[cups] installing and running CUPS as an unprivileged user
Jörg Thümmler
listen at vordruckleitverlag.de
Tue Jun 22 07:02:43 PDT 2021
Am 22.06.21 um 15:11 schrieb Matthias Apitz:
>
> Hello,
>
> The background of my question is, that our IT department does not want
> to give us (the development team) root or sudo access to our development
> SuSE Linux servers anymore.
>
> That's why we are undertaking currently an investigation how
> our Library Management System could be developed, deployed (also to customers)
> and started as an ordinary user (once the DBS PostgreSQL is started as root).
>
> There are still some open questions in our own software, but one mayor issue is
> CUPS itself. We are compiling CUPS from source with a destination directory
> which can be owned by an ordinary user, so in principle the deployment
> could be done that way. Ofc currently some files are set to be owned by
> root:lp and some dirs / spooling areas have special perms as well. Also the
> standard LISTEN port 631 could also only created by root.
>
> My question here to the group is: was such changes for CUPS already
> investigated and changes undertaken by CUPS implementers? Is it worth to
> follow such path or should we better say to IT: for CUPS no way (as for
> PostgreSQL or Sybase DBS).
>
> Thanks in advance for any comments or pointers.
>
> matthias (CUPS user since ages)
>
Hello,
as you mentioned: there are a lot of security issues with this idea.
I've never heard someone tryin' to circumvent root privileges at this
place. As printers are treated as (special) files you would have a lot
of problems to secure this. And as I think, you won't have the right to
create a special user with the rights to operate cups too, if you aren't
root. And operate this by ordinary user: I would say: never. Such a user
would need rights to write directly to special files, what is definitely
a horrible idea, imagine you have the dev/<disk> files here and other
devices...
It might be a bad but possible idea to create a special write_to_file
backend piping to real backends, what does not say, who creates the
devices for real printing.
You can create the spool dirs in users homedir (man 5 cups.files) and
you can try to build some autoconfiguring mechanism, which builds an
cups printer entry by using lpadmin from a own created "printers.conf"
but this mechanism will need root, at least "lp" privileges.
If there's no way to get root rights: someone must install the servers:
he shall by advised to install cups with cupsd.conf and cups.files
templates you created. You put all the privilege excalation things here,
so your unprivileged user can manage cups then. Ugly...
--
cu
jth
Death penalty in numbers:
==========================
PR of China: 1.900 million habitants / some 100 cases of death, more
hidden ones...???
Germany: 83 million habitants / 0 cases of death, there may be hidden
ones by secret services, but a few
More information about the cups
mailing list