Allow non-wheel user to manage printers

Hello!

We’re currently evaluating Fedora Workstation as an alternative to Ubuntu at work. On Ubuntu we needed to add our non-wheel, non-sudo users to the groups lpadmin for managing printers and netdev for managing network connections. These groups do not exist on Fedora. How do I allow my users to manage printers on their own? Is there any group I could add them to to make it work? Do I need to add some polkit rules?

Any hints?

There are a couple of (default) groups that may do what you wish.
lp
printadmin (probably similar to the lpadmin group on ubuntu)

and a variety of groups for network functions depending upon what is desired.
With Workstation the normal user has some access to network control through the gnome settings control panel

Additionally, if you wish you could create a dedicated group for those users then add some very specific files within the /etc/sudoers.d/ directory giving that group access to the exact commands you wish to enable for them. Members of that group could then use sudo and only have access to the explicitly defined commands.

1 Like

Try if “printadmin” does the trick, that should be desired behavior.

Alternatively if the actions can be allowed with polkit, add the user to that group and allow only users in that group to manage printers.

Disclaimer, ChatGPT gave me most of this:

pkexec cat > /etc/polkit-1/rules.d/50-CUSTOM-printer-admin.rules <<EOF
polkit.addRule(function(action, subject) {
    if (action.id == "org.opensuse.cupspkhelper.mechanism.*" &&
        subject.isInGroup("printadmin")) {
        return polkit.Result.YES;
    }
});
EOF

The action is supposed to be called like that, you may want to choose specific actions only (instead of all *), list them with

pkaction --action-id org.opensuse.cupspkhelper.mechanism.*

As far as I know, if the group doesnt work out of the box this is a fedora bug. Polkit rules are the cool new stuff, and such a rule should be in place, so that this group works as it is supposed to.

2 Likes

Adding the account to the sys group allows access to the admin interface of CUPS, but in the GNOME Control Center I still cannot unlock the printer settings with said account. But your polkit rule is a very good hint. I want to understand it before I implement it so it can take some time until I report results. But AFAIU it looks good.

One thing, though, puzzles me. How did Canonical achieve it that GNOME Control Center does not ask for unlocking the printer settings tab? It is just unlocked if the user is in the lpadmin group. But I cannot find where they did it. Well, it’s not important, just a mystery.

I managed to get it to work, though not with a rule but with a localauthority file:

# /etc/polkit-1/localauthority/20-org.d/gnome-control-center_printadmin.pkla
[Allow printadmin members to administrate printers]
Identity=unix-group:printadmin
Action=org.opensuse.cupspkhelper.mechanism.all-edit
ResultAny=no
ResultInactive=no
ResultActive=yes

I have to admit that I don’t completely understand what I did here. Especially the Result lines are a bit opaque for me. I tried ResultActive=auth_self but the button “Unlock” didn’t work anymore, then.

I definitely have to dive deeper into polkit.

1 Like

Huh, I was amazed that worked, did some searching, and found this project which uses JavaScript rules to parse the pkla files.

History: polkit removed support for pkla files over a decade ago. (Debian has refused to update to newer polkit ever since.) You theoretically shouldn’t use the pkla format anymore, but apparently you still can! Since it works for you, I can’t think of any reason not to.

Feels like writing out a comparable rule using JavaScript should have worked, though. I wonder if the check action.id == "org.opensuse.cupspkhelper.mechanism.*" from the rule proposed above is actually correct. That looks like a normal JS string equality comparison, not a pattern match, so I suspect that’s probably checking for a literal * in the action ID.

2 Likes

That may be (I am overasked) and in general it will be best to define what you actually want to allow.

Use || to define multiple things at once. Try if the command to list the actions work for displaying what you need.

Also, is this polkit rule default? Because it seems it should.

this belongs to the set of “wheel-less” things that need manual config