cupsenable issues 'client-error-not-authorized' when queue has ACL

[michaelrsweet]

Version: 2.0.2
CUPS.org User: arney

I ran this minimal script as 'root'

/usr/sbin/lpadmin -E -p Testo -v /dev/null
/usr/sbin/lpadmin -E -p Testo -u allow:sshd
/usr/sbin/cupsenable -E Testo
echo $?

and always got the error

cupsenable: Operation failed: client-error-not-authorized
1

on every of the following systems systems:

Centos 7.1 (Cups 1.6.3)
Ubuntu 12.04 (Cups 1.7.2)
Ubuntu 15.04 (Cups 2.0.2)

In each case, the queue was actually in enabled state post-run.

Further investigation showed that the error will show if and only if 'root' is not a member of the ACL, i.e. '-u allow:sshd' will lead to an error whereas '-u allow:sshd,root' will not.

In all cases, the cupsd.conf came unmodified from the vendor packages and included

All printer operations require a printer operator to authenticate...

AuthType Default Require user @System Order deny,allow

No such behavior was observed for cupsaccept/cupsreject/cupsdisable.

[michaelrsweet]

This is behaving as designed - the allow/deny user stuff has been around a lot longer than the operation policy stuff and takes precedence over it (backwards compatibility...)

I'll track this as a documentation change to the policies help file and lpadmin man page, to make it clear that you need to allow root (or the corresponding system groups) explicitly.

[leoarnold]

That would be very helpful since it is quite unexpected for root to be denied anything ;-)

[michaelrsweet]

[master f80e6f3] Documentation changes (Issue #4781)