[cups] Running CUPS backends (e.g., IPP) as non-root
Brian Norris
computersforpeace at gmail.com
Thu Feb 11 14:37:24 PST 2016
Hi,
I'm looking at running cupsd as a non-root, sandboxed process on Linux,
and I'm stumbling across the problem of the IPP backend
(/usr/libexec/cups/backend/ipp) being restricted to only run as root
(permissions are 700). I see that some piece of my question has been
addressed previously:
https://www.cups.org/pipermail/cups-devel/2012-April/013673.html
But is that still the status quo? It seems like the question of
privileges is somewhat orthogonal to the question of "am I running as
root." With (e.g.) modern Linux capabilities, it's possible to not be
root, yet still be granted sufficient permissions to get privileged
ports.
I realize I could hack around this myself in various ways (e.g, 'chmod
755 /usr/libexec/cups/backend/foo'), but I wanted to see if you were
considering alternatives to this permissions-based check. For instance,
instead of saying "Backends are run either as a non-privileged user or
as root if the file permissions do not allow user or group execution"
[1], we could instead make this configurable (e.g., in cupsd.conf).
Regards,
Brian
[1] http://www.cups.org/documentation.php/api-filter.html#OVERVIEW
More information about the cups
mailing list