[cups.general] Q. Proper way to startup cupsd as a non-root user as opposed to debian hacks?
Michael Sweet
mike at easysw.com
Tue Jun 6 11:19:13 PDT 2006
wtautz wrote:
> ...
>> FWIW, the following will not work if you don't run as root:
>>
>> 1. Printing and browsing on port 631 (or any port < 1024)
>> 2. Automatic root authentication via certificates.
>> 3. Proxy authentication support (you'll need to hardcode
>> usernames and passwords in your device URIs again).
>> 4. Local account authentication via PAM (although I've
>> heard there is now a workaround for this by adding the
>> user you run cupsd as to a PAM group)
>> 5. LPD printing support.
>> 6. Legacy client support via /etc/printcap and
>> /etc/printers.conf. This kills printing from GNOME apps
>> on Solaris 10, for example.
>> 7. (future) Kerberos support.
>>
> Yes. Number 5 is a problem for me. This is why I gave up on Ubuntu for
> the server. Thanks for the other info. I guess the real issue is
> security in general, i.e., we must have some process running as root
> and assuming there aren't any outright bugs in that process one should
> use some kind of external tool to provide further security. Perhaps a
> chroot? Or SELinux?
Fedora Core and Red Hat Enterprise Linux already provide a CUPS
policy (for SELinux) that provides additional (sometimes too much! :)
protection/insurance on top of the built-in cupsd security measures
and privilege separation. I believe the current Fedora Core policies
are up-to-date for CUPS 1.2 - not sure about RHEL though...
--
______________________________________________________________________
Michael Sweet, Easy Software Products mike at easysw dot com
Internet Printing and Document Software http://www.easysw.com