This is a topic I’ve seen covered in many places, however most of the articles I see on this topic only get part of the solution or solve it in a way that creates unnecessary security issues. In light of this, I’ve decided to talk about what I consider to be the best practices on the subject and the reasons why.
Why Did Apple Limit The Printing System?
Unless you know why Apple imposed security restrictions on the printing system, it seems pretty silly and detrimental to users. After I understood the reasons behind the change, it made a lot of sense.
When you add a printer in CUPS (Common UNIX Printing System, the printing software under the proverbial hood) and specify a PPD file for that printer, the PPD file can, and often does, run software as root. This function of the printing system could be used to run malicious code. To help mitigate this risk, administrator authentication is required if the logged in user is not an administrative user or if the “Require password to unlock each System Preferences pane” box has been checked in the Security System Preferences Pane. None of this is an issue in the “typical” home computer installation since there is only one user and that user is an administrator. For environments that require extra security, indicated by having standard (non-admin) user accounts and/or system preference restrictions, this vulnerability is closed.
Make A Spare Key; Don’t Remove the Door
Many of the blogs and forum posts I’ve read on this subject advocate the removal of CUPS security features. If this sounds like a good idea, ask yourself this; if you wanted to give someone access to your home, would you take your front door off its hinges or give this person a key? I think the answer is clear.
Understanding The Lock
Before we can make our “spare key”, we need to understand how the lock works. to do that, we’ll look at the default CUPS configuration file, found at
/private/etc/cups/cupsd.conf and how it defines CUPS Operation policies. Every Mac OS X Leopard installation includes detailed documentation on this subject at http://localhost:631/help/policies.html (link opens in a new window) For our purposes, we’ll look at the specific section of the cupsd.conf file that covers adding, deleting and setting default printers, but this URL is your best reference for CUPS operation and configuration.
# All administration operations require an administrator to authenticate... <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Set-Default> AuthType Default Require user @SYSTEM Order deny,allow </Limit>
The line that reads
Require user @SYSTEM is what dictates that administrative authentication is required.
Making the Spare Key
Many people are recommending deleting or commenting out this block of text. This is the equivalent of taking the door off of the hinges that I mentioned. Instead, we can modify this block to grant permission to groups that we define, rather than removing the security feature. If we add user or group names to the line that reads
Require user @SYSTEM, those users and members of those groups will be granted the add, delete and set default permissions. See the example below…
# All administration operations require an administrator to authenticate... <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Set-Default> AuthType Default Require user @SYSTEM @admin @lpadmin @mycustomgroup mycustomuser Order deny,allow </Limit>
This modification allows the members of the admin, lpadmin and mycustomgroup groups and the user mycustomuser to add, delete and set default printers. Group names require the preceding “@” character, usernames do not.
There are other default policies in the default cupsd.conf file that govern pausing & resuming queues, holding & deleting print jobs, etc. These policies can be modified in the same way. The CUPS help file (link at the top of this article) contains details on 38 different printing system operations that can be governed by the cupsd.conf file and detailed instructions on creating your own policies within the file. Using that information, you should be able to configure virtually any required or desired security settings.
2 thoughts on “Printing For Non-Admins In Leopard”
Can AD groups be used?
Yes, so long as the group can be resolved by the computer, meaning the computer is bound to the given directory.