CUPS and cupsd.conf on Linux

Accessing a CUPS driven printer without password

I had to do a few print-outs with my old printer, and realized the old cupsd.conf didn’t do any more what I wanted it to do, namely running my printer on my home network, via http://127.0.0.1:631/, and without having to type in usernames and passwords there every time I wanted to change some printer settings.

After lots of googling I found a solution: I forgot where I found the template, and how much I changed it to make it work the way it should. You’ll find it below.

Please note that this configuration file is for a secure home network. That is I’m the only one using that printer. So if in doubt whether it’s a good idea or not to use this cupsd.conf – then for the sake of your network security: don’t use it.

Note the cups Debian packages installed with this file :

$ dpkg -l | grep -i cups
ii  cups                                  1.3.10-1                       Common UNIX Printing System(tm) - server
ii  cups-bsd                              1.3.10-1                       Common UNIX Printing System(tm) - BSD comman
ii  cups-client                           1.3.10-1                       Common UNIX Printing System(tm) - client pro
ii  cups-common                           1.3.10-1                       Common UNIX Printing System(tm) - common fil
ii  cups-driver-gutenprint                5.2.3-2+b1                     printer drivers for CUPS
ii  gutenprint-doc                        5.2.3-2                        users' guide for Gutenprint and CUPS
ii  libcups2                              1.3.10-1                       Common UNIX Printing System(tm) - libs
ii  libcupsimage2                         1.3.10-1                       Common UNIX Printing System(tm) - image libs

So here goes /etc/cups/cupsd.conf:

#
# "$Id: cupsd.conf.in 7199 2008-01-08 00:16:30Z mike $"
#
#   Sample configuration file for the Common UNIX Printing System (CUPS)
#   scheduler.  See "man cupsd.conf" for a complete description of this
#   file.
#

# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
LogLevel debug

# Administrator user group...
#SystemGroup lpadmin


# Only listen for connections from the local machine.
Listen localhost:631
Listen /var/run/cups/cups.sock

# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow all

# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Restrict access to the server...
<Location />
  Order deny,allow
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Encryption Required
  Order deny,allow
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  AuthType None
#  Require user @SYSTEM
  Order deny,allow
</Location>

# Set the default printer/job policies...
<Policy default>
  # Job-related operations must be done by the owner or an administrator...
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
#    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType None
#    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType None
#    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
#    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

#
# End of "$Id: cupsd.conf.in 7199 2008-01-08 00:16:30Z mike $".
#

An important part to stop access without authentication do seem to play the ‘Require user’ instances, that are commented out above.

I wouldn’t be astonished if the code above could be written much easier, more efficient, and yes, more beautiful than here – if all we want is unrestricted access to some printer: I did not have the time so far to find that solution. Please leave a comment here if you have one.

Thanks in anticipation.