New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support supplementary groups for filters/backends/helper programs #5236
Comments
Considering for a future CUPS release. |
scheduler/util.c is only used by the cupsd helper programs. Any group mapping needs to probably happen in cups-exec.c. Anyways, the whole printer driver interface is deprecated, and we can't see adding more functionality here as the whole shebang is going to be dropped. |
Thank you for responding to the request. Does the deprecation extend to all uses of the User and Group from cups-files.conf? Will the initial issue still exist with 2.3.x and if so how would you recommend solving it. |
@loqs Ultimately we don't know for sure whether the new cupsd (after 2.3.x) will depend on external programs, although this seems likely at least for security reasons. We can revisit pulling in the supplemental groups at that time, but right now we are not comfortable introducing it for drivers when those drivers are going away. WRT the group ID being different between the build and execution systems (which IMHO is insane for a system group), since CUPS uses the group name the numeric value at build time should not matter. Use the name, not the ID, in any configuration files. And stick with a system group that is part of the OS install and consistent across systems, not a group that is created when a package is installed. |
cups 2.2.6
In cups-files.conf
user cups is also a member of the lp group to allow access to local devices.
However cups backends are called with only the uid and git set without setting the additional groups
so backends that are not executed as root such as the usb backend only have acess to group cups and not the additional group lp preventing the access of devices owned root:lp
Downstream bug report that lead to encountering this issue https://bugs.archlinux.org/task/56818#comment165778
Changing
cups/scheduler/util.c
Line 303 in 58c3683
Adds the additional groups the restricted user is a member of and allows the usb backend to find a new usb printer. No additional testing was done.
Can additional group support please be added for supplementary groups.
The text was updated successfully, but these errors were encountered: