicable

I'm sure you all know this, but I think it should be mentioned that the change to requiring admin privs to add printers was made to close a fairly serious security hole in the OS. Installing a printer can install code as part of the print handler that gets run as root. Therefore, a malicious user could create a "printer" and install it and when they print to it it will run whatever code they have in the "printer" as root. I'm sure your imagination can figure out what could happen next.

Though this is a threat, I have never actually seen it done in the real world; however, I have demonstrated it while I was doing some heavy work with the printing system last year, and it isn't as difficult as you might think.

I would suggest an alternative to this, Casper's Self Service. Since local printers will be added automatically when they are detected (usually) you should only need to worry about network printers, and Self Service can do this without opening security holes in the OS.

With that being said, one thing that I have had a problem with is that the default error policy for printers is to pause the printer and since only an admin can unpause a printer, that has been a real treat. I run a script to change this policy by running lpadmin like this:

# Collect every printer name (first field of each "lpstat -a" line), then
# switch each one from CUPS's default stop-printer policy to abort-job.
# Must run as root. "log" stands in for whatever logging function the
# surrounding script provides.
log() { echo "$*"; }
printers=$(lpstat -a | awk '{print $1}')
for printer in $printers
do
    log "Changing error policy on $printer"
    lpadmin -p "$printer" -o printer-error-policy=abort-job
done

This will just abort the job instead of pausing the printer and affecting all users.

Another option is to just modify the permissions, without getting rid of them completely. Forgive me if this is elementary, but I think it's good to have a good understanding of what things do before deleting lines in config files.

Where you have the <Limit ...> stuff, the Require key allows you to:

list users with privileges by username
list groups prefixed with @ (e.g. @admin @lpadmin)
have the Security Agent prompt for privileges (e.g. @AUTHKEY(system.print.admin))

If you just take out the @AUTHKEY bit and add @staff to the list (or any other group) you should then be able to do the functions listed in <Limit ...> ... </Limit>. This will allow you to still have some sort of permission scheme, though, instead of leaving it wide open.

As far as updates overwriting this, I would have to support Miles' approach.

Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716
Ryan.Harter at uwsp.edu
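A worked version of what Miles and Ryan describe, added here as an example and not taken from any post in the thread: instead of deleting the two <Limit> blocks, the script appends a group of your choosing to their "Require user" lines and, following Ryan's suggestion, drops the @AUTHKEY(system.print.admin) entry so the group is honoured directly. It assumes the stock Leopard layout of /etc/cups/cupsd.conf (one "Require user" line per <Limit> block); the group name "printer-admins", the cut-down sample configuration and the helper names are all made up for the example. The sample is a constructed excerpt, so the script runs stand-alone without touching a live machine.

```shell
#!/bin/sh
# Add a group to the "Require user" lines that gate printer management in
# /etc/cups/cupsd.conf, instead of deleting the <Limit> blocks outright.
# Constructed example, not a script from the thread. Assumes the stock
# Leopard layout (one "Require user" line per <Limit> block) and a group you
# create yourself; "printer-admins" is a placeholder name.

# Print a cut-down, constructed copy of the relevant <Limit> blocks as they
# appear on 10.5, so the edit can be exercised offline.
sample_leopard_cupsd_conf() {
    cat <<'EOF'
<Policy default>
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer>
    AuthType Default
    Require user @AUTHKEY(system.print.admin) @admin @lpadmin
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
EOF
}

# grant_printer_admin CONF GROUP: print CONF with "@GROUP" appended to the
# "Require user" line of the two printer-management <Limit> blocks. The
# @AUTHKEY(...) entry is dropped (Ryan's suggestion) so the group is checked
# directly rather than through a Security Agent prompt. Idempotent; every
# other line, including the <Limit All> block, passes through untouched.
grant_printer_admin() {
    awk -v grp="@$2" '
        /^[ \t]*<Limit[ \t]/ && (/CUPS-Add-Modify-Printer/ || /Pause-Printer/) { inblk = 1 }
        /^[ \t]*<\/Limit>/ { inblk = 0 }
        inblk && $1 == "Require" && $2 == "user" {
            match($0, /^[ \t]*/)                      # keep the original indent
            line = substr($0, 1, RLENGTH) "Require user"
            found = 0
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^@AUTHKEY\(/) continue      # drop the Security Agent entry
                if ($i == grp) found = 1
                line = line " " $i
            }
            if (!found) line = line " " grp           # append only once
            $0 = line
        }
        { print }
    ' "$1"
}

# allowed_for_add_printer CONF: print who may add or delete printers, so the
# edit can be checked; an empty result means the gate itself is gone.
allowed_for_add_printer() {
    awk '
        /^[ \t]*<Limit[ \t]/ && /CUPS-Add-Modify-Printer/ { inblk = 1 }
        /^[ \t]*<\/Limit>/ { inblk = 0 }
        inblk && $1 == "Require" && $2 == "user" { $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# Stand-alone demo against the sample. On a real machine, run as root:
#   grant_printer_admin /etc/cups/cupsd.conf printer-admins > /tmp/cupsd.conf.new
#   cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.bak
#   cp /tmp/cupsd.conf.new /etc/cups/cupsd.conf
#   launchctl stop org.cups.cupsd     # launchd restarts cupsd with the new file
demo_conf=$(mktemp)
sample_leopard_cupsd_conf > "$demo_conf"
grant_printer_admin "$demo_conf" printer-admins > "$demo_conf.new"
echo "may add printers before: $(allowed_for_add_printer "$demo_conf")"
echo "may add printers after:  $(allowed_for_add_printer "$demo_conf.new")"
rm -f "$demo_conf" "$demo_conf.new"
```

Because the function prints to stdout rather than editing in place, it fits Miles' pattern of writing to a temporary file and moving it over the original, and it can be re-run from the "after" script of a software-update policy since a second pass changes nothing. Two caveats from the thread still apply: an update can put the stock file back, and anyone in the group you add can install a printer whose handler runs as root, which is exactly the risk Ryan describes.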

milesleacy
Valued Contributor

Good points, Ryan.
I would suggest self-service for printers at all times unless you have been
directed by your superiors to give clients the ability to add their own. In
that case, I'd be sure to inform your superiors (in documented form) of why
this should not be done and exactly what the risk is. This way, if the hole
is ever exploited, you can prove your due diligence.

One exception might be for mobile users, though it might be better (from a
security standpoint) if your organization issues portable printers to mobile
users. This way you know what printer they'll use, and you can package the
software and deploy it for them as part of a configuration.
