[cups] Running CUPS backends (e.g., IPP) as non-root

Michael Sweet msweet at apple.com
Fri Feb 12 13:51:43 PST 2016


Brian,

> On Feb 11, 2016, at 2:37 PM, Brian Norris <computersforpeace at gmail.com> wrote:
> 
> Hi,
> 
> I'm looking at running cupsd as a non-root, sandboxed process on Linux,
> and I'm stumbling across the problem of the IPP backend
> (/usr/libexec/cups/backend/ipp) being restricted to only run as root
> (permissions are 700). I see that some piece of my question has been
> addressed previously:
> 
> https://www.cups.org/pipermail/cups-devel/2012-April/013673.html
> 
> But is that still the status quo? It seems like the question of
> privileges is somewhat orthogonal to the question of "am I running as
> root." With (e.g.) modern Linux capabilities, it's possible to not be
> root, yet still be granted sufficient permissions to get privileged
> ports.

In the case of the IPP backend, it is not about privileged ports but about having access to user credentials as root.

Recent versions of CUPS (since 2.0) support the backend with group read/execute (just not world read/execute).

> I realize I could hack around this myself in various ways (e.g., 'chmod
> 755 /usr/libexec/cups/backend/foo'), but I wanted to see if you were
> considering alternatives to this permissions-based check. For instance,
> instead of saying "Backends are run either as a non-privileged user or
> as root if the file permissions do not allow user or group execution"
> [1], we could instead make this configurable (e.g., in cupsd.conf).

That itself would open up a security hole; conceptually it could be in the cups-files.conf file, but that still requires local configuration changes.

Another option is to provide your own backend (which could be mostly-a-copy of the standard IPP backend) that you run instead, or just make your IPP calls directly from the program that is using the IPP backend.  Heck, you could even use ipptool for this...

_________________________________________________________
Michael Sweet, Senior Printing System Engineer
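The permission rule this thread turns on (a backend with no world execute bit, such as the 700 ipp backend, is run as root; a world-executable one is run as the unprivileged CUPS user; since 2.0, 750 is accepted and still runs as root) is easy to misread when someone applies the chmod 755 workaround and silently drops a backend's privileges. Below is an added audit script, not code from CUPS or from either poster, that encodes that rule as I read it from the thread and reports which backends in a directory would run as root versus unprivileged, plus any drift from a constructed baseline of what the packaged backends are expected to be. The directory layout, the sample backend names and modes, and the baseline dictionary are all constructed here for illustration; on a real host you would point `audit_backend_dir` at the actual backend directory.

```python
"""Audit CUPS backend permissions: which ones will run as root?

Rule assumed from the cups-devel thread (my reading, not CUPS source):
  - owner-only execute (0700)        -> backend is run as root
  - owner+group execute (0750)       -> still run as root (CUPS 2.0+)
  - world execute set (0755 etc.)    -> run as the unprivileged CUPS user
"""
import os
import stat
import tempfile


def classify_mode(mode: int) -> str:
    """Map a file mode to the user CUPS would run the backend as."""
    perm = stat.S_IMODE(mode)
    if perm & stat.S_IXOTH:
        # World-executable: CUPS drops privileges before exec'ing it.
        return "unprivileged"
    # No world execute bit: CUPS keeps root so the backend can read
    # per-user credentials (the reason the ipp backend ships as 0700).
    return "root"


def audit_backend_dir(path: str) -> dict:
    """Return {backend_name: "root" | "unprivileged"} for regular files in path."""
    results = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)
        if not stat.S_ISREG(st.st_mode):
            continue  # skip symlinks, directories, sockets
        results[name] = classify_mode(st.st_mode)
    return results


def find_drift(results: dict, baseline: dict) -> dict:
    """Backends whose effective privilege differs from the expected baseline.

    A backend that the baseline expects to run as root but that is now
    world-executable is the footprint of the 'chmod 755' workaround.
    """
    return {
        name: (baseline[name], results[name])
        for name in baseline
        if name in results and results[name] != baseline[name]
    }


def build_sample_dir() -> str:
    """Constructed stand-in for a backend directory, for offline demonstration."""
    d = tempfile.mkdtemp(prefix="cups-backend-audit-")
    samples = (("ipp", 0o700), ("lpd", 0o750), ("usb", 0o755), ("socket", 0o755))
    for name, mode in samples:
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")  # placeholder body, never executed
        os.chmod(p, mode)
    return d


# Constructed baseline: what the packaged permissions are expected to imply.
# In this sample, 'usb' is expected to run as root but is 0755 on disk.
EXPECTED_BASELINE = {"ipp": "root", "lpd": "root", "usb": "root", "socket": "unprivileged"}


if __name__ == "__main__":
    sample = build_sample_dir()
    found = audit_backend_dir(sample)
    for backend, who in found.items():
        print(f"{backend:10s} runs as {who}")
    for backend, (want, got) in find_drift(found, EXPECTED_BASELINE).items():
        print(f"DRIFT: {backend} expected {want}, effective {got}")
```

Run as a script it prints one line per backend and a DRIFT line for the constructed `usb` entry; imported, `classify_mode`, `audit_backend_dir` and `find_drift` can be pointed at a real backend directory and a baseline taken from the distribution package.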