Essential System Administration, Third Edition
The Common Unix Printing System (CUPS) is another project aimed at improving, and ultimately superseding, the traditional printing subsystems. CUPS is distinguished by the fact that it was designed to address printing within a networking environment from the beginning, rather than being focused on printing within a single system. Accordingly, it has features designed to support both local and remote printing, as well as printers directly attached to the network. We will take a brief look at CUPS in this section. The homepage for the project is http://www.cups.org.

CUPS is implemented via the Internet Printing Protocol (IPP). This protocol is supported by most current printer manufacturers and operating systems. IPP is implemented as a layer on top of HTTP, and it includes support for security-related features such as access control, user authentication, and encryption. Given this structure, CUPS requires a web server on printer server systems.

Architecturally, CUPS separates the print job handling and device spooling functions into distinct modules. Print jobs are given an identifier number and also have a number of associated attributes: their destination, priority, media type, number of copies, and so on. As with other spooling subsystems, filters may be specified for print queues and/or devices in order to process print jobs. The CUPS system provides many of them. Finally, backend programs are responsible for sending print jobs to the actual printing devices.

CUPS also supports printer classes: groups of equivalent printers fed by a single queue (we've previously also referred to such entities as printer pools). CUPS extends this construct by introducing what it calls "implicit classes." Whenever distinct printers and/or queues on different servers are given the same name, the CUPS system treats the collection as a class, controlling the relevant entities as such. In other words, multiple servers can send jobs to the same group of equivalent printers.
In this way, implicit classes may be used to prevent any individual printing device or server system from becoming a single point of failure. Classes may be nested: a class can be a member of another class.

13.7.1 Printer Administration
CUPS supports the lpr, lpq, and lprm commands and the lp, lpstat, and cancel commands from the BSD and System V printing systems, respectively. For queue and printer administration, it offers two options: command-line utilities, including a version of the System V lpadmin command, or a web-based interface. The latter is accessed by pointing a browser at port 631: for example, http://localhost:631 for the local system. The following commands are available for managing and configuring print queues. Note that all of them except lpinfo specify the desired printer as the argument to the -p option:
Here is an example lpadmin command, which adds a new printer:

    # lpadmin -plj4 -D"Finance LaserJet" -L"Room 2143-A" \
        -vsocket://192.168.9.23 -mlaserjet.ppd

This command adds a printer named lj4 located on the network using the indicated IP address. The printer driver to be used is laserjet.ppd (several are provided with the CUPS software). The -D and -L options provide descriptions of the printer and its location, respectively.

In general, the -v option specifies the printing device as well as the method used to communicate with it. Its argument consists of two colon-separated parts: a connection-type keyword (which selects the appropriate backend module), followed by a location address. Here are some syntax forms:

    parallel:/dev/device        Local parallel port
    serial:/dev/device          Local serial port
    usb:/dev/usb/device         Local USB port
    ipp://address/port          IPP-based network printer
    lpd://address/DEVICE        LPD-based network printer
    socket://address[:port]     Network printer using another protocol (e.g., JetDirect)

The CUPS version of lpadmin has several other useful options: -d to specify a system default printer (as under System V), -c and -r to add/remove a printer from a class, and -x to remove the print queue itself.

Under CUPS, printers need only be configured on the server(s) where the associated queues are located. All clients on the local subnet will be able to see them once CUPS is installed and running on each system.

13.7.1.1 CUPS configuration files
CUPS maintains several configuration files, stored in the /etc/cups directory. Most of them are maintained by lpadmin or the web-based administrative interface. The one exception, which you may need to modify manually, is the server's main configuration file, cupsd.conf. Here are some sample annotated entries (all non-system-specific values are the defaults):

    ServerName painters.ahania.com       Server name.
    ServerAdmin root@ahania.com          CUPS administrator's email address.
    ErrorLog /var/log/cups/error_log     Log file locations.
    AccessLog /var/log/cups/access_log
    PageLog /var/log/cups/page_log       Printer accounting data.
    LogLevel info                        Log detail (other levels: debug, warn, error).
    MaxLogSize 1048571                   Rotate log files when current is bigger than this.
    PreserveJobFiles No                  Don't keep files after print job completes.
    RequestRoot /var/spool/cups          Spool directory.
    User lp                              Server user and group owners.
    Group sys
    TempDir /var/spool/cups/tmp          CUPS temporary directory.
    MaxClients 100                       Maximum client connections to this server.
    Timeout 300                          Printing timeout period in seconds.
    Browsing On                          Let clients browse for printers.
    ImplicitClasses On                   Implicit classes are enabled.
13.7.1.2 Access control and authentication
Printer access control, user authentication, and encryption are also enabled and configured in the cupsd.conf configuration file.[9]

[9] These features are somewhat in flux as of this writing, so there may be additional capabilities in your version of CUPS. Consult the CUPS documentation for details on the current state of things.

Encryption is controlled by the Encryption entry:

    Encryption IfRequested

The entry indicates whether or not to encrypt print requests (in order to use encryption, the OpenSSL library must be linked into the CUPS facility). The default is to encrypt files if the server requests it; other values are Always and Never. Additional keywords may be added as other encryption methods become available.

There are two main entries related to user authentication:
The encryption- and user authentication-related entries are used to specify requirements for specific printers or printer classes. These are defined via stanzas like the following in the configuration file:

    <Location /item>
    [Encryption entry]              The ordering here is not significant.
    [Authentication entries]
    [Access control entries]
    </Location>

The pseudo-HTML directives delimit the stanza, and the item specified in the opening tag indicates the entities to which the stanza applies.[10] It can take one of the following forms:

[10] Again, note the similarity to the Apache configuration file syntax.

    /                   Defaults for the CUPS system.
    /printers           Applies to all non-specified printers.
    /printers/name      Applies to a specific printer.
    /classes            Applies to all non-specified classes.
    /classes/name       Applies to the specified class.
    /admin              Applies to CUPS administrative functions.

Here are some example stanzas (which also introduce the access control directives):

    <Location />                    System defaults.
    Order Deny,Allow                Interpret Allow list as overrides to Deny list.
    Deny From All                   Deny all access . . .
    Allow From 127.0.0.1            . . . except from the local host.
    </Location>

    <Location /printers>
    Order Allow,Deny                Interpret Deny list as exceptions to Allow list.
    Allow From .ahania.com          Allow access from these domains . . .
    Allow From .essadm.com
    Deny From 192.168.9.0/24        . . . but exclude this subnet.
    </Location>

    <Location /classes/checks>      Applies to class named checks.
    Encryption Always               Always encrypt.
    AuthType Digest                 Require valid user account and password.
    AuthClass Group                 Restrict to members of the finance group.
    AuthGroupName finance
    Order Deny,Allow
    Deny From All                   Deny all access . . .
    Allow From 10.100.67.0/24       . . . except from this subnet.
    </Location>

    <Location /admin>               Access for administrative functions.
    AuthType Digest                 Require valid user account and password.
    AuthClass System                Limit to system group members.
    Order Deny,Allow
    Deny From All                   Restrict access to the local domain.
    Allow From .ahania.com
    </Location>

Consult the CUPS documentation for information about the facility's other features as well as its installation procedure.
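The Order, Allow, and Deny entries in the example stanzas can be checked offline before a configuration change goes live. The following Python sketch is an added example, not code from the book or the CUPS project: it parses Location stanzas and evaluates whether a given client would be admitted. The function names are hypothetical, and the result when neither list matches (allowed under Deny,Allow, refused under Allow,Deny) is assumed to follow the Apache-style convention the text alludes to.

```python
import ipaddress

# Constructed sample: two stanzas from the examples above, annotations dropped.
SAMPLE = """\
<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
</Location>
<Location /printers>
Order Allow,Deny
Allow From .ahania.com
Allow From .essadm.com
Deny From 192.168.9.0/24
</Location>
"""

def parse_locations(text):
    """Map each Location path to its Order value and Allow/Deny source lists."""
    stanzas, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        low = line.lower()
        if low.startswith("<location "):
            cur = stanzas[line[10:-1].strip()] = {"order": None, "allow": [], "deny": []}
        elif low == "</location>":
            cur = None
        elif cur is not None and low.startswith("order "):
            cur["order"] = low.split(None, 1)[1].replace(" ", "")
        elif cur is not None and low.startswith(("allow from ", "deny from ")):
            kind, _, src = low.split(None, 2)
            cur[kind].append(src)
    return stanzas

def matches(src, ip, host):
    """True if a source spec (All, .domain, address or CIDR) covers the client."""
    if src == "all":
        return True
    if src.startswith("."):
        return host.lower().endswith(src)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(src, strict=False)

def allowed(stanza, ip, host=""):
    """Evaluate one stanza; defaults when nothing matches are an assumption."""
    hit_allow = any(matches(s, ip, host) for s in stanza["allow"])
    hit_deny = any(matches(s, ip, host) for s in stanza["deny"])
    if stanza["order"] == "allow,deny":   # Deny list = exceptions to Allow list
        return hit_allow and not hit_deny
    if stanza["order"] == "deny,allow":   # Allow list = overrides to Deny list
        return hit_allow or not hit_deny
    raise ValueError("stanza has no recognised Order line")
```

Running the stanzas through allowed() with a handful of representative client addresses and host names shows which of them a proposed rule set would actually admit.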