Re: CUPS permissions
On Thu 26 Aug 2021 at 11:31:30 -0400, Greg Wooledge wrote:
> On Thu, Aug 26, 2021 at 04:25:54PM +0100, Brian wrote:
[...]
> > I also forgot: after carrying out the corrected procedure, log out and
> > log back in.
>
> This is the part that I don't quite understand. How does that matter?

The system needs to be updated on the groups the user is in. CUPS will
consult it.

> Does the CUPS daemon connect to some already-running process of the
> user that you log into the web agent with? Does that mean you have to
> run the web browser *as* the user you plan to use for printer admin, not
> just log into the CUPS web agent with that user?
>
> That doesn't sound right, given the fact that you can log into the web
> agent as "root" without logging into Linux as root, or running the web
> browser as root.
>
> Given the above, I'd expect that the web agent spawns a brand new process
> as root, and then inside of that, it drops privileges down to the user
> that you specified.
>
> Unless "root" is a special hard-coded exception somehow...?

My understanding is:

1. Administration operations in CUPS require an administrator to
authenticate.
2. An administrator is either the root user or a member of the
lpadmin group. The group is distro-specific.
3. Either of the two previous users has to be authorised by
username/password when the web interface is used. This is not
the case for lpadmin use.
4. The browser is run as the user. Authentication to CUPS is a
separate issue.
5. PAM comes into this somewhere, but I give up at that point.
--
Brian.
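
What logging out and back in changes on the Linux side, as an added example that is not part of the original messages: a process's supplementary groups are fixed when its session starts, while the group database reflects an edit at once. The script compares the two for the current user; the group name lpadmin comes from the message above, the function names are illustrative, and it shows only the session and database views, not how cupsd performs its own check.

```python
import grp
import os
import pwd


def database_gids(username, primary_gid, groups=None):
    """GIDs the group database assigns to username right now."""
    groups = grp.getgrall() if groups is None else groups
    gids = {primary_gid}
    for entry in groups:
        if username in entry.gr_mem:
            gids.add(entry.gr_gid)
    return gids


def compare(session_gids, db_gids):
    """Split GIDs into those awaiting a new login and those only in the session."""
    session_gids, db_gids = set(session_gids), set(db_gids)
    return {
        "pending_login": db_gids - session_gids,  # added to the database after login
        "session_only": session_gids - db_gids,   # removed from the database after login
    }


def report(group_name="lpadmin"):
    """Describe the current process's view of group_name, or None if unknown."""
    try:
        user = pwd.getpwuid(os.getuid())
        target = grp.getgrnam(group_name)
    except KeyError:
        return None  # no passwd entry for this UID, or the group does not exist
    # Groups carried by this process, inherited from the login session.
    session = set(os.getgroups()) | {os.getegid()}
    db = database_gids(user.pw_name, user.pw_gid)
    diff = compare(session, db)
    return {
        "user": user.pw_name,
        "in_database": target.gr_gid in db,
        "in_session": target.gr_gid in session,
        "needs_new_login": target.gr_gid in diff["pending_login"],
    }


if __name__ == "__main__":
    print(report())
```

Run it in a shell opened before the user was added to the group and again after a fresh login to see `needs_new_login` change.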