[cups.general] cupsd and the /etc/cups/certs directory
Michael Sweet
mike at easysw.com
Tue Dec 21 08:40:59 PST 2004
Marc Balmer wrote:
> I see that cupsd creates files in /etc/cups/certs. What are these files
> needed for?

These are the local authentication certificates created to allow
users in the SystemGroup and CGI programs to obtain their cached
credentials when accessing the local server.

Basically, programs that use the CUPS API will look at this directory
when authenticating for localhost; first the process ID is looked up,
then "0" (root/system group), and then the traditional password
prompt is used.

The root certificate (/etc/cups/certs/0) is refreshed periodically
(by default every 5 minutes) and is owned by user root and the first
group listed as a SystemGroup. This allows administrative users to
authenticate without a password.

Every time a CGI program is executed with authentication, a
temporary certificate is generated so that the CGI programs can
authenticate as the same user. The certificates are revoked
(deleted) when the CGI program exits.

The certificates themselves are 128-bit random numbers; the
association between certificate and username is stored in memory
only, so the security is as good as the underlying OS.
--
______________________________________________________________________
Michael Sweet, Easy Software Products mike at easysw dot com
Internet Printing and Publishing Software http://www.easysw.com
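
Added example, not part of the original message and not CUPS code: a Python audit of a certs directory against the properties described above (file names that are a process ID or "0", a root certificate owned by root and the SystemGroup and refreshed on schedule, per-process certificates deleted on exit). The function names, the "no access for other users" check and the 2x refresh slack are assumptions of this sketch.

```python
import os
import re
import stat
import time

ROOT_CERT = "0"        # certificate name for root / the system group
DEFAULT_REFRESH = 300  # seconds; the message gives 5 minutes as the default


def pid_alive(pid):
    """Return True if a process with this PID currently exists."""
    try:
        os.kill(pid, 0)            # signal 0 only tests for existence
    except (ProcessLookupError, OverflowError):
        return False
    except PermissionError:
        return True                # exists, but belongs to another user
    return True


def audit_certs(path, system_gid, owner_uid=0, refresh=DEFAULT_REFRESH,
                now=None, alive=pid_alive):
    """Return sorted (filename, problem) findings for a certs directory."""
    now = time.time() if now is None else now
    names = sorted(os.listdir(path))
    findings = []
    if ROOT_CERT not in names:
        findings.append((ROOT_CERT, "root certificate missing"))
    for name in names:
        st = os.lstat(os.path.join(path, name))
        # Certificates are named after a PID, or "0" for the root certificate.
        if not re.fullmatch(r"0|[1-9][0-9]*", name) or not stat.S_ISREG(st.st_mode):
            findings.append((name, "unexpected entry"))
            continue
        # Assumed policy: whoever can read the file can authenticate with it.
        if st.st_mode & stat.S_IRWXO:
            findings.append((name, "accessible to other users"))
        if name == ROOT_CERT:
            if st.st_uid != owner_uid:
                findings.append((name, "wrong owner"))
            if st.st_gid != system_gid:
                findings.append((name, "group is not the SystemGroup"))
            if now - st.st_mtime > 2 * refresh:   # 2x = slack, an assumption
                findings.append((name, "not refreshed recently"))
        elif not alive(int(name)):
            # Per-process certificates should be deleted when the CGI exits.
            findings.append((name, "process gone, certificate left behind"))
    return sorted(findings)
```

Run it as root against /etc/cups/certs, passing the numeric group ID of the first SystemGroup from the cupsd configuration as system_gid.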