CUPS全称为Common Unix Printing System,是类Unix系统上的通用打印系统,支持本地、远程打印。CUPS主要有以下组件或子系统组成:

  • print spooler/scheduler: convert LPD requests to IPP; provide a web-based interface for managing print jobs, configurations
  • filter system:convert the print data to specified formats
  • backend system:send data to print devices


CUPS Simple


[[email protected]]# pwd

[[email protected]]# tree 
├── classes.conf					
├── client.conf
├── cupsd.conf						--> CUPS服务配置
├── cupsd.conf.default
├── interfaces
├── lpoptions
├── paps.convs
├── ppd
├── printers.conf					--> 打印队列配置
├── snmp.conf
├── ssl
└── subscriptions.conf

3 directories, 10 files

以上配置文件介绍、作用、指令,大都可以使用man file来查看;若还有不明确的,可以访问CUPS服务的Online Help页面,内容比较详细。


When you enable remote administration, the server will use Basic authentication for adminstration tasks. The current CUPS server supports Basic, Digest, Kerberos, and local certificate authentication:

  • Basic authentication essentially places the clear text of the username and password on the network. Since CUPS uses the system username and password account information, the authentication information could be used to gain access to possibly privileged accounts on the server.

    Recommendation: Enable encryption to hide the username and password information - this is the default on MacOS X and systems with GNU TLS or OpenSSL installed.

  • Digest authentication uses an MD5 checksum of the username, password, and domain (“CUPS”), so the original username and password is not sent over the network. The current implementation does not authenticate the entire message and uses the client’s IP address for the nonce value, making it possible to launch “man in the middle” and replay attacks from the same client.

    Recommendation: Enable encryption to hide the username and password information.

  • Local certificate authentication passes 128-bit “certificates” that identify an authenticated user. Certificates are created on-the-fly from random data and stored in files under /var/run/cups/certs. They have restricted read permissions: root + system-group(s) for the root certificate, and lp + lp for CGI certificates. Because certificates are only available on the local system, the CUPS server does not accept local authentication unless the client is connected to the loopback interface ( or ::1) or domain socket.

    Recommendation: Ensure that unauthorized users are not added to the system group(s).

这里使用”Basic Authentication”介绍下使用系统账户访问CUPS服务的方式。


[[email protected]]# groupadd cupsadmin

[[email protected]]# useradd -g cupsadmin -s /sbin/nologin cupsuser

[[email protected]]# passwd  cupsuser


[[email protected]]# vim /etc/cups/cupsd.conf
... ...

# Administrator user group...
# 2013-05-06 [email protected]  customize SystemGroup to cupsadmin
SystemGroup cupsadmin

# Only listen for connections from the local machine.
#Listen localhost:631
# 2013-05-06 [email protected] listen on 631 port of all the interfaces
Listen 631
Listen /var/run/cups/cups.sock

# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow all
BrowseLocalProtocols CUPS dnssd

# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Restrict access to the server...
# 2013-05-06 [email protected] access control
<Location />
  Order allow,deny
  Allow all
  Require valid-user
  Require user @SYSTEM

# Restrict access to the admin pages...
# 2013-05-06 [email protected] access control
<Location /admin>
  Order allow,deny
  Allow all
  Require valid-user
  Require user @SYSTEM

# Restrict access to configuration files...
# 2013-05-06 [email protected] access control
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
  Allow all
  Require valid-user
  Require user @SYSTEM
... ...


[[email protected]]# service cups restart
Stopping cups:                                             [  OK  ]
Starting cups:                                             [  OK  ]




blog comments powered by Disqus


06 May 2013