CUPS is asking for username/password for admin


darndog
05-13-2004, 07:38 AM
This is an issue that has come up recently on a few machines I support. Now my CUPS (localhost:631) is requesting a password to access printer configuration. I guess there is a default, but I haven't been able to find it anywhere. Anyone know how to sort this?

G4 400 AGP, 10.3.3 all updates applied.

biovizier
05-13-2004, 01:45 PM
The requirement for a password to access CUPS admin functions might have been introduced with the May 2004 security update. The behaviour is specified in
/etc/cups/cupsd.conf
If you haven't previously made any changes to this file, you could probably get away with replacing the current cupsd.conf file with the cupsd.conf.applesaved file in the same directory, if you have one. (Back up both files first, just in case.)

Instructions for editing cupsd.conf can be found at
http://localhost:631/sam.html
Based on that, you should be able to comment out the lines:
<Limit GET>
AuthType Basic
AuthClass System
</Limit>
that appear between the <Location /admin> </Location> tags near the end of the file to disable the requirement for a password. Keep in mind that you would be losing the security benefits of requiring a password though.

[edit] forgot to mention restarting cups after making changes:
sudo killall -HUP cupsd

In my case, CUPS suddenly started asking for a password, but would accept nothing short of root, which I normally keep disabled. Although I eventually got it working using AuthType Digest, I get the impression from other forums that something is not right about changes made by recent updates. Any comments from people experienced with CUPS would be appreciated.

[edit2] Changed AuthType to ShadowHash and it seems to be accepting admin passwords normally now.

Cap'n Hector
05-23-2004, 10:40 AM
In Mac OS X 10.3, CUPS was updated to ask for the root password when you use it. It looks like the above change addresses that...

darndog
05-24-2004, 06:17 PM
Thanks for that.

Looking through the Secunia advisory (http://secunia.com/advisories/11303/) on the update that changed this reveals this unhelpful bit of info:
3) An unspecified vulnerability exists within the CUPS Printing system.

Whatever it is, Apple aren't telling, but assuming that it needed patching, I wonder if I should permanently change the admin settings. I think I will use your advice to temporarily enable admin on the occasions I need access.

chris_on_hints
08-06-2004, 06:52 AM
I have the identical problem, and have noticed that if you set "AuthType ShadowHash", CUPS admin accepts any user name/pwd, not just the ones specified by the "SystemGroup lp,admin" line. I have tried using my non-admin user, and it lets it right in.... (only with correct pwd, so it's not a gaping security hole)

Maybe this is why Apple chose to lock down the CUPS admin??

I think in the meantime, if you do need easy and regular access to CUPS admin via the web interface, make sure you limit the hosts allowed access to your own machine:

Order Deny,Allow
Deny From All
Allow From 127.0.0.1

(and maybe even set up your firewall to limit access to the 631 port to 'trusted' computers just in case...!!)

This should be fine as long as you trust the other users of your machine to keep their passwords safe and not to muck with the settings....

chris_on_hints
08-08-2004, 09:29 AM
UPDATE - after setting the "AuthType ShadowHash" (see posts above), I can now get into the admin section of the web interface, but CAN NO LONGER PRINT.

I had to turn it back to "AuthType Basic" to get it to work again. I checked the /var/log/cups/error_log and found the following entries:

The most interesting one is the one relating to ShadowHash - maybe this explains why using this setting lets any user in??

I [06/Aug/2004:13:00:51 +0100] Loaded configuration file "/private/etc/cups/cupsd.conf"
I [06/Aug/2004:13:00:51 +0100] Configured for up to 100 clients.
I [06/Aug/2004:13:00:51 +0100] Allowing up to 100 client connections per host.
I [06/Aug/2004:13:00:51 +0100] Full reload is required.
I [06/Aug/2004:13:00:52 +0100] LoadPPDs: Read "/private/etc/cups/ppds.dat", 211 PPDs...
I [06/Aug/2004:13:00:52 +0100] LoadPPDs: No new or changed PPDs...
I [06/Aug/2004:13:00:53 +0100] Full reload complete.
E [06/Aug/2004:13:00:53 +0100] StartListening: Unable to bind socket - Address already in use.
I [06/Aug/2004:13:01:09 +0100] Listening to 0:631
W [06/Aug/2004:13:01:09 +0100] Unknown authorization type ShadowHash on line 836.
I [06/Aug/2004:13:01:09 +0100] Loaded configuration file "/private/etc/cups/cupsd.conf"
I [06/Aug/2004:13:01:09 +0100] Configured for up to 100 clients.
I [06/Aug/2004:13:01:09 +0100] Allowing up to 100 client connections per host.
I [06/Aug/2004:13:01:09 +0100] Full reload is required.
I [06/Aug/2004:13:01:10 +0100] LoadPPDs: Read "/private/etc/cups/ppds.dat", 211 PPDs...
I [06/Aug/2004:13:01:10 +0100] LoadPPDs: No new or changed PPDs...
I [06/Aug/2004:13:01:11 +0100] Full reload complete.
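
A check for the two things this thread turns on, added here as an example (not code from any poster or from CUPS): it reports a <Location /admin> block left without an active AuthType or without "Deny From All", and cross-references AuthType lines against "Unknown authorization type" warnings in error_log. The function names and both sample inputs are constructed for illustration.

```python
import re
# Constructed cupsd.conf excerpt, shaped like the directives quoted in the thread.
SAMPLE_CONF = """\
<Location /admin>
<Limit GET>
AuthType ShadowHash
AuthClass System
</Limit>
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
</Location>
"""
# Constructed log in the thread's error_log format (line number matches the sample).
SAMPLE_LOG = """\
I [06/Aug/2004:13:01:09 +0100] Listening to 0:631
W [06/Aug/2004:13:01:09 +0100] Unknown authorization type ShadowHash on line 3.
"""
UNKNOWN_AUTH = re.compile(r"^W \[[^\]]+\] Unknown authorization type (\S+) on line (\d+)\.")

def rejected_auth_lines(log_text):
    """Return {config line number: AuthType value} for every cupsd warning."""
    return {int(m[2]): m[1] for m in map(UNKNOWN_AUTH.match, log_text.splitlines()) if m}

def audit_admin(conf_text, log_text):
    """List problems with the <Location /admin> block of a cupsd.conf."""
    rejected, findings = rejected_auth_lines(log_text), []
    in_admin = has_auth = deny_all = False
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # commented-out directives do not count
        low = line.lower()
        if low.startswith("<location"):
            in_admin = low.split()[-1].rstrip(">") == "/admin"
            has_auth = deny_all = False
        elif in_admin and low.startswith("</location"):
            if not has_auth:
                findings.append("/admin has no active AuthType: no password is asked")
            if not deny_all:
                findings.append("/admin has no 'Deny From All': not limited by host")
            in_admin = False
        elif in_admin and low.startswith("authtype"):
            has_auth = low.split()[-1] != "none"   # AuthType None disables auth
            if no in rejected:
                findings.append(f"line {no}: cupsd did not recognise AuthType {rejected[no]}")
        elif in_admin and low.split() == ["deny", "from", "all"]:
            deny_all = True
    return findings
```

On a real system, pass in the contents of /private/etc/cups/cupsd.conf and /var/log/cups/error_log, the paths shown in the thread.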