[cups-devel] CUPS running on alternative port and alternative domain socket: Access via localhost restricted

Michael Sweet msweet at apple.com
Wed Oct 12 12:35:51 PDT 2016


Till,

> On Oct 11, 2016, at 10:57 PM, Till Kamppeter <till.kamppeter at gmail.com> wrote:
> ...
> Of the second CUPS daemon the web interface works correctly and all read-only operations with CUPS' command line tools work correctly, both with "-h localhost:10631" and with "-h /var/snap/cups/x1/var/run/cups.sock". But if one issues a command which changes something in the system, like cancelling jobs or creating print queues, this works only with "-h /var/snap/cups/x1/var/run/cups.sock" and not with "-h localhost:10631". Also to make cups-browsed working with this CUPS daemon one needs to make it use the domain socket and not localhost:10631 (note that cups-browsed creates queues). If you try to do these operations which change something via localhost:10631 you are asked for your password and if you do them as root (via "sudo") you are asked for the password of root. With the domain socket the very same operations get simply done (user is in "lpadmin" group).

More than likely PAM isn't allowing your snap-based CUPS install to authenticate against local user accounts (the error_log should say something).

> This means that an operation through "localhost:10631" needs the password from any user but the very same operation via domain socket needs no password. And the very standard cupsd on port 631 does not need the password in both cases.

There are some tricks that libcups uses to switch to the domain socket for local access when port 631 is specified, which would bypass PAM and the authentication stuff.  But the same will not happen when connecting to port 10631.

_________________________________________________________
Michael Sweet, Senior Printing System Engineer




More information about the cups-devel mailing list