Datasheet
“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 306 — #332
i
i
i
i
i
i
i
i
13.6.2 Changes in the CUPS Print Service (cupsd)
There are three significant changes in the CUPS print service:
cupsd runs as the user lp.
Generalized functionality for BrowseAllow and BrowseDeny.
cupsd is activated by default.
For more information about these changes, see the Support Database article
“Printer Configuration from SUSE LINUX 9.0 on” at http://portal.
suse.com/sdb/en/2003/09/jsmeix_print-einrichten-90.html.
cupsd Runs as the User lp
On start-up, cupsd changes from the user root to the user lp. This pro-
vides a much higher level of security, as the CUPS print service does not
run with unrestricted permissions, but only with the permissions needed
for the print service.
However, the authentication (more precisely: the password check) cannot
be performed via /etc/shadow, as lp has no access to /etc/shadow.
Instead, the CUPS-specific authentication via /etc/cups/passwd.md5
must be used. For this purpose, a CUPS administrator with the CUPS
administration group sys and a CUPS password must be entered in
/etc/cups/passwd.md5. To do this, enter the following as root:
lppasswd -g sys -a <CUPS-admin-name>
When cupsd runs as lp, /etc/printcap cannot be generated, as lp is
not permitted to create files in /etc/. Therefore, cupsd generates /etc/
cups/printcap. To ensure that applications that can only read queue
names from /etc/printcap continue to work properly, /etc/printcap
is a symbolic link pointing to /etc/cups/printcap.
When cupsd runs as lp, port 631 cannot be opened. Therefore, cupsd
can no longer be reloaded with rccups reload. Use rccups restart
instead.
306 13.6. Special Features in SUSE LINUX