Running Linux, 5th Edition - Matthias Kalle Dalheimer [279]
ServerName gutenberg.example.com
This line sets the server name to gutenberg.example.com. CUPS accepts a large number of configuration directives; you should consult its manpage for complete details. Some sets of configuration directives are enclosed in sections delimited by lines that are enclosed in angle brackets:
AuthType Basic AuthClass System Order Deny,Allow Deny From All Allow From 127.0.0.1 Allow from 192.168.1.0/24
This set of lines sets directives that apply only to certain functions of the server—in this case, those handled by the /admin (administrative) subsystem. You can use this feature to selectively modify the CUPS security functions (or other functions). The /admin area is particularly important for controlling access to the CUPS web-based administration tool. The options shown in the preceding example control features you may want to adjust:
AuthType
The AuthType directive tells CUPS what type of authentication to require for access to the location. In the case of /admin, this is usually set to Basic, which corresponds to password exchanges in cleartext. If you intend to administer the server from remote systems, you may want to change this to Digest, which adds encryption for the password exchange. (This feature requires that you set a password digest using the lppasswd program.) Some subsystems don't normally enable authentication; they use None for the AuthType. This configuration is a common default setting, and enables users to print without providing a password.
AuthClass
This directive tells CUPS what groups of users to accept. Possible values are Anonymous, User, System, and Group. The Anonymous option specifies that no authentication should be performed. User means that any valid username and password will grant access. System means that the user who authenticates must be a member of the CUPS system group. (This option varies from system to system, but it's normally sys, system, or root. You can set it with the SystemGroup option.) The Group option enables you to specify a Linux group name with the AuthGroupName directive, which must appear on another line.
Order
This directive tells CUPS whether to grant or deny access by default. If it's set to Deny,Allow, CUPS denies access unless it's explicitly granted. Setting the value to Allow,Deny grants access unless it's specifically denied.
Deny and Allow
These directives specify machines or networks from which access should be denied or allowed, respectively. You can specify machines by IP address, by network address, by hostname, by domain name (preceding the name with a dot), by the keywords All or None, or by the variables @IF (followed by a specific interface name in parentheses) or @LOCAL (for all local networks).
To enable web-based configuration, you should be sure that your CUPS configuration has an /admin location defined and that it grants access to the 127.0.0.1 address, as shown in the preceding example. That example also gives administrative access to users on the 192.168.1.0/24 network. Generally speaking, you should activate such access only for print servers that you want to administer remotely; opening this option up increases the security risks associated with running CUPS.
If you want to completely disable the CUPS web-based administrative tools (say, because you intend to use your distribution's own CUPS administrative programs instead), you should remove all the Allow directives and ensure that the configuration includes a Deny from All directive.
Enabling