
Re: CUPS permissions



On Thu, Aug 26, 2021 at 04:25:54PM +0100, Brian wrote:
> On Thu 26 Aug 2021 at 10:56:55 -0400, Greg Wooledge wrote:
> 
> > On Thu, Aug 26, 2021 at 03:49:23PM +0100, Brian wrote:
> > > On Thu 26 Aug 2021 at 06:18:21 -0700, Peter Ehlert wrote:
> > > 
> > > [...]
> > > 
> > > > > It would be useful to have the outputs of
> > > > > 
> > > > >    groups
> > > > $ groups
> > > > peter cdrom floppy audio dip video plugdev netdev
> > > > > 
> > > > > and
> > > > > 
> > > > >    grep SystemGroup /etc/cups/cups-files.conf
> > > > $ grep SystemGroup /etc/cups/cups-files.conf
> > > > SystemGroup lpadmin
> > > > > 
> > > > > from the OP.
> > > 
> > > Follow Keith Bainbridge's advice and add your user to the lpadmin
> > > group. Edit /etc/group and /etc/group- to do this. I would use 'vigr'
> > > and 'vigr -s'.
> > 
> > Near as I can tell, /etc/group- is simply a backup copy of /etc/group
> > and shouldn't be edited.  You might be thinking of /etc/gshadow, which
> > has something to do with group passwords, which are a thing I have *never*
> > dealt with in my entire life.
> 
> I also forgot: after carrying out the corrected procedure, log out and
> log back in.

This is the part that I don't quite understand.  How does that matter?
Does the CUPS daemon connect to some already-running process of the
user that you log into the web agent with?  Does that mean you have to
run the web browser *as* the user you plan to use for printer admin, not
just log into the CUPS web agent with that user?

That doesn't sound right, given the fact that you can log into the web
agent as "root" without logging into Linux as root, or running the web
browser as root.

Given the above, I'd expect that the web agent spawns a brand new process
as root, and then inside of that, it drops privileges down to the user
that you specified.

Unless "root" is a special hard-coded exception somehow...?
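
The two checks requested earlier in the thread (the SystemGroup line in cups-files.conf and the user's group list), combined into one script. This is an added example, not part of any poster's message. It reads membership from a group(5)-format file rather than from the `groups` output of the current login session. The function names and sample files are constructed for illustration, and a user's primary group (the GID in /etc/passwd) is not considered.

```shell
#!/bin/sh
# Added example: hypothetical helper names, constructed sample data.

# system_groups CONF: print every group named on a SystemGroup line
# (the directive accepts more than one group name).
system_groups() {
    awk '$1 == "SystemGroup" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# in_group_db USER GROUP GROUPFILE: succeed if USER appears in the member
# list (4th colon-separated field) of GROUP in a group(5)-format file.
in_group_db() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$3"
}

# can_admin USER CONF GROUPFILE: print the first SystemGroup that lists USER,
# or return non-zero if none does.
can_admin() {
    for g in $(system_groups "$2"); do
        if in_group_db "$1" "$g" "$3"; then
            printf '%s\n' "$g"
            return 0
        fi
    done
    return 1
}

# Constructed sample files modelled on the outputs quoted in the thread:
# the group file before and after adding the user to lpadmin.
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sample' 'SystemGroup lpadmin' > "$demo_dir/cups-files.conf"
printf '%s\n' 'lpadmin:x:113:' 'plugdev:x:46:peter' > "$demo_dir/group.before"
printf '%s\n' 'lpadmin:x:113:peter' 'plugdev:x:46:peter' > "$demo_dir/group.after"

can_admin peter "$demo_dir/cups-files.conf" "$demo_dir/group.before" \
    || echo "before: peter is in no SystemGroup"
echo "after: peter is in $(can_admin peter "$demo_dir/cups-files.conf" "$demo_dir/group.after")"
```

On a real system the arguments would be /etc/cups/cups-files.conf and /etc/group; `id -Gn` with no argument shows the groups of the current session instead.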

