On 1/13/23 8:53 PM, Chris Adams wrote:
Once upon a time, Robert Marcano <robert(a)marcanoonline.com>
said:
> Nothing against driverless printing, this is something I really
> like, bit I think all the move to HTTP is ignoring the feature that
> is being removed, and that I have an use for. There is not possible
> to have a printer connected to a computer that can't be restricted
> by CUPS to be used by only a few authorized users. The admin can
> implement CUPS authentication but an ipp://localhost:60000 open port
> entirely open to anyone on the local machine to submit print jobs
> directly bypassing CUPS.
I haven't tried it with firewalld or the newer nftables, but old
iptables could set rules based on user ID. I'd expect nftables also
implemented that, and firewalld could handle it in some fashion
(possibly a rich rule). With that, you could limit HTTP access to root
(I think cups runs as root).
Sounds like an ugly workaround, but betther than nothing. Looks possible
with nftables, it can even be possible to match the CUPS cgroup. But
there isn't anything for UID or cgroups on firewalld rich language syntax.