On Thu 26 Aug 2021 at 11:31:30 -0400, Greg Wooledge wrote:

> On Thu, Aug 26, 2021 at 04:25:54PM +0100, Brian wrote:

[...]

> > I also forgot: after carrying out the corrected procedure, log out and
> > log back in.
>
> This is the part that I don't quite understand. How does that matter?

The system needs to be updated on the groups the user is in. CUPS will
consult it.

> Does the CUPS daemon connect to some already-running process of the
> user that you log into the web agent with? Does that mean you have to
> run the web browser *as* the user you plan to use for printer admin, not
> just log into the CUPS web agent with that user?
>
> That doesn't sound right, given the fact that you can log into the web
> agent as "root" without logging into Linux as root, or running the web
> browser as root.
>
> Given the above, I'd expect that the web agent spawns a brand new process
> as root, and then inside of that, it drops privileges down to the user
> that you specified.
>
> Unless "root" is a special hard-coded exception somehow...?

My understanding is:

1. Administration operations in CUPS require an administrator to
   authenticate.

2. An administrator is either the root user or a member of the lpadmin
   group. The group is distro-specific.

3. Either of the two previous users have to be authorised by
   username/password when the web interface is used. This is not the
   case for lpadmin use.

4. The browser is run as the user. Authentication to CUPS is a separate
   issue.

5. pam comes into this somewhere, but I give up at that point.

-- 
Brian.