AW: [Desktop_printing] Role of CUPS and error handling
k1pfeifle at gmx.net
Fri Mar 24 10:05:07 PST 2006
On Friday 24 March 2006 15:01, Johannes Meixner wrote:
> On Mar 24 14:17 Kurt Pfeifle wrote (shortened):
> > On Friday 24 March 2006 12:26, Johannes Meixner wrote:
> > > Do you mean the problems when cupsd runs as lp?
> > > If yes, please read
> > > http://en.opensuse.org/SDB:Printer_Configuration_from_SUSE_LINUX_9.0_on
> > > it is all explained there in detail.
> > That's fine with *me*, and probably with most people on this list.
> > But it is not good and *easy* enough for most Aunt Tillie users...
> > Are you sure that all users who encounter a problem that stems from
> > SUSE's "RunAsUser" setting are immediately pointed to that website?
> > Are you also sure they follow the link? Are you sure they read it?
> > Are you sure they understand it?
> The answers are: No, no, no, no.
> We know very well all (hopefully all) the drawbacks
> when cupsd runs without unlimited privilleges.
> Not only the drawbacks about anything which does no longer work
> when cupsd runs without unlimited privilleges but also the
> drawbacks when cupsd, filters and backends run as the same user.
> Obviously any service just works well out of the box when
> the service has unlimited privilleges - it is the nice warm
> Windows like feeling that "everything" just works out of the box.
> With "everything" I mean "everything", really "everything",
> in particular "everything" from "everywhere" ;-)
I didnt disagree with the fundamentals.
You didn't get my point. But I didn't really make it clear enough
either; sorry about that.
My point is: We need to make it much, much, much more easy for
users to find out why their current action fails, if they deal
with a cupsd running as non-root. They need to be guided to a
way how to resolve this.
My proposal to solve this is: ....
(in other words: nothing specific right now).
> Obviously unlimit ed privilleges is not in general a good
> solution to get something just work out of the box.
> If it is good or not to run cupsd by default with unlimited
> privilleges is and was discussed in deep detail.
> We decided not to run cupsd by default with unlimited privilleges.
> In CUPS 1.2 "RunAsUser" is gone and the discussion may start again.
> > > Note that it is about a general company security policy
> > > and not about what a few printing guys may think.
> > That's what the company security politicians think; and what maybe
> > you and I think too.
> > But what do your *users* think? "F*#ck! SUSE is too secure to let me
> > simply print!?!"
> I know that some of our users may think this.
> On the other hand:
> Only CUPS web-admin access fails without "lppasswd".
> The rest of the CUPS web frontend works.
> YaST or "lpadmin" do not need any "lppasswd" because any
> printing admin tool which runs as root on localhost works
> without any "lppasswd" command.
> Unfortunately some printing admin tools (KDE or Gnome or both,
> it has changed and I do not remember exactly) do not run by default
> as root on localhost but do CUPS authentication by default
> even if the tool is used to talk to the cupsd on localhost.
> Our manual only describes to use YaST or lpadmin to set up queues
> and it describes the "cupsd runs as lp" stuff and the "lppasswd".
> Obviously the "F*#ck! SUSE" users try to use a admin tool which
> fails and then they don't even try to use YaST or read our manuals
> or use our support database but complain to the public ;-)
> We do care about our users (perhaps we don't care about
> "F*#ck! SUSE" users) but we do care about our users.
I didn't mean to say SUSE users think "F*#ck! SUSE" as one word :-)
But rather, my example quote was meant to be 2 sentences. Let me
try once more:
SUSE is too secure to let me simply print!?!"
> If an experienced user does not like it, it is well described
> what he can do.
Yes, it is well described.
My point is: make it so that users in trouble do not even need to
hunt for that description (my bet is, that less than 1% even do
this, and a minority of them does succeed in finding it).
My suggestion is: ( )
A large majority of "experienced users" even do not succeed on their
own when they have trouble at this point. And *some* of these end up
in my mail box crying for help (not @ SUSE's helpdesk).
> Kind Regards
> Johannes Meixner
More information about the Printing-summit