
Re: Deny printer access to normal users in OS X



This worked great. Thank you for all your help. Now the admin accounts on my computers can use the printers but the normal users cannot.

Thanks Again
Troy Bennett
On Friday, September 12, 2003, at 02:45 AM, James Goodlet wrote:

Message: 4
Date: Thu, 11 Sep 2003 15:32:27 -0500
Subject: Deny printer access to normal users in OS X
From: Troy Bennett <email@hidden>
To: email@hidden

Hi

I have a lab of Mac G3s running 10.2.6 with all available patches.

Does anyone know how to set up OS X so that only the admins of a
computer can use the printers in Print Center?

To save money for my department we want to prevent students from
printing to the lab printer, but we would like the professors to be
able to print.

If you have any ideas or suggestions please email me back at
email@hidden

Edit (using sudo) the file /etc/cups/cupsd.conf, and change the section which by default says:

<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From @LOCAL
</Location>

so that it now reads:

<Location />
AuthType Basic
AuthClass Group
AuthGroupName admin
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From @LOCAL
</Location>

that is by inserting the three lines:

AuthType Basic
AuthClass Group
AuthGroupName admin

after the <Location />. This will deny all access to your printers to any other than an admin user. No printing, no adding/deleting printers, not even seeing the list of existing printers. Admin users will be able to do all of the above, and without them needing to give a password (this is handled automatically by the print system).

Equally, you may wish to allow all your users to print, but not to add or delete printers. This same mechanism will work for that purpose, but the three lines should be inserted at the start of the <Location /admin> section, at the end of the cupsd.conf file, not in the <Location /> section. You also need to comment out (insert a # character at the start of each line) the two existing Auth directives in the <Location /admin> section. Specifically, that section by default looks like:

<Location /admin>
#
# You definitely will want to limit access to the administration functions.
# The default configuration requires a local connection from a user who
# is a member of the system group to do any admin tasks. You can change
# the group name using the SystemGroup directive.
#

AuthType None
AuthClass Anonymous

## Restrict access to local domain
Order Deny,Allow
Deny From All
Allow From 127.0.0.1

#Encryption Required
</Location>

and you would want to change it to look like:

<Location /admin>
#
# You definitely will want to limit access to the administration functions.
# The default configuration requires a local connection from a user who
# is a member of the system group to do any admin tasks. You can change
# the group name using the SystemGroup directive.
#

#AuthType None
#AuthClass Anonymous

AuthType Basic
AuthClass Group
AuthGroupName admin


## Restrict access to local domain
Order Deny,Allow
Deny From All
Allow From 127.0.0.1

#Encryption Required
</Location>

Finally, note that any changes you make to the cupsd.conf file won't take effect until the next reboot, unless you tell the cups daemon to apply them immediately. You can do this using the command:

killall -HUP -u root -c cupsd

Hope this helps,
James
--
James Goodlet, Assistant Director (Network Services),
Computing Service, University of Sussex, Brighton BN1 9QJ.
_______________________________________________
maclabmanager mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/maclabmanager
Do not post admin requests to the list. They will be ignored.
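
One way to check the edit described in the message above before reloading cupsd, as an added example that is not part of the original emails: it parses the <Location> sections of a cupsd.conf and reports which ones are restricted to the admin group. The function names and the embedded sample are constructed for illustration; a section counts as restricted only when every uncommented AuthType, AuthClass and AuthGroupName line carries the required value, which mirrors the advice to comment out the existing Auth directives.

```python
import re

# Constructed sample: <Location /> after the edit, <Location /admin> still at its default.
SAMPLE = """\
<Location />
AuthType Basic
AuthClass Group
AuthGroupName admin
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From @LOCAL
</Location>

<Location /admin>
AuthType None
AuthClass Anonymous
#AuthGroupName admin
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
</Location>
"""

def parse_locations(text):
    """Return {path: {directive: [values]}} per <Location> block; '#' lines are skipped."""
    locations, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.fullmatch(r"<Location\s+(\S+)>", line, re.I)
        if opened:
            current = locations.setdefault(opened.group(1), {})
        elif re.fullmatch(r"</Location>", line, re.I):
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            value = parts[1].strip() if len(parts) > 1 else ""
            current.setdefault(parts[0].lower(), []).append(value)
    return locations

def restricted_to_group(directives, group="admin"):
    """True only if all three Auth directives are present and none conflicts."""
    want = {"authtype": "basic", "authclass": "group"}
    ok = all(directives.get(k) and all(v.lower() == w for v in directives[k])
             for k, w in want.items())
    names = directives.get("authgroupname", [])
    return bool(ok and names and all(n == group for n in names))

def audit(text, group="admin"):
    """Map each Location path to whether it is restricted to `group`."""
    return {path: restricted_to_group(d, group) for path, d in parse_locations(text).items()}
```

Calling audit() on the text of /etc/cups/cupsd.conf returns a dictionary such as {"/": True, "/admin": False}; a False entry means that section does not demand admin group membership.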
