[cups.general] Q. Proper way to startup cupsd as a non-root user asopposed to debian hacks?

Michael Sweet mike at easysw.com
Tue Jun 6 08:20:58 PDT 2006 

wtautz wrote:
> Michael, Does cups allow running as a non-root user? Obviously
> I know I could just start it up as a non-root user but that clearly
> implies it would have limited capabilities from the start.
> 
> Most daemons that run as a non-root user usually start up
> as root and then exec a child with lesser priviledges *after*
> they checked things like permissions and the like.

Actually, it is a crap shoot whether the daemon will do this
for you, however for CUPS we MUST run as root in order to do
many common things.  As I covered in my presentation at the
Linux Printing Summit this year, running as an unprivileged
user is actually *less* secure with CUPS, as you lose the
privilege separation between scheduler and filters which have
a lot less auditing done on them...

> The debian boys have hardwired the userid cupsys into
> the code. It would be nice if there were a way to do this
> in a cleaner way using your original source. Perhaps a compile
> time define or perhaps the USER variable could be used to
> identify the userid that cupsd should run as? I know
> you've deprecated RunAsUser but....

We aren't going to bring back RunAsUser.  All of the Linux distros
already provide helper functions for their init scripts to run as
a different user, I suggest you look there if you really want to
cripple your CUPS install.  You will also need to update the
/etc/services file on every system that wants to print with the
new port number for the IPP service...

FWIW, the following will not work if you don't run as root:

     1. Printing and browsing on port 631 (or any port < 1024)
     2. Automatic root authentication via certificates.
     3. Proxy authentication support (you'll need to hardcode
        usernames and passwords in your device URIs again).
     4. Local account authentication via PAM (although I've
        heard there is now a workaround for this by adding the
        user you run cupsd as to a PAM group)
     5. LPD printing support.
     6. Legacy client support via /etc/printcap and
        /etc/printers.conf. This kills printing from GNOME apps
        on Solaris 10, for example.
     7. (future) Kerberos support.

You are also leaving yourself open to filter-based attacks because
of the loss of privilege separation.

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com
Internet Printing and Document Software          http://www.easysw.com

More information about the cups mailing list