Cups cancle jobs gives forbidden error

Question

i wanted to cancle all printing jobs on a network printer

cupsenable [printername]
cancel -a [printername]
cancel: purge-jobs failed: Forbidden

the user is member of the "lp" group

also i added @OWNER in the limits in the /etc/cups/cupsd.conf file where the purge-job and cancel-jobs are

after that i closed my sessions and tried again, same error again.

after that i explicitly added the user with whom i wanted to cancel the jobs

closed the sessions i had open and tried again -> didn't

maybe im missing something?

here is my cupsd.conf:

Listen /var/run/cups/cups.sock
Browsing On
BrowseLocalProtocols dnssd
DefaultAuthType Basic
WebInterface Yes
<Location />
# Allow remote access...
Order allow,deny
Allow all
</Location>
<Location /admin>
</Location>
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
</Location>
<Policy default>
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
<Limit Create-Job Print-Job Print-URI Validate-Job>
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs     Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel- Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get- Document>
Require user @OWNER @SYSTEM sonex
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class        CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM sonex
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM sonex
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
<Policy authenticated>
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Default
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs  Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-  Document>
AuthType Default
Require user @OWNER @SYSTEM sonex
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-   Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer             Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM sonex
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Default
Require user @OWNER @SYSTEM sonex
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>

maybe i am missing some sort of premission?

i cant make the user superuser because the customer is using this account and he should not be super user on the server.

Answer 1

I got here by googling:

cancel: cancel-job failed: Forbidden

My fix was to give the lp group permission to run cups commands and then add users to the lp group.

First, add lp to the SystemGroup in /etc/cups-files.conf...

# Administrator user group, used to match @SYSTEM in cupsd.conf policy rules...
SystemGroup sys root lp

Restart cups...

systemctl restart cups

Add users to the lp group.

usermod -a -G lp user1

user1 can now run

cancel PRINTER-12345

and use the [Cancel Job] buttons on cups site (will be prompted for login).

From the cupsd.conf man page

Require user {user-name|@group-name} ...

Specifies that an authenticated user must match one of the named users or be a member of one of the named groups. The group name "@SYSTEM" corresponds to the list of groups defined by the SystemGroup directive in the cups-files.conf(5) file.

tldr;

/etc/cupsd.conf give permissions to @SYSTEM.

/etc/cups-files.conf SystemGroup defines @SYSTEM.

Answer 2

Solved by adding the user with the cancel command to the sudoers file

sonex    ALL=(ALL)     NOPASSWD: /etc/bin/cancel -a *

seems that there somehow is no way to solve it through the config file to clear the whole printing jobs only for single ones