Cups

How to enable remote access to the admin pages in CUPS

  • July 8, 2021

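I am looking to get access to the admin pages of the CUPS web interface.

I can reach the page and can browse most of the site, but unfortunately the admin pages are still locked for remote hosts.

I did set Allow from all and Allow all, and have now tried them everywhere, but I still can't access the page.

What am I missing?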

Configuration file

#
#
# Sample configuration file for the CUPS scheduler.  See "man cupsd.conf" for a
# complete description of this file.
#

# Log general information in error_log - change "warn" to "debug"
# for troubleshooting...
LogLevel warn

# Deactivate CUPS' internal logrotating, as we provide a better one, especially
# LogLevel debug2 gets usable now
MaxLogSize 0

# Allow connection from remote hosts
Port 631
Listen /var/run/cups/cups.sock

# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow all
BrowseLocalProtocols all

# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Web interface setting...
WebInterface Yes

# Restrict access to the server...
<Location />
 Order allow,deny
 Allow from all
</Location>

# Restrict access to the admin pages...
<Location /admin>
 Order allow,deny
 Allow from all
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
 AuthType Default
 Order allow,deny
 Allow from all
</Location>

# Set the default printer/job policies...
<Policy default>
 # Job/subscription privacy...
 JobPrivateAccess default
 JobPrivateValues default
 SubscriptionPrivateAccess default
 SubscriptionPrivateValues default

 # Job-related operations must be done by the owner or an administrator...
 <Limit Create-Job Print-Job Print-URI Validate-Job>
   Order deny,allow
   Allow from all
 </Limit>

 <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
   Require user @OWNER @SYSTEM
   Order deny,allow
   Allow from all
 </Limit>

 # All administration operations require an administrator to authenticate...
 <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
   AuthType Default
   Require user @SYSTEM
   Order deny,allow
   Allow from all
 </Limit>

 # All printer operations require a printer operator to authenticate...
 <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
   AuthType Default
   Require user @SYSTEM
   Order deny,allow
   Allow from all
 </Limit>

 # Only the owner or an administrator can cancel or authenticate a job...
 <Limit Cancel-Job CUPS-Authenticate-Job>
   Require user @OWNER @SYSTEM
   Order deny,allow
   Allow from all
 </Limit>

 <Limit All>
   Order deny,allow
   Allow from all
 </Limit>
</Policy>

# Set the authenticated printer/job policies...
<Policy authenticated>
 # Job/subscription privacy...
 JobPrivateAccess default
 JobPrivateValues default
 SubscriptionPrivateAccess default
 SubscriptionPrivateValues default

 # Job-related operations must be done by the owner or an administrator...
 <Limit Create-Job Print-Job Print-URI Validate-Job>
   AuthType Default
   Order deny,allow
   Allow from all
 </Limit>

 <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
   AuthType Default
   Require user @OWNER @SYSTEM
   Order deny,allow
   Allow from all
 </Limit>

 # All administration operations require an administrator to authenticate...
 <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
   AuthType Default
   Require user @SYSTEM
   Order deny,allow
   Allow from all
 </Limit>

 # All printer operations require a printer operator to authenticate...
 <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
   AuthType Default
   Require user @SYSTEM
   Order deny,allow
   Allow from all
 </Limit>

 # Only the owner or an administrator can cancel or authenticate a job...
 <Limit Cancel-Job CUPS-Authenticate-Job>
   AuthType Default
   Require user @OWNER @SYSTEM
   Order deny,allow
   Allow from all
 </Limit>

 <Limit All>
   Order deny,allow
   Allow from all
 </Limit>
</Policy>

Dockerfile

#
#   Add a Printer user
#
RUN useradd \
   --groups=sudo,lp,lpadmin \
   --create-home \
   --home-dir=/home/print \
   --shell=/bin/bash \
   print

#
#   Set the password for the printer user
#
RUN echo print:sdsds | chpasswd

What I would do is put the following block below the </Policy> tag:

<Location />
   Order allow,deny
   Allow localhost
   Allow from 192.168.0.*
   Allow from 10.0.*.*
</Location>

Listen 0.0.0.0:631

For admin access specifically, the vanilla configuration usually has:

<Location /admin/conf>
 AuthType Default
 Require user @SYSTEM
 Order allow,deny
</Location>

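To create a suitable user account, you simply need to create a user that is a member of the lpadmin group (I suggest that you really do want some sort of authentication on the admin section): sudo useradd -g lpadmin cupsadmin, then set the password.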

See also https://askubuntu.com/questions/387217/cups-admin-user-and-password-saucy

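Update: The following should serve as a starting point, and also happens to resolve the issue originally raised by @DavidGatti - it is not as complete/granular as the original configuration, but the policy configuration can be added back in.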

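However, this configuration does do away with using @SYSTEM users and instead accepts any "local" valid user. The use case for the configuration is running CUPS in a docker container, so it seemed best to avoid requiring anything "special", other than a user password, to provide admin access to CUPS.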

# Disable cups internal logging - use logrotate instead
MaxLogSize 0

# Log general information in error_log - change "warn" to "debug"
# for troubleshooting...
LogLevel warn
#PageLogFormat

Listen /run/cups/cups.sock
Listen 0.0.0.0:631
Port 631

# Show shared printers on the local network.
Browsing On
BrowseLocalProtocols dnssd

# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Web interface setting...
WebInterface Yes

# Restrict access to the server...
# This config allow anyone access to the WUI
<Location />
 Order allow,deny
 Allow all
</Location>

# Restrict access to the admin pages...
# Allows anyone to try and access admin pages.
# Any local user's credentials will be accepted
<Location /admin>
 AuthType Basic
 Require valid-user
 Allow all
 Order allow,deny
</Location>

# Restrict access to configuration files...
# Any local user's credentials will be accepted
<Location /admin/conf>
 AuthType Basic
 Require valid-user
 Allow all
 Order allow,deny
</Location>

# Restrict access to log files...
# Any local user's credentials will be accepted
<Location /admin/log>
 AuthType Basic
 Require valid-user
 Allow all
 Order allow,deny
</Location>

Browsing On

You may also find some good pointers in "How to configure cups to allow remote printing and authentication and local printing?"
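An added example, not part of the original question or answer: a small Python check that parses the <Location> blocks of a cupsd.conf and flags /admin locations that allow all hosts with no authentication directives (as in the question's file) or with Require valid-user (as in the updated configuration, which accepts any local account). The function names, finding labels and sample strings are assumptions constructed for illustration.

```python
import re
# Constructed samples, reduced from the two configurations on this page.
QUESTION_CONF = """
<Location /admin>
 Allow from all
</Location>
<Location /admin/conf>
 AuthType Default
 Allow from all
</Location>
"""
ANSWER_CONF = """
<Location /admin>
 AuthType Basic
 Require valid-user
 Allow all
</Location>
"""

def parse_locations(text):
    """Map each <Location path> to {directive: [values]} (all lowercased)."""
    locations, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        opened = re.match(r"<Location\s+(\S+)>$", line, re.I)
        if opened:
            current = locations.setdefault(opened.group(1), {})
        elif line.lower() == "</location>":
            current = None
        elif current is not None:
            name, _, value = line.partition(" ")
            current.setdefault(name.lower(), []).append(value.strip().lower())
    return locations

def audit_admin(text):
    """Flag /admin locations that allow all hosts with no or broad auth."""
    findings = []
    for path, d in parse_locations(text).items():
        # "Allow from all" and "Allow all" are treated as the same rule.
        allows = [re.sub(r"^from\s+", "", v) for v in d.get("allow", [])]
        if not path.startswith("/admin") or "all" not in allows:
            continue
        auth = [v for v in d.get("authtype", []) if v != "none"]
        if not auth and not d.get("require"):
            findings.append((path, "NO_AUTH"))         # nothing asks for login
        elif "valid-user" in d.get("require", []):
            findings.append((path, "ANY_LOCAL_USER"))  # any local account works
    return findings
```

Each block is judged on its own directives; a location that sets AuthType without a Require line is not flagged by this check.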

Quoted from: https://serverfault.com/questions/836266