On 1/13/23 8:53 PM, Chris Adams wrote:
Once upon a time, Robert Marcano <robert@xxxxxxxxxxxxxxxxx> said:
Nothing against driverless printing, this is something I really
like, bit I think all the move to HTTP is ignoring the feature that
is being removed, and that I have an use for. There is not possible
to have a printer connected to a computer that can't be restricted
by CUPS to be used by only a few authorized users. The admin can
implement CUPS authentication but an ipp://localhost:60000 open port
entirely open to anyone on the local machine to submit print jobs
directly bypassing CUPS.
I haven't tried it with firewalld or the newer nftables, but old
iptables could set rules based on user ID. I'd expect nftables also
implemented that, and firewalld could handle it in some fashion
(possibly a rich rule). With that, you could limit HTTP access to root
(I think cups runs as root).
Sounds like an ugly workaround, but betther than nothing. Looks possible
with nftables, it can even be possible to match the CUPS cgroup. But
there isn't anything for UID or cgroups on firewalld rich language syntax.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
