Bug 249651 - Extra "Deny All" directive in cupsd.conf remote administration section
Summary: Extra "Deny All" directive in cupsd.conf remote administration section
Status: RESOLVED FIXED
Alias: None
Product: [OLD] Docs on www.gentoo.org
Classification: Unclassified
Component: Other documents
Hardware: All All
Importance: High normal
Assignee: nm (RETIRED)
URL: http://www.gentoo.org/doc/en/printing...
Reported: 2008-12-02 20:24 UTC by Ciprian Ciubotariu
Modified: 2009-12-29 19:32 UTC (History)
Description Ciprian Ciubotariu 2008-12-02 20:24:01 UTC
The Gentoo Printing Guide directs users to use the following pattern in cupsd.conf:

  Order allow,deny
  Allow localhost
  Allow 192.168.0.*
  Deny all

According to http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order this configuration can only yield deny results, as my own experience confirms.

There are two instances of similar constructs in the guide, which should leave out the final "Deny all" line.

Reproducible: Always

Steps to Reproduce:
1. Install cupsd
2. Follow the guide for setting up CUPS Remote Administration
3. Try to access the server remotely

Actual Results:  
403 Forbidden

Expected Results:  
Common UNIX Printing System 1.3.8
Comment 1 nm (RETIRED) gentoo-dev 2009-01-26 08:26:01 UTC
. . . except we already tell you to use your own IP numbers, not 192.168.0.*

See code listing 3.7.
Comment 2 Ciprian Ciubotariu 2009-01-26 09:36:10 UTC
Omg... you're alive!!! Let me explain this a bit:

Reading the URL I have posted there I have found a table. In case you don't have time, you can easily find it by scrolling up and down and locking onto a bold blue text in a table, which reads

Match  	Allow,Deny result  	Deny,Allow result

On the last row we find that 

Match both Allow & Deny  	Final match controls: Denied  	Final match controls: Allowed

Let me explain that for you: If a request using order "allow,deny" matches both allow and deny, the request is denied. Which means a Deny all directive would make any allow directive useless, since it will also match the Deny.

Consequently, your Gentoo Printing Guide at address http://www.gentoo.org/doc/en/printing-howto.xml misdirects the users to a few hours of work.

Can you please _tell us_ (well, others now) to not use Deny all for order allow,deny? Bug reopened.

(In reply to comment #1)
> . . . except we already tell you to use your own IP numbers, not 192.168.0.*
> 
> See code listing 3.7.
> 

Comment 3 Ewald Tienkamp 2009-12-20 23:52:24 UTC
I would like to add/confirm that when following the Gentoo Printing Guide ( http://www.gentoo.org/doc/en/printing-howto.xml ) and adding the Deny all line to my cupsd.conf, I was left with the opposite of what I was trying to achieve. Would it be possible to remove the Deny all line, for example the one under the heading "Remote Printer Access"?
Comment 4 Ciprian Ciubotariu 2009-12-21 04:10:24 UTC
(In reply to comment #3)
Pasting from the above URL, from "Allow,Deny":

"First, all Allow directives are evaluated; at least one must match, or the request is rejected."

Note that if an Allow matches, the request is not _allowed_ - it's just not _rejected_ for further evaluation. Coming back to the guide, here the request matches either 'localhost' or '192.168.0.' (i.e. internal network)

"Next, all Deny directives are evaluated. If any matches, the request is rejected."

So, request rejected. Period.

"Last, any requests which do not match an Allow or a Deny directive are denied by default."

The last phrase says that without a "Deny all" directive and no allow matching, the request is refused. No need for a Deny all.

Somewhat poorly phrased, the same is described at http://www.cups.org/documentation.php/doc-1.4/ref-cupsd-conf.html#Order

P.S. 12 months... come on...
Comment 5 nm (RETIRED) gentoo-dev 2009-12-29 19:32:38 UTC
Fixed in CVS.
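
The evaluation order quoted in comment 4, written out as a small checker. This is an added example, not part of the bug thread or the Gentoo guide; the function names, the loopback handling for `localhost`, and the client addresses 192.168.0.42 and 10.0.0.5 are assumptions constructed for illustration. It also covers `Order deny,allow`, which goes beyond the case reported in the bug.

```python
import fnmatch

GUIDE = "Order allow,deny\nAllow localhost\nAllow 192.168.0.*\nDeny all\n"  # pattern from the bug
FIXED = "Order allow,deny\nAllow localhost\nAllow 192.168.0.*\n"            # final line dropped
CLIENTS = ["127.0.0.1", "192.168.0.42", "10.0.0.5"]                         # constructed samples

def parse(block):
    """Return (order, allows, denies) from Order/Allow/Deny lines."""
    order, allows, denies = None, [], []
    for line in block.splitlines():
        words = line.split("#", 1)[0].lower().split()
        if len(words) < 2:
            continue
        if words[0] == "order":
            order = "".join(words[1:])
        elif words[0] == "allow":
            allows.append(words[-1])   # last word, so an optional "from" is skipped
        elif words[0] == "deny":
            denies.append(words[-1])
    if order not in ("allow,deny", "deny,allow"):
        raise ValueError("missing or unknown Order line")
    return order, allows, denies

def matches(pattern, client):
    if pattern == "all":
        return True
    if pattern == "localhost":         # simplification: loopback names only
        return client in ("localhost", "127.0.0.1", "::1")
    return fnmatch.fnmatchcase(client, pattern)

def allowed(block, client):
    order, allows, denies = parse(block)
    hit_allow = any(matches(p, client) for p in allows)
    hit_deny = any(matches(p, client) for p in denies)
    if order == "allow,deny":
        # Default deny; Allow lines are checked first, Deny lines last, so Deny wins.
        return hit_allow and not hit_deny
    # deny,allow: default allow; Deny lines first, Allow lines last, so Allow wins.
    return hit_allow or not hit_deny

def dead_allows(block):
    """Flag the pattern from this bug: 'Deny all' under allow,deny voids every Allow."""
    order, allows, denies = parse(block)
    return order == "allow,deny" and bool(allows) and "all" in denies

def audit(block, clients=CLIENTS):
    return {c: allowed(block, c) for c in clients}

if __name__ == "__main__":
    for name, block in (("guide", GUIDE), ("fixed", FIXED)):
        print(name, audit(block), "dead Allow lines:", dead_allows(block))
```

Running `dead_allows` over a cupsd.conf `<Location>` block before restarting the daemon catches the lockout described in the bug without needing a remote client to test from.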