CUPS/group rules

[Ante Karamatić]

I have one quesstion/sugesstion on CUPS or/and groups rules.

When one creates user on Ubuntu system (via adduser command), that user
is not in any group - great, just what I want. But, that user is able to
print - huh?! But he isn't able to remove his print job (lprm) - get's
assked for a password, cause of Auth* instructions in /jobs location in
cupsd.conf.

So, default user can do DOS on printer, and, if he wants, he can't stop
it. Putting user in 'lp' group does nothing, cause that group doesn't
have any permissons on cups. Putting it in lpadmin fixes this, but... He
can remove all print jobs then, even if root prints them. This isn't
such a big problem on desktop, but makes Ubuntu default install unusable
for a bit complicated print server.

Suggestion is to remove Auth instructions for /jobs location and create
enviorment in which only users in lp group will be able to print and
delete their own print jobs. Another group, lpadmin, should be able to
delete all jobs, stop/start printer, etc. Should lpadmin group be able
to add new printers? Well, best thing would be - no, but I understand
that we love our desktop users, so they should be able to easily add new
printers (via wizards, etc...). Default user shouldn't be able to print.
I have a problem where I want to enable printing for 5 users, but not
for the rest of 600 :).

Any toughts?

-- 
Ante Karamatic|--|ivoks(@)grad.hr|--|PGP: D3BDA225
http://master.grad.hr/~ivoks/|--|ICQ: 64631782
May, 15. <herve> we're fixing the universe, it's not an easy duty!