[cups] installing and running CUPS as an unprivileged user

Jörg Thümmler listen at vordruckleitverlag.de
Tue Jun 22 07:02:43 PDT 2021 

Am 22.06.21 um 15:11 schrieb Matthias Apitz:
> 
> Hello,
> 
> The background of my question is, that our IT department does not want
> to give us (the development team) root or sudo access to our development
> SuSE Linux servers anymore.
> 
> That's why we are undertaking currently an investigation how
> our Library Management System could be developed, deployed (also to customers)
> and started as an ordinary user (once the DBS PostgreSQL is started as root).
> 
> There are still some open questions in our own software, but one mayor issue is
> CUPS itself. We are compiling CUPS from source with a destination directory
> which can be owned by an ordinary user, so in principle the deployment
> could be done that way. Ofc currently some files are set to be owned by
> root:lp and some dirs / spooling areas have special perms as well. Also the
> standard LISTEN port 631 could also only created by root.
> 
> My question here to the group is: was such changes for CUPS already
> investigated and changes undertaken by CUPS implementers? Is it worth to
> follow such path or should we better say to IT: for CUPS no way (as for
> PostgreSQL or Sybase DBS).
> 
> Thanks in advance for any comments or pointers.
> 
> 	matthias (CUPS user since ages)
> 

Hello,

as you mentioned: there are a lot of security issues with this idea. 
I've never heard someone tryin' to circumvent root privileges at this 
place. As printers are treated as (special) files you would have a lot 
of problems to secure this. And as I think, you won't have the right to 
create a special user with the rights to operate cups too, if you aren't 
root. And operate this by ordinary user: I would say: never. Such a user 
would need rights to write directly to special files, what is definitely 
a horrible idea, imagine you have the dev/<disk> files here and other 
devices...

It might be a bad but possible idea to create a special write_to_file 
backend piping to real backends, what does not say, who creates the 
devices for real printing.

You can create the spool dirs in users homedir (man 5 cups.files) and 
you can try to build some autoconfiguring mechanism, which builds an 
cups printer entry by using lpadmin from a own created "printers.conf" 
but this mechanism will need root, at least "lp" privileges.

If there's no way to get root rights: someone must install the servers: 
he shall by advised to install cups with cupsd.conf and cups.files 
templates you created. You put all the privilege excalation things here, 
so your unprivileged user can manage cups then. Ugly...

-- 
cu

jth

Death penalty in numbers:
==========================
PR of China: 1.900 million habitants  / some 100 cases of death, more 
hidden ones...???

Germany: 83 million habitants / 0 cases of death, there may be hidden 
ones by secret services, but a few

More information about the cups mailing list