Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!


Click here to return to the '10.5 Allow non-admin users to add and remove printers' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
10.5 Allow non-admin users to add and remove printers
Authored by: dhoit on Oct 08, '08 09:32:31AM

This is a bad idea. You are allowing access to a lot of things that should be restricted in your quest to open printing to standard users. (Also, the security command line tool should be used to make changes to /etc/authorization in 10.5+.)
The better solution here is to edit the cupsd.conf file in /etc/cups/. With a simple one line change, you can grant access to standard users. The modified cupsd.conf file can be pushed to all your machines, and you don't risk hosing things by mucking around with the authorization database.
Under the section commented "#All administration operations require an administrator to authenticate", you will find a line that looks like "Require user @SYSTEM" . Replace it with the line "Require user @AUTHKEY(system.print.admin) @admin @lpadmin"
All users are part of lpadmin by default, so all users now have access to add printers.
The only catch to this is, limited users can't add printers from the System Preferences control panel. The unlock key there is not for the cups printing authorization we just changed, but for the panel, and uses an /etc/authorization general rule for system preferences. When the user clicks print in an application though, they can choose "add printer" and get the standard add printer form. Everything works as expected from there.
Related: man cupsd.conf, man security


---
--DH



[ Reply to This | # ]
10.5 Allow non-admin users to add and remove printers
Authored by: macsadmn on Oct 08, '08 09:48:23AM

Thanks for the feedback. We were not aware that there is a security command line tool to modify /etc/authorization; we'll definitely have to look into that. As for allowing access to a lot of other things... that's why I mentioned using Workgroup Manager to lock those "other" system preferences down. As previously stated, we are aware of the hints that involved modifying /etc/cups/cupsd.conf, but..."those hints did not allow a standard way for a non-admin user to [add and] remove printers" (i.e. through the system preference).

If only Apple would allow a user or group defined option of adding and removing printers in 10.5 manageable through Workgroup Manager :-)

Thanks again for the feedback.



[ Reply to This | # ]
10.5 Allow non-admin users to add and remove printers
Authored by: dhoit on Oct 08, '08 11:01:51AM

Well, I can't force you to leave it alone, but I would highly suggest you avoid making that specific change to authorization.
Its a pain that Apple has left so much of System Preferences at the default admin ruleset, but until they fix it, changing that one setting opens the door to a lot of other things.
If you are really worried about the user being able to add printers in "A standardized way" and doing it from the print dialog is not good enough, you can always make an alias to /System/Library/CoreServices/AddPrinter and place it on their dock. They get an easy way to make em, but not delete them. (although a link to localhost:631/printers provides an easy enough delete...)

Good luck.


---
--DH



[ Reply to This | # ]
10.5 Allow non-admin users to add and remove printers
Authored by: tmoldovan on Oct 10, '08 09:41:40AM

Thank you!



[ Reply to This | # ]