
AUTH: two Requires and Satisfy all does not work

Open mvogt1 opened this issue 7 months ago • 4 comments

Description: The given config for <Location /admin> does not work. It grants access to /admin for user joe, although joe is forbidden as admin.

Here is the config for "joe" on the cups server:

# joe is part of department_i
$ grep joe /etc/group
dep_i:x:813:joe

# joe is not part of printadmin
$ cat /etc/group | grep printadmin
printadmin:x:995:
# but joe is part of the group @SYSTEM
$ grep dep_i /etc/cups/cups-files.conf
SystemGroup sys root dep_i

To Reproduce: With this setup

<Location /admin>
  # Specifies that all Allow, AuthType, Deny, Order, and Require conditions must be satisfied to allow access.
  Satisfy all

  Encryption Required
  Order allow,deny
  AuthType Basic
  Require user @SYSTEM
  Require group printadmin
  Allow 10.136.17.0/24
</Location>

joe has access to /admin. (Rest is untouched from the default cupsd.conf)

Expected behavior: joe has no access to /admin because he is not listed in the group printadmin.

System Information:

  • OS and its version: RedHat 9.6
  • CUPS version 2.3.3op2

mvogt1 avatar Jun 26 '25 13:06 mvogt1

Try:

Require user @SYSTEM,@printadmin

michaelrsweet avatar Jun 26 '25 13:06 michaelrsweet

Nope.

I have modified it to Require user @SYSTEM,@printadmin and indeed joe is now forbidden, good.

But if I add joe now to the group printadmin he is still forbidden, bad.

As a result:

$ grep joe /etc/group
printadmin:x:995:joe

and

<Location /admin>
  # Specifies that all Allow, AuthType, Deny, Order, and Require conditions must be satisfied to allow access.
  Satisfy all

  Encryption Required
  Order allow,deny
  AuthType Basic
  Require user @SYSTEM,@printadmin

  Allow 10.136.17.0/24
</Location>


is forbidden, but from my understanding of the config, it should be allowed.

Changing it to:


<Location /admin>
  # Specifies that all Allow, AuthType, Deny, Order, and Require conditions must be satisfied to allow access.
  Satisfy all

  Encryption Required
  Order allow,deny
  AuthType Basic
  Require user @printadmin

  Allow 10.136.17.0/24
</Location>


works. Thus it's not possible to chain Require user @SYSTEM,@printadmin

mvogt1 avatar Jun 26 '25 15:06 mvogt1

It should be possible to specify multiple potential groups. I am not in front of a computer this week but I know that we use multiple groups for a variety of policy rules, so either I am remembering the syntax wrong or the “Satisfy all” is being too aggressive…

michaelrsweet avatar Jun 26 '25 17:06 michaelrsweet

Looking at this for CUPS 2.5...

michaelrsweet avatar Sep 21 '25 00:09 michaelrsweet
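
The access rule the reporter expected in the first post (client address allowed, member of an @SYSTEM group, and member of printadmin), written out as an added example that is not part of the thread or of CUPS; it models the intended policy only, not how cupsd evaluates Require lines. The ann account, the sys and root group lines and the passwd data are constructed, and the primary-group lookup is included because grep on /etc/group alone does not show membership by primary GID.

```python
import ipaddress

# Constructed sample data modelled on the first post (not real files).
GROUP = """\
dep_i:x:813:joe,ann
printadmin:x:995:
sys:x:3:
root:x:0:
"""
PASSWD = """\
joe:x:1001:1001::/home/joe:/bin/bash
ann:x:1002:995::/home/ann:/bin/bash
"""
CUPS_FILES = "SystemGroup sys root dep_i\n"
ALLOW_NET = ipaddress.ip_network("10.136.17.0/24")  # from the Allow line


def system_groups(cups_files_text):
    """Return the group names listed on SystemGroup lines."""
    names = []
    for line in cups_files_text.splitlines():
        parts = line.split()
        if parts and parts[0] == "SystemGroup":
            names += parts[1:]
    return names


def groups_of(user, group_text, passwd_text):
    """Supplementary groups (group data) plus the primary group (passwd GID)."""
    gid_name, found = {}, set()
    for line in group_text.splitlines():
        name, _, gid, members = line.split(":")
        gid_name[gid] = name
        if user in members.split(","):
            found.add(name)
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if fields[0] == user and fields[3] in gid_name:
            found.add(gid_name[fields[3]])
    return found


def expected_admin_access(user, client_ip, group_text=GROUP):
    """Intended rule: allowed address AND @SYSTEM member AND printadmin member."""
    mine = groups_of(user, group_text, PASSWD)
    in_system = bool(mine & set(system_groups(CUPS_FILES)))
    in_net = ipaddress.ip_address(client_ip) in ALLOW_NET
    return in_net and in_system and "printadmin" in mine
```

Comparing this result with what the server actually returns for each account gives a quick regression check after any change to the Location block.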