[cups.development] permission of lpd, ipp, mdns changes

Michael R Sweet msweet at apple.com
Mon Nov 5 15:05:22 PST 2007


Doil Lee wrote:
> Hi,
> 
>>From Mac OS Leopard release, I've found that permission of lpd, ipp, mdns backends has been changed from 755 to 700. Is there any specific reason for the change?

Yes, beginning with CUPS 1.2, backends with world execute permissions
are run as the user "lp" (or "_lp", as is used on Leopard) while
backends without world execute permisssions are run as root.  This
further limits what is running as root while simultaneously preventing
users from running these backends (which require root access) directly.

The lpd backend needs root access to reserve a privileged IP source
port (a requirement of RFC 1179).

The IPP backend needs root access to access authentication
credentials, both the proxy kind introduced in CUPS 1.2 (username,
password, and domain) and Kerberos credentials which were introduced
in CUPS 1.3.

The mdns backend needs root access since it runs the lpd or IPP
(or socket) backends based on the type of connection supported by
the remote end.

-- 
______________________________________________________________________
Michael R Sweet                        Senior Printing System Engineer





More information about the cups-devel mailing list