[Casper] Allow Non-Admin Users to Add Printers in Leopard
Ryan Harter
rharter at uwsp.edu
Thu Dec 18 09:10:21 PST 2008
I'm sure you all know this, but I think it should be mentioned that
the change to requiring admin privs to add printers was made to close
a fairly serious security hole in the OS. Installing a printer can
install code as part of the print handler that gets run as root.
Therefore, a malicious user could create a "printer" and install it
and when they print to it it will run whatever code they have in the
"printer" as root. I'm sure your imagination can figure out what
could happen next.
Though this is a threat, I have never actually seen it done in the
real world; however, I have demonstrated it while I was doing some
heavy work with the printing system last year, and it isn't as
difficult as you might think.
I would suggest an alternative to this, Casper's Self Service. Since
local printers will be added automatically when they are detected
(usually) you should only need to worry about network printers, and
Self Service can do this without opening security holes in the OS.
With that being said, one thing that I have had a problem with is that
the default error policy for printers is to pause the printer and
since only an admin can unpause a printer, that has been a real
treat. I run a script to change this policy by running lpadmin like
this:
# log is a small helper assumed to exist elsewhere in the script; defined
# here so the loop runs on its own.
log() { echo "$*"; }
# lpstat -a prints one "printer accepting requests since ..." line per
# destination, so the first field is the printer name.
printers=`lpstat -a | awk '{print $1}'`
for printer in $printers
do
log "Changing error policy on $printer"
lpadmin -p "$printer" -o printer-error-policy=abort-job
done
This will just abort the job instead of pausing the printer and
affecting all users.
Another option is to just modify the permissions, without getting rid
of them completely. Forgive me if this is elementary, but I think
it's good to have a good understanding of what things do before
deleting lines in config files.
Where you have the <Limit ...> stuff, the Require key allows you to:
list users with privileges by username
list groups prepended by @ (eg @admin @lpadmin)
have the security agent prompt for privs (eg @AUTHKEY(system.print.admin))
If you just take out the @AUTHKEY bit and add @staff to the list (or
any other group) you should then be able to do the functions listed in
<Limit ...> ... </Limit>. This will allow you to still have some sort of
permission scheme though, instead of leaving it wide open.
As far as updates overwriting this, I would have to support Miles'
approach.
Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716
Ryan.Harter at uwsp.edu
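A script for the group-based approach discussed in this thread (adding a group to the Require lines instead of deleting the <Limit> blocks), written as an added example here and not taken from any message in the thread. It assumes the Leopard cupsd.conf layout quoted in the thread, runs against a constructed sample fragment so it can be tried offline, and the function names and the choice of the staff group are mine. It is idempotent, so it can be re-run as an "after" script following software update without listing the group twice:

```shell
#!/bin/sh
# Added example (not from the thread): grant one extra group printer-admin
# rights in cupsd.conf by extending "Require user" lines inside the relevant
# <Limit ...> blocks, rather than deleting those blocks. Re-running is safe:
# a group that is already listed is not added again.

# add_group_to_limits CONF GROUP
# Rewrites CONF in place (keeping CONF.bak). Only "Require user" lines inside
# <Limit> blocks covering printer add/delete or pause/resume operations are
# touched; every other line is copied through unchanged.
add_group_to_limits() {
    conf=$1
    group=$2
    tmp=$(mktemp) || return 1
    awk -v grp="@$group" '
        /^[[:space:]]*<Limit / {
            # Block scoping: only the Limit blocks the thread talks about.
            inblock = ($0 ~ /CUPS-Add-Modify-Printer|Pause-Printer/) ? 1 : 0
        }
        /^[[:space:]]*<\/Limit>/ { inblock = 0 }
        inblock && /^[[:space:]]*Require[[:space:]]+user/ {
            present = 0
            for (i = 3; i <= NF; i++) if ($i == grp) present = 1
            if (!present) $0 = $0 " " grp
        }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cp "$conf" "$conf.bak" && mv "$tmp" "$conf"
}

# count_group_lines CONF GROUP -> number of "Require user" lines listing GROUP
count_group_lines() {
    grep -c "^[[:space:]]*Require[[:space:]][[:space:]]*user.*@$2" "$1"
}

# make_sample_conf PATH: writes a constructed cupsd.conf fragment (shaped like
# the Leopard default policy, but not a real file) for offline testing.
make_sample_conf() {
    cat > "$1" <<'EOF'
<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job Cancel-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer>
    AuthType Default
    Require user @AUTHKEY(system.print.admin) @admin @lpadmin
    Order deny,allow
  </Limit>
</Policy>
EOF
}

# Stand-alone demo on the constructed fragment. Real use would be:
#   add_group_to_limits /etc/cups/cupsd.conf staff
sample=$(mktemp)
make_sample_conf "$sample"
add_group_to_limits "$sample" staff
cat "$sample"
rm -f "$sample" "$sample.bak"
```

Before restarting cupsd on a real machine, check the edited file with cupsd -t -c /etc/cups/cupsd.conf; the .bak copy makes it easy to back out. The job-level Limit block (Send-Document and friends) is deliberately left alone, so ordinary users gain printer management rights only, not control over other users' jobs.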
On Dec 18, 2008, at 10:21 AM, Miles Leacy wrote:
> If you want to avoid the "sledgehammer approach" and want to stay
> ahead of OS updates, you could run your /etc/cups/cupsd.conf
> modification script as an "after" script in the same policy you use
> to run software update.
>
> ----------
> Miles A. Leacy IV
>
> Certified System Administrator 10.4
> Certified Technical Coordinator 10.5
> Certified Trainer
> Certified Casper Administrator
> ----------
> voice: 1-347-277-7321
> miles.leacy at themacadmin.com
> www.themacadmin.com
>
> On Thu, Dec 18, 2008 at 11:16 AM, Gibson, Robb <RobbGibson at officemax.com> wrote:
> Hi Martin... When we first moved to Leopard (which was at 10.5.2 at
> the time), we added "Require valid-user" to the following:
>
> <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
> AuthType Default
> Require user @SYSTEM
> Require valid-user
> Order deny,allow
>
> That would at least enable end users to add and remove printers
> either through an application or in the CUPS admin page. However,
> since we upgraded to 10.5.5 a month ago, we found that process no
> longer works and ended up removing the two lines you mentioned. I
> had brought this up to one of our Apple reps and they replied that
> system updates would likely reset the CUPS config file each time you
> run an incremental update.
>
> I would agree with Miles that blowing away the CUPS statements
> probably isn't the most delicate solution, but I haven't been able
> to find a better one. I wouldn't say our Mac deployment is huge (100
> corporate Macs and another 100 spread out in retail land), but I'm
> not going to run around to add and delete printers because Apple
> changed that option to admin only.
>
> Robb Gibson
> System Engineer - eMMS, Publishing Systems
> OfficeMax : 263 Shuman Blvd. : Naperville, IL 60563
> (630) 864-5242
>
> On 12/18/08 6:46 AM, "Miles Leacy" <miles.leacy at themacadmin.com>
> wrote:
>
> Rather than follow the instructions at the given link, and deleting
> these lines, I would add another group to these limit statements.
> You could use "staff" or if you need to keep certain people from
> messing with printers, you could create a new group for this purpose.
>
> I wouldn't delete the statements because that's a sledgehammer
> approach to the problem. Instead of giving out a key to the
> proverbial gate, deletion tears the gate from its hinges and allows
> anyone and everyone in.
>
> You can find & replace text using sed. I'm not great with sed, but
> I did develop a script through trial & error to perform this task on
> another config file. I'll pass it on when I get to the office today.
>
> ----------
> Miles A. Leacy IV
>
> Certified System Administrator 10.4
> Certified Technical Coordinator 10.5
> Certified Trainer
> Certified Casper Administrator
> ----------
> voice: 1-347-277-7321
> miles.leacy at themacadmin.com
> www.themacadmin.com <http://www.themacadmin.com>
>
> On Thu, Dec 18, 2008 at 4:24 AM, Martin van Diemen <martin-van-diemen at g-star.com> wrote:
> Hi,
>
> I want users to be able to add printers without filling in the
> administrators password.
>
> I did some research and found out that I just need to remove the
> following lines from the /etc/cups/cupsd.conf:
>
> <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
> AuthType Default
> Require user @SYSTEM
> Order deny,allow
> </Limit>
> <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer>
> AuthType Default
> Require user @AUTHKEY(system.print.admin) @admin @lpadmin
> Order deny,allow
> </Limit>
>
> Source: http://mattson.edgemereroadrunners.com/?p=291
>
> Does anyone know how I can remove these lines with a bash script? I
> don't want to replace the file by making use of a package.
>
> Thanks in advance!
>
> Kind Regards,
>
> Martin van Diemen
>
> t +31(0) 205677744
> __________________
>
> G-Star International B.V.
> www.g-star.com <http://www.g-star.com>
> _______________________________________________
> Casper mailing list
> Casper at list.jamfsoftware.com
> http://list.jamfsoftware.com/mailman/listinfo/casper