
Re: CUPS permissions



On Thu, Aug 26, 2021 at 11:31:30AM -0400, Greg Wooledge wrote:
> On Thu, Aug 26, 2021 at 04:25:54PM +0100, Brian wrote:
> > On Thu 26 Aug 2021 at 10:56:55 -0400, Greg Wooledge wrote:
> > 
> > > On Thu, Aug 26, 2021 at 03:49:23PM +0100, Brian wrote:
> > > > On Thu 26 Aug 2021 at 06:18:21 -0700, Peter Ehlert wrote:
> > > > 
> > > > [...]
> > > > 
> > > > > > It would be useful to have the outputs of
> > > > > > 
> > > > > >    groups
> > > > > $ groups
> > > > > peter cdrom floppy audio dip video plugdev netdev
> > > > > > 
> > > > > > and
> > > > > > 
> > > > > >    grep SystemGroup /etc/cups/cups-files.conf
> > > > > $ grep SystemGroup /etc/cups/cups-files.conf
> > > > > SystemGroup lpadmin
> > > > > > 
> > > > > > from the OP.
> > > > 
> > > > Follow Keith Bainbridge's advice and add your user to the lpadmin
> > > > group. Edit /etc/group and /etc/group- to do this. I would use 'vigr'
> > > > and 'vigr -s'.
> > > 
> > > Near as I can tell, /etc/group- is simply a backup copy of /etc/group
> > > and shouldn't be edited.  You might be thinking of /etc/gshadow, which
> > > has something to do with group passwords, which are a thing I have *never*
> > > dealt with in my entire life.
> > 
> > I also forgot: after carrying out the corrected procedure, log out and
> > log back in.

_DON'T_ edit groups / shadow password files by hand unless really, absolutely 
necessary - the potential for mistakes is too high.

adduser [username] lpadmin as root/root equivalent using sudo is all that's 
needed. 

You don't need to reboot to do this: but you might need to log out/log back
in to pick up the added/changed groups for the user. 
> 
> This is the part that I don't quite understand.  How does that matter?
> Does the CUPS daemon connect to some already-running process of the
> user that you log into the web agent with?  Does that mean you have to
> run the web browser *as* the user you plan to use for printer admin, not
> just log into the CUPS web agent with that user?
> 
> That doesn't sound right, given the fact that you can log into the web
> agent as "root" without logging into Linux as root, or running the web
> browser as root.
> 
> Given the above, I'd expect that the web agent spawns a brand new process
> as root, and then inside of that, it drops privileges down to the user
> that you specified.
> 
> Unless "root" is a special hard-coded exception somehow...?
> 

All best, as ever,

Andy Cater
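
An added example, not part of the original message: a small shell check that compares the groups on the SystemGroup line with a user's groups in the group database and with the groups of the current login session, the distinction behind "log out/log back in". The function names are hypothetical; the sample values are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Sample values are the ones quoted above.

# Print every group named on a SystemGroup line of a cups-files.conf ($1).
# The directive accepts several groups; commented-out lines are skipped.
cups_system_groups() {
    awk 'tolower($1) == "systemgroup" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Succeed if any group in list $1 also appears in list $2 (space separated).
has_any_group() {
    for want in $1; do
        for have in $2; do
            [ "$want" = "$have" ] && return 0
        done
    done
    return 1
}

# $1 = CUPS system groups, $2 = user's groups in the group database,
# $3 = groups of the current login session.
# Prints: missing (not a member), relogin (member, session is stale), or ok.
cups_admin_status() {
    if ! has_any_group "$1" "$2"; then
        echo missing
    elif ! has_any_group "$1" "$3"; then
        echo relogin
    else
        echo ok
    fi
}

# Constructed walk-through using the outputs posted in the thread.
demo() {
    conf=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' 'SystemGroup lpadmin' > "$conf"
    sys=$(cups_system_groups "$conf")
    rm -f "$conf"
    session='peter cdrom floppy audio dip video plugdev netdev'
    echo "before adduser: $(cups_admin_status "$sys" "$session" "$session")"
    echo "after adduser:  $(cups_admin_status "$sys" "$session lpadmin" "$session")"
    echo "after re-login: $(cups_admin_status "$sys" "$session lpadmin" "$session lpadmin")"
}
demo

# On a live system (id -nG USER reads the database, bare id -nG the session):
# cups_admin_status "$(cups_system_groups /etc/cups/cups-files.conf)" \
#     "$(id -nG "$USER")" "$(id -nG)"
```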

