PolicyKit and printing

The latest release of Fedora allows more flexibility with configuring print queues and managing print jobs. This is because it is now able to use PolicyKit to do these things, which means you get to choose when and whether users should be prompted for authentication when performing administration tasks on printers or jobs. The implementation is slightly tricky, so I’ll explain the details.

Before PolicyKit awareness was added there was already adjustable policy controlling IPP operations. This ‘CUPS policy’ mechanism is provided by the CUPS scheduler, cupsd, and its configuration is in the file /etc/cups/cupsd.conf. This controls which IP addresses are allowed to access various HTTP locations corresponding to the CUPS configuration actions (such as http://cups-server:631/admin), and which IP addresses, users, groups, and classes of users can carry out the various IPP operations such as cancelling jobs. It also specifies whether and how users must authenticate themselves.

This CUPS policy is great for managing CUPS servers remotely but is not consistent with the method used by the rest of the desktop environment, PolicyKit.  Although the CUPS policy can be adjusted using a fairly easy to use list of check-boxes (available in both the CUPS web interface and via System→Administration→Printing), it is not fine-grained enough to be as useful as PolicyKit can be.  The CUPS policy itself is very fine-grained, but this power is only unleashed by editing configuration files.
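An added example (not from the original post or from CUPS itself): a small Python parser for the `<Policy>`/`<Limit>` blocks of cupsd.conf that lists which IPP operations a policy leaves without a `Require` line. The sample configuration is constructed, with one block deliberately loosened, and the function names are hypothetical.

```python
import re

# Constructed sample in cupsd.conf syntax; not taken from a real host.
SAMPLE = """\
<Policy default>
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  # Deliberately loose for the demo: no Require line.
  <Limit Pause-Printer Resume-Printer>
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""

def parse_policies(text):
    """Return {policy: {operation: {directive: value}}} for <Policy> blocks."""
    policies, policy, ops = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"<(/?)(\w+)\s*(.*?)>", line)
        if m:
            closing, tag, args = m.group(1), m.group(2).lower(), m.group(3)
            if tag == "policy":
                policy = None if closing else policies.setdefault(args, {})
            elif tag == "limit" and policy is not None:
                ops = [] if closing else args.split()
                for op in ops:
                    policy.setdefault(op, {})
        elif policy is not None:
            # A directive applies to every operation named by the open <Limit>.
            key, _, value = line.partition(" ")
            for op in ops:
                policy[op][key.lower()] = value.strip()
    return policies

def ops_without_require(policies, name="default"):
    """Operations whose <Limit> carries no Require line (no user/group restriction)."""
    ops = policies.get(name, {})
    return sorted(op for op in ops if "require" not in ops[op])
```

Running `ops_without_require(parse_policies(SAMPLE))` on the sample returns the two printer operations and the catch-all `All` block, which are the entries to review first when auditing a hand-edited policy.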

With PolicyKit the policy can be adjusted easily using a graphical tool, to make it easier to perform certain tasks for those needing to do so. The intention is for Fedora “spins” to have appropriate default policies depending on their target audience, so that, for example, a desktop spin might allow the active console user to perform all administration tasks without being asked for authentication.

We have two types of policy then, CUPS policy and PolicyKit policy, for controlling print administration tasks.  The CUPS policy in Fedora is unmodified from the upstream CUPS releases, and is fairly restrictive.  The default PolicyKit policy for printing administration in Fedora is also fairly restrictive, and the overall policy is only as restrictive as the most relaxed of the two.

The implementation consists of a package called cups-pk-helper (created by Vincent Untz), which provides the D-Bus system service that acts as the mechanism for the policy: it performs the administration tasks on behalf of its clients by talking to the CUPS scheduler using IPP. It runs as root, so the default CUPS policy allows it to perform all administration tasks. It can authenticate itself as root by connecting over a UNIX domain socket (CUPS will use peer credentials to discover the requesting user) or, if that is not possible, by proving that it can read a certificate file only readable by root.

At present the only client for this system service is the printer configuration tool accessible from System→Administration→Printing.  The CUPS web interface and command line tools only use IPP directly.

How fine-grained is the policy?  Here are the defined operations:

  • Set a printer as system default printer
  • Enable/disable a printer
  • Add/remove/edit a local printer
  • Add/remove/edit a remote printer
  • Add/remove/edit a class
  • Get/set server settings
  • Restart/cancel/edit a job you own
  • Restart/cancel/edit a job owned by another user
  • Get the list of available devices (available in Fedora 11 soon)

For each of these operations, the policy depends on who is attempting to carry out the operation:

  • Someone on the active console
  • Someone on the console but inactive
  • Anyone else

For each of these groups of users, the policy can be that they are disallowed altogether, that they are allowed without authentication, or that they require authentication either as themselves or with the root password.  If authentication is required it can be:

  • Required every time
  • Required once but not needed for the rest of the time the configuration program is running
  • Required once per session
  • Required once and not again

Here is a screenshot of the program used for editing this policy, accessible from System→Preferences→Authorizations:

[Screenshot: Editing policy]