Re: [Desktop_printing] Role of CUPS and error handling

Michael Sweet mike at easysw.com
Fri Mar 24 06:47:23 PST 2006


Robert L Krawitz wrote:
>    From: Kurt Pfeifle <k1pfeifle at gmx.net>
>    Date: Fri, 24 Mar 2006 14:17:44 +0000
> 
>    That's fine with *me*, and probably with most people on this list.
>    But it is not good and *easy* enough for most Aunt Tillie users...
> 
>    Are you sure that all users who encounter a problem that stems from
>    SUSE's "RunAsUser" setting are immediately pointed to that website?
>    Are you also sure they follow the link? Are you sure they read it?
>    Are you sure they understand it?
> 
> I agree that I think it could be simplified, but that's another
> matter.  There are other ways of handling some of the details
> (e. g. create /etc/printcap in advance, owned by the user 'lp'), which
> can be worked out.
> 
>    The thing is: Once you overdo with "security", and make stuff too
>    difficult to cope with, users tend to switch off security altogether.
>    Which has then led to the defeat of the security expert's own goals
>    (Which begs the question: are security architects really interested
>    in creating better security in real life for end users? Or are some
>    security experts only erecting the technical security hurdles in order
>    to have a good excuse and wash their hands of it if it is just torn down?
>    (Mind you: I'm guilty of that sometimes too; it is a very comfortable
>    thing to tell the user "You should not have..." if you are tired of
>    dealing with the same challenge day-in, day-out...)
> 
>    Security is not just a technical challenge; it also has to do with
>    user psychology.
> 
>    On Friday 24 March 2006 12:26, Johannes Meixner wrote:
> 
>    > Choose what you prefer (choose exactly one):
>    > [ ] cupsd runs by default but not as root (which requires lppasswd)
>    > [ ] no cupsd running by default at all
>    > Note that it is about a general company security policy
>    > and not about what a few printing guys may think.
> 
>    That's what the company security politicians think; and what maybe
>    you and I think too.
> 
>    But what do your *users* think? "F*#ck! SUSE is too secure to let me
>    simply print!?!"
> 
> That's for SUSE to concern itself with.  Personally, I think choice is
> great.  If people decide they don't want to deal with the hassle,
> they're free to switch if they please.
> 
> Modern computers are very complicated systems, and the less that runs
> as root the better.  CUPS is a particularly complex service that among
> other things runs a variety of third party programs that may not have
> been audited for security.

... which is why those third-party filters are run as an unprivileged
user ("lp" by default) and why in CUPS 1.2 backends are run as the
unprivileged user if they have global read+execute permissions.

Running as an unprivileged user does not, by itself, provide that
much extra security.  It may limit the "damage" that can be done to
a system, but it can also open up other vulnerabilities due to the
reduced privilege separation offered by a single account.

In the case of CUPS 1.1.x, the "RunAsUser" feature actually offered
less security in many ways.  That coupled with the extreme loss of
functionality were the reasons for removing it from 1.2.

If SuSE uses SELinux in their distribution, they'll be able to run
CUPS either as root or "lp", and provide the necessary SELinux
policies to allow it to do what it needs to do, and no more.  They
can also run CUPS on an alternate port like 8631 - it'll kill
interoperability, but then they can run cupsd by default.

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com
Internet Printing and Document Software          http://www.easysw.com
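An added example (not part of the post or of CUPS itself): a POSIX shell audit that applies the CUPS 1.2 backend rule Michael describes, world read+execute means the backend runs as the unprivileged user, anything else means root, to a directory of backends and reports which ones would still run as root. The backend directory, file names and modes are constructed here; the real directory (assumed to be /usr/lib/cups/backend) is not read.

```shell
#!/bin/sh
# Classify CUPS backends by the CUPS 1.2 rule: a backend whose "other" bits
# include read+execute runs as the unprivileged user ("lp" by default);
# any other mode (e.g. 0700, root-owned) runs as root.

# backend_run_user FILE -> prints "lp" or "root"
backend_run_user() {
    # 10-character mode string from ls; characters 8-10 are the "other" bits.
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ???????r?x) echo lp ;;
        *)          echo root ;;
    esac
}

# audit_backends DIR -> prints "<name> <user>" for every regular file in DIR
audit_backends() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(basename "$f")" "$(backend_run_user "$f")"
    done
}

# count_root_backends DIR -> number of backends that would run as root
count_root_backends() {
    audit_backends "$1" | grep -c ' root$'
}

# Constructed sample directory standing in for the real backend directory
# (assumed to be /usr/lib/cups/backend on most installs; not touched here).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
: > "$DEMO_DIR/usb";    chmod 0755 "$DEMO_DIR/usb"     # other r-x -> lp
: > "$DEMO_DIR/socket"; chmod 0755 "$DEMO_DIR/socket"  # other r-x -> lp
: > "$DEMO_DIR/lpd";    chmod 0700 "$DEMO_DIR/lpd"     # owner only -> root
: > "$DEMO_DIR/smb";    chmod 0754 "$DEMO_DIR/smb"     # other r-- (no x) -> root

audit_backends "$DEMO_DIR"
echo "backends that would run as root: $(count_root_backends "$DEMO_DIR")"
```

Point it at the real backend directory to see which backends keep root on a given install; each root entry is one to justify or to chmod 0755 if it does not need the privilege.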
