Tuesday, February 1, 2011

CUPS, SSL, and delegating queue administration

I had this working pretty quickly with the 1.3.x series of CUPS, so was surprised to see that 1.4.4 did not like a similar configuration.  Turns out that some measures were taken to prevent DNS rebinding attacks that make the previous config only partly useful.

By the numbers, here is the process to get https working for the web interface and how to delegate control of a queue to a group other than lpadmin (or whatever group is listed as the system group.)

  1. Install CUPS
  2. Create a certificate
  3. Put the certificate in a common place, like /etc/ssl
  4. Edit /etc/cups/cupsd.conf
  5. Check firewall ports
  6. Modify the print queue
1. Install CUPS
Do whatever you are comfortable with.  I run Debian, so a simple

aptitude install cups

gets the basic set up installed.  You will probably want gutenprint,  maybe hplip, for printer drivers.  The Debian package 1.4.4-2 has a bug that throws errors on the ServerCertificate directive.  The package to use is at least 1.4.4-7.  You can read about the bugs if you want the long story.

2. Create a certificate
Just google it, there are lots of options on how to do this.  At work we use a certificate authority, so I would generate a private key for the server and a certificate request in .pem format, which works fine with CUPS.  The documentation shows .crt extensions on the certificates in the examples, so I'm going to assume that works as well.

3. Put the certificate in a common place, like /etc/ssl
This is optional, put the certificate wherever you like.  I put it here because I don't have to think about it or open up the config file to find out where the certificates are that the service is using.  Besides, if I ever need to run a web server that needs SSL it makes sense to keep it in a common location.

4. Edit /etc/cups/cupsd.conf
This is where the magic happens.  In addition to whatever else is in the cupsd.conf file by default, you will need these additional directives for the service to use SSL.

ServerName myprintserver.domain.com
SSLListen 192.168.1.10:443
SSLListen myprintserver.domain.com:443
ServerAlias myprintserver.domain.com
ServerCertificate /etc/ssl/mycert.pem
ServerKey /etc/ssl/myprivatekey.pem

To allow access to the server, add allows to the root location section.

<Location />
Order allow,deny
Allow from 192.168.1
</Location>

If you want to allow access to the 'admin' and 'admin/conf' pages, you'll have to add the Allow directive to those Locations as well.

Copy <Policy default> (the whole section) and paste it at the bottom of the file.  Change 'default' to some other name, I'll use 'mydefault' here.  For each set of permissions defined in a Limit section that you want to delegate to another admin, add the name of the Unix group with the '@' symbol to the Require user directive (labprintadmin is the Unix group below.)

<Policy mydefault>
   <Limit...>
        Require user @OWNER @labprintadmin @SYSTEM
        Order deny, allow
   </Limit>
...
</Policy> 
 
Restart CUPS for the changes to take effect.  Also, the Unix group will have to exist and have users in it for this to work.

addgroup labprintadmin
adduser labadmin labprintadmin 
 
5. Check firewall ports
Open up 443 to whatever needs to access it, make sure it is listed in /etc/hosts.allow if you're using tcpwrappers, etc.

6. Modify the print queue
Now to apply the policy to the queue that the labprintadmin group should manage.

lpadmin -p LabPrinter -o printer-op-policy=mydefault

I verify the change in /etc/cups/printers.conf and restart the service if the OpPolicy directive does not have the new policy listed.

That should do it.

    What's this all about?

    This is a collection of notes relating to system administration, programming, and other technically related stuff. Whenever I work out a fix to something that was frustrating, painful, poorly documented, etc., I write it down so I don't ever have to go through it again. Well, as long as I've remembered that I wrote it down once before. I already have a collection of these posted elsewhere that will be migrating here soon.

    And the name? I heard this story on NPR this morning about tools never dying, which was interesting and pretty entertaining.  At the close of the story, the host of the show mentioned that the story could be read at the author's blog on the NPR website, where he 'even has his own slash!'  I thought it was funny and with the subject this blog will be devoted to, the reference to slashdot was relevant.