mike at easysw.com
Thu Jul 29 07:01:36 PDT 2004
Troels Arvin wrote:
> Why does cupsd run as root? - Couldn't it change to a dedicated user
> after having aquired the relevant port(s)? ntpd, named, and others do
> I want to run cupsd as a non-root user to minimize the impact if a
> security hole is found in Cups.
First, RTFM. The "RunAsUser" option does this, however it is not
enabled by default for some very good reasons; when "RunAsUser" is
1. All filters and backends have write access to the
configuration files in /etc/cups, spool files in
/var/spool/cups, and log files in /var/log/cups,
2. The LPD backend is unable to reserve a priviledged port,
which disables printing to some LPD printers and print
3. You have to provide write access for the "lp" user and/or
"sys" group to all parallel, USB, serial, and SCSI devices
that you use. This may open additional security holes.
4. The scheduler (cupsd) cannot be restarted without killing
the process and starting it again if you listen on a
priviledged port like the default port 631; this means that
SIGHUP and remote updates of cupsd.conf will not work,
resulting in more down time when you make configuration
In short, you lose functionality and have the possibility of a
vulnerable filter or backend trashing your print server
The CUPS programs that run as root, along with the CUPS API which
they use, have been audited nearly a dozen times over the past
several years. In addition, the last security advisory that could
provide a root exploit was reported against CUPS 1.1.14, which was
released 2.5 years ago...
The CUPS filters have received much less auditing, and so it is
more likely that an attacker could use a vulnerability in those
programs to disrupt your CUPS server when you use the "RunAsUser"
You can run cupsd in either mode, but my personal recommendation
is to not run with the "RunAsUser" mode.
In the future, we hope to leverage the selinux stuff to provide
the best of both worlds: don't run as root, but still be able
to change to other users (perhaps "lpfilter" and "lpbackend")
and reserve priviledged ports so that you don't lose the
functionality and don't open yourself up to additional exploits
when using "RunAsUser" or its successor.
Michael Sweet, Easy Software Products mike at easysw dot com
Printing Software for UNIX http://www.easysw.com
More information about the cups