CUPS how to limit access to Web admin page to my IP address range?

Hello,

I followed this document and managed to add a user to access the CUPS admin page via web.
https://access.redhat.com/solutions/35312

I looked at many other CUPS pages, but there is too much generic information. I would like to limit access to my corporate network. In that article it says to set Listen 0.0.0.0:631, but that gives access to any machine. Correct? Can someone explain what this actually means?

I added my Linux user and IP address range to these sections, so it seems to work:

# Restrict access to the server...
<Location />
  Order allow,deny
# Enable this, so the web page is displayed properly...
  Require user @SYSTEM user1
  Allow 172.18.*.* 10.142.*.*
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Order allow,deny
  Require user @SYSTEM user1
  Allow 172.18.*.* 10.142.*.*
</Location>

How do those work in conjunction with Listen 0.0.0.0?

I also tried to change the Listen IP address, like 172.18.0.0, but it does not allow access to the admin page.

What does the 0.0.0.0 mean? Should it be my server host name or my server host IP address?

Thanks in advance.
Ryszard

Responses

Hi Ryszard, the Listen directive configures which IPv4 addresses the service binds to when it starts. This does not directly control or limit what has access to the service.

When it comes to binding a listening port, 0.0.0.0 is the everywhere address. Where 127.0.0.1 is localhost only, 0.0.0.0 would be all IPv4 addresses on the host.

If your server has multiple interfaces but you only want the CUPS service available through one of them, specify the specific IP address of that interface as the Listen directive.

Thank you very much, that is a really nice explanation. Regards Ryszard

Hi, having trouble with adding myself "user1" to the cups admin group. There is an example: https://access.redhat.com/solutions/38537 which shows the @cupsadmin group. However, there doesn't seem to be a group like this. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/s1-users-groups-standard-groups

The command would be "useradd -G ", but there is no lpadmin or cupsadmin in /etc/group file.

https://www.putorius.net/how-to-add-user-to-group.html

Thanks, Ryszard

I don't see any groups or users that get created from the CUPS packages. Creating the users and groups is likely out of scope from the solution you reference, as it would vary depending on your environment and if the accounts & groups are local or network based such as with LDAP or Kerberos.

To make the group, you can use the groupadd command which should create it locally: groupadd cupsadmin.

Some other commands that may help:

getent will lookup the group entry: getent group cupsadmin
id will give you information including group memberships of a given id: id -a user1

(If there is no /etc/group file, check to make sure it was not accidentally overwritten or replaced. You may have a backup file at /etc/group- but there could be other issues that need investigating)

I see, sorry, I must have mistyped /etc/group, it is there. So actually the @cupsadmin is just an example of a group I have to create, then add users to "cupsadmin". So "cupsadmin" is just a name we can use instead of "user1" and access is granted via this?

# Encryption Required
Order allow,deny
Allow from all
Require user @SYSTEM @cupsadmin

@cupsadmin is checked against /etc/group, not /etc/passwd where users are located?

Thanks again. Ryszard
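
An added example, not part of the thread and not CUPS code: a small Python lint that reads cupsd.conf text and reports, for each Location, whether client reach is narrowed by the Listen address or only by Allow lines, which is the distinction the Listen answer above draws. The sample config is constructed from directives quoted in the thread; the function names and status labels are assumptions, and the parser covers only Listen, Port, Location and Allow.

```python
import re

# Constructed sample built from directives quoted in the thread.
SAMPLE = """\
Listen 0.0.0.0:631
<Location />
  Order allow,deny
  Allow 172.18.*.* 10.142.*.*
</Location>
<Location /admin>
  Order allow,deny
  Allow from all
  Require user @SYSTEM @cupsadmin
</Location>
"""

WILDCARD_HOSTS = {"0.0.0.0", "*", "[::]"}  # bind addresses meaning "every interface"

def parse(conf):
    """Return (listen_hosts, {location_path: [allow_sources]})."""
    listens, locations, current = [], {}, None
    for line in map(str.strip, conf.splitlines()):
        key, _, value = line.partition(" ")
        opened = re.match(r"<Location\s+([^>\s]+)>$", line)
        if opened:
            current = opened.group(1)
            locations[current] = []
        elif line == "</Location>":
            current = None
        elif key.lower() == "listen":
            listens.append(value.strip().rsplit(":", 1)[0])  # drop the :port
        elif key.lower() == "port":
            listens.append("*")  # Port N listens on every address
        elif key.lower() == "allow" and current is not None:
            locations[current] += [s for s in value.split() if s.lower() != "from"]
    return listens, locations

def classify(wildcard, sources):
    """Name what limits which clients can reach one Location."""
    if not wildcard:
        return "specific-bind"  # reachable only through the listed addresses
    return "open" if "all" in (s.lower() for s in sources) else "acl-only"

def audit(conf):
    """Map each Location path to its exposure status."""
    listens, locations = parse(conf)
    wildcard = any(host in WILDCARD_HOSTS for host in listens)
    return {path: classify(wildcard, src) for path, src in locations.items()}
```

With the sample, `audit(SAMPLE)` reports `/` as `acl-only` and `/admin` as `open`: under a wildcard Listen, "Allow from all" leaves authentication as the only control on the admin pages.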