i wanted to cancle all printing jobs on a network printer
cupsenable [printername]
cancel -a [printername]
cancel: purge-jobs failed: Forbidden
the user is member of the "lp" group
also i added @OWNER in the limits in the /etc/cups/cupsd.conf file where the purge-job and cancel-jobs are
after that i closed my sessions and tried again, same error again.
after that i explicitly added the user with whom i wanted to cancel the jobs
closed the sessions i had open and tried again -> didn't
maybe im missing something?
here is my cupsd.conf:
Listen /var/run/cups/cups.sock
Browsing On
BrowseLocalProtocols dnssd
DefaultAuthType Basic
WebInterface Yes
<Location />
# Allow remote access...
Order allow,deny
Allow all
</Location>
<Location /admin>
</Location>
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
</Location>
<Policy default>
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
<Limit Create-Job Print-Job Print-URI Validate-Job>
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel- Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get- Document>
Require user @OWNER @SYSTEM sonex
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM sonex
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM sonex
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
<Policy authenticated>
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Default
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get- Document>
AuthType Default
Require user @OWNER @SYSTEM sonex
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate- Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM sonex
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Default
Require user @OWNER @SYSTEM sonex
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
maybe i am missing some sort of premission?
i cant make the user superuser because the customer is using this account and he should not be super user on the server.
I got here by googling:
cancel: cancel-job failed: Forbidden
My fix was to give the lp group permission to run cups commands and then add users to the lp group.
First, add lp to the SystemGroup in /etc/cups-files.conf...
# Administrator user group, used to match @SYSTEM in cupsd.conf policy rules...
SystemGroup sys root lp
Restart cups...
systemctl restart cups
Add users to the lp group.
usermod -a -G lp user1
user1 can now run
cancel PRINTER-12345
and use the [Cancel Job] buttons on cups site (will be prompted for login).
Require user {user-name|@group-name} ...
Specifies that an authenticated user must match one of the named users or be a member of one of the named groups. The group name "@SYSTEM" corresponds to the list of groups defined by the SystemGroup directive in the cups-files.conf(5) file.
tldr;
/etc/cupsd.conf give permissions to @SYSTEM.
/etc/cups-files.conf SystemGroup defines @SYSTEM.