[Casper] Allow Non-Admin Users to Add Printers in Leopard
Miles Leacy
miles.leacy at themacadmin.com
Thu Dec 18 09:29:56 PST 2008
Good points, Ryan.
I would suggest self-service for printers at all times unless you have been
directed by your superiors to give clients the ability to add their own. In
that case, I'd be sure to inform your superiors (in documented form) of why
this should not be done and exactly what the risk is. This way, if the hole
is ever exploited, you can prove your due diligence.
One exception might be for mobile users, though it might be better (from a
security standpoint) if your organization issues portable printers to mobile
users. This way you know what printer they'll use, and you can package the
software and deploy it for them as part of a configuration.
----------
Miles A. Leacy IV
Certified System Administrator 10.4
Certified Technical Coordinator 10.5
Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com
On Thu, Dec 18, 2008 at 12:10 PM, Ryan Harter <rharter at uwsp.edu> wrote:
> I'm sure you all know this, but I think it should be mentioned that the
> change to requiring admin privs to add printers was made to close a fairly
> serious security hole in the OS. Installing a printer can install code as
> part of the print handler that gets run as root. Therefore, a malicious
> user could create a "printer" and install it and when they print to it it
> will run whatever code they have in the "printer" as root. I'm sure your
> imagination can figure out what could happen next.
>
> Though this is a threat, I have never actually seen it done in the real
> world; however, I have demonstrated it while I was doing some heavy work with
> the printing system last year, and it isn't as difficult as you might think.
>
> I would suggest an alternative to this, Casper's Self Service. Since local
> printers will be added automatically when they are detected (usually) you
> should only need to worry about network printers, and Self Service can do
> this without opening security holes in the OS.
>
> With that being said, one thing that I have had a problem with is that the
> default error policy for printers is to pause the printer and since only an
> admin can unpause a printer, that has been a real treat. I run a script to
> change this policy by running lpadmin like this:
>
> # lpstat -a prints one destination per line; the first field is its name
> printers=$(lpstat -a | awk '{print $1}')
> for printer in $printers
> do
>     echo "Changing error policy on $printer"
>     lpadmin -p "$printer" -o printer-error-policy=abort-job
> done
>
> This will just abort the job instead of pausing the printer and affecting
> all users.
>
> Another option is to just modify the permissions, without getting rid of
> them completely. Forgive me if this is elementary, but I think it's good to
> have a good understanding of what things do before deleting lines in config
> files.
>
> Where you have the <Limit ...> stuff, the Require key allows you to:
>
> list users with privileges by username
> list groups prepended by @ (eg @admin @lpadmin)
> have the security agent prompt for privs (eg @AUTHKEY(system.print.admin))
>
> If you just take out the @AUTHKEY bit and add @staff to the list (or any
> other group) you should then be able to do the functions listed in <Limit
> ...> ... </Limit>. This will allow you to still have some sort of permission
> scheme though, instead of leaving it wide open.
>
> As far as updates overwriting this, I would have to support Miles' approach.
>
> Ryan Harter
> UW - Stevens Point
> Workstation Developer
> 715.346.2716
> Ryan.Harter at uwsp.edu
>
> On Dec 18, 2008, at 10:21 AM, Miles Leacy wrote:
>
> If you want to avoid the "sledgehammer approach" and want to stay ahead of
> OS updates, you could run your /etc/cups/cupsd.conf modification script as
> an "after" script in the same policy you use to run software update.
>
> ----------
> Miles A. Leacy IV
>
> Certified System Administrator 10.4
> Certified Technical Coordinator 10.5
> Certified Trainer
> Certified Casper Administrator
> ----------
> voice: 1-347-277-7321
> miles.leacy at themacadmin.com
> www.themacadmin.com
>
>
>
>
> On Thu, Dec 18, 2008 at 11:16 AM, Gibson, Robb <RobbGibson at officemax.com> wrote:
>
>> Hi Martin... When we first moved to Leopard (which was at 10.5.2 at the
>> time), we added "Require valid-user" to the following:
>>
>> <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class
>> CUPS-Delete-Class CUPS-Set-Default>
>>
>> AuthType Default
>> Require user @SYSTEM
>> Require valid-user
>> Order deny,allow
>>
>>
>> That would at least enable end users to add and remove printers either
>> through an application or in the CUPS admin page. However, since we upgraded
>> to 10.5.5 a month ago, we found that process no longer works and ended up
>> removing the two lines you mentioned. I had brought this up to one of our
>> Apple reps and they replied that system updates would likely reset the CUPS
>> config file each time you run an incremental update.
>>
>> I would agree with Miles that blowing away the CUPS statements probably
>> isn't the most delicate solution, but I haven't been able to find a better
>> one. I wouldn't say our Mac deployment is huge (100 corporate Macs and
>> another 100 spread out in retail land), but I'm not going to run around to
>> add and delete printers because Apple changed that option to admin only.
>>
>> Robb Gibson
>> System Engineer - eMMS, Publishing Systems
>> OfficeMax : 263 Shuman Blvd. : Naperville, IL 60563
>> (630) 864-5242
>>
>>
>>
>>
>> On 12/18/08 6:46 AM, "Miles Leacy" <miles.leacy at themacadmin.com> wrote:
>>
>> Rather than follow the instructions at the given link, and deleting these
>> lines, I would add another group to these limit statements. You could use
>> "staff" or if you need to keep certain people from messing with printers,
>> you could create a new group for this purpose.
>>
>> I wouldn't delete the statements because that's a sledgehammer approach to
>> the problem. Instead of giving out a key to the proverbial gate, deletion
>> tears the gate from its hinges and allows anyone and everyone in.
>>
>> You can find & replace text using sed. I'm not great with sed, but I did
>> develop a script through trial & error to perform this task on another
>> config file. I'll pass it on when I get to the office today.
>>
>> ----------
>> Miles A. Leacy IV
>>
>> Certified System Administrator 10.4
>> Certified Technical Coordinator 10.5
>> Certified Trainer
>> Certified Casper Administrator
>> ----------
>> voice: 1-347-277-7321
>> miles.leacy at themacadmin.com
>> www.themacadmin.com
>>
>>
>>
>>
>> On Thu, Dec 18, 2008 at 4:24 AM, Martin van Diemen <martin-van-diemen at g-star.com> wrote:
>>
>> Hi,
>>
>> I want users to be able to add printers without filling in the
>> administrators password.
>>
>> I did some research and found out that I just need to remove the following
>> lines from the /etc/cups/cupsd.conf:
>>
>> <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class
>> CUPS-Delete-Class CUPS-Set-Default>
>> AuthType Default
>> Require user @SYSTEM
>> Order deny,allow
>> </Limit>
>> <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer
>> Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs
>> Deactivate-Printer Activate-Printer Restart-Printer$
>> AuthType Default
>> Require user @AUTHKEY(system.print.admin) @admin @lpadmin
>> Order deny,allow
>> </Limit>
>>
>> Source: http://mattson.edgemereroadrunners.com/?p=291
>>
>> Does anyone know how I can remove these lines with a bash script? I don't want
>> to replace the file by making use of a package.
>>
>> Thanks in advance!
>>
>> Kind Regards,
>>
>> Martin van Diemen
>>
>> t +31(0) 205677744
>> __________________
>>
>> G-Star International B.V.
>> www.g-star.com
>> _______________________________________________
>> Casper mailing list
>> Casper at list.jamfsoftware.com
>> http://list.jamfsoftware.com/mailman/listinfo/casper
>>
>>
>>
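A scripted version of what the thread converges on (Miles: add a group to the two Limit statements instead of deleting them; Martin: do it from a script rather than by shipping a replacement file in a package), written as an added example that is not code from any of the posters. It uses awk rather than sed so the edit is scoped to the two <Limit> blocks quoted above and leaves the job-control block ("Require user @OWNER @SYSTEM") untouched. The group name `printadmins`, the sample cupsd.conf excerpt (the job-control and <Limit All> blocks are reproduced from memory), and the reload-by-SIGHUP step are assumptions. On a real Leopard machine run it as root with `--apply`, and, as Miles suggests, as an after-script on the policy that runs Software Update so an incremental update cannot silently revert the change.

```shell
#!/bin/sh
# Added example, not code from the thread: give a group the printer-admin
# operations by appending "@group" to the "Require user" lines of the two
# <Limit> blocks quoted above, rather than deleting the blocks outright.
set -eu

# Append " @GROUP" to every "Require user" line inside the <Limit> blocks whose
# header names CUPS-Add-Modify-Printer (add/delete printers and classes) or
# Pause-Printer (pause/resume/enable/disable). Blocks such as the job-control
# one ("Require user @OWNER @SYSTEM") are left alone. Idempotent: a group that
# is already listed is not appended again. The group name is assumed to contain
# no regex metacharacters.
grant_printer_admin() {
    conf="$1"
    group="$2"
    tmp="${conf}.tmp.$$"
    awk -v grp="@${group}" '
        /^[ \t]*<Limit[ \t]/ {
            target = ($0 ~ /CUPS-Add-Modify-Printer/ || $0 ~ /Pause-Printer/)
        }
        /^[ \t]*<\/Limit>/ { target = 0 }
        target && /^[ \t]*Require user/ && !match($0, "[ \t]" grp "([ \t]|$)") {
            $0 = $0 " " grp
        }
        { print }
    ' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Number of "Require user" lines that list the group; used to check the edit.
count_grants() {
    grep -cE "^[[:space:]]*Require user.*@$2([[:space:]]|$)" "$1" || true
}

# Constructed sample modelled on the Leopard cupsd.conf lines quoted in the
# thread; the job-control block and <Limit All> are assumptions, included so
# the example shows they are not touched.
make_sample_conf() {
    cat > "$1" <<'EOF'
<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer>
    AuthType Default
    Require user @AUTHKEY(system.print.admin) @admin @lpadmin
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
EOF
}

# Offline demonstration on a temporary copy of the sample.
demo() {
    dir=$(mktemp -d)
    conf="$dir/cupsd.conf"
    make_sample_conf "$conf"
    grant_printer_admin "$conf" printadmins
    echo "Require lines granting @printadmins: $(count_grants "$conf" printadmins)"
    grep -n 'Require user' "$conf"
    rm -rf "$dir"
}

# Real machine, run as root: stage the edit on a copy, let cupsd parse it
# ("cupsd -t" tests a config without starting the scheduler), then install it
# and have the running cupsd re-read it with SIGHUP. Keeping a .bak also helps
# when an OS update rewrites the file and the script has to be run again.
apply_to_system() {
    live=/etc/cups/cupsd.conf
    staged=$(mktemp /tmp/cupsd.conf.XXXXXX)
    cp -p "$live" "$staged"
    grant_printer_admin "$staged" "$1"
    cupsd -t -c "$staged"
    cp -p "$live" "$live.bak"
    mv "$staged" "$live"
    killall -HUP cupsd
}

case "${1:-}" in
    --apply) apply_to_system "${2:-printadmins}" ;;
    *)       demo ;;
esac
```

Run with no arguments to see the edit applied to the constructed sample; `--apply [group]` edits the live /etc/cups/cupsd.conf and needs root. Because the edit only appends to the Require lines, running it again after Software Update has restored Apple's file gives the same result, and a group that is already present is never listed twice.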