AW: [Desktop_printing] Role of CUPS and error handling

Kurt Pfeifle k1pfeifle at gmx.net
Fri Mar 24 10:05:07 PST 2006 

On Friday 24 March 2006 15:01, Johannes Meixner wrote:
> 
> Hello,
> 
> On Mar 24 14:17 Kurt Pfeifle wrote (shortened):
> > On Friday 24 March 2006 12:26, Johannes Meixner wrote:
> > > Do you mean the problems when cupsd runs as lp?
> > > If yes, please read
> > > http://en.opensuse.org/SDB:Printer_Configuration_from_SUSE_LINUX_9.0_on
> > > it is all explained there in detail.
> > 
> > That's fine with *me*, and probably with most people on this list.
> > But it is not good and *easy* enough for most Aunt Tillie users...
> > 
> > Are you sure that all users who encounter a problem that stems from
> > SUSE's "RunAsUser" setting are immediately pointed to that website?
> > Are you also sure they follow the link? Are you sure they read it?
> > Are you sure they understand it?
> 
> The answers are: No, no, no, no.
> 
> We know very well all (hopefully all) the drawbacks
> when cupsd runs without unlimited privilleges.
> 
> Not only the drawbacks about anything which does no longer work
> when cupsd runs without unlimited privilleges but also the
> drawbacks when cupsd, filters and backends run as the same user.
> 
> Obviously any service just works well out of the box when
> the service has unlimited privilleges - it is the nice warm
> Windows like feeling that "everything" just works out of the box.
> With "everything" I mean "everything", really "everything",
> in particular "everything" from "everywhere" ;-)

I didnt disagree with the fundamentals.

You didn't get my point. But I didn't really make it clear enough
either; sorry about that.

My point is: We need to make it much, much, much more easy for
users to find out why their current action fails, if they deal
with a cupsd running as non-root. They need to be guided to a
way how to resolve this.

My proposal to solve this is: .... 

     (in other words: nothing specific right now).

> Obviously unlimit ed privilleges is not in general a good 
> solution to get something just work out of the box.
> 
> If it is good or not to run cupsd by default with unlimited
> privilleges is and was discussed in deep detail.
> We decided not to run cupsd by default with unlimited privilleges.
> In CUPS 1.2 "RunAsUser" is gone and the discussion may start again.
> 
> 
> > > Note that it is about a general company security policy
> > > and not about what a few printing guys may think.
> > 
> > That's what the company security politicians think; and what maybe
> > you and I think too.
> > 
> > But what do your *users* think? "F*#ck! SUSE is too secure to let me
> > simply print!?!"
> 
> I know that some of our users may think this.
> 
> On the other hand:
> 
> Only CUPS web-admin access fails without "lppasswd".
> The rest of the CUPS web frontend works.
> YaST or "lpadmin" do not need any "lppasswd" because any
> printing admin tool which runs as root on localhost works
> without any "lppasswd" command.
> Unfortunately some printing admin tools (KDE or Gnome or both,
> it has changed and I do not remember exactly) do not run by default
> as root on localhost but do CUPS authentication by default 
> even if the tool is used to talk to the cupsd on localhost.
> Our manual only describes to use YaST or lpadmin to set up queues
> and it describes the "cupsd runs as lp" stuff and the "lppasswd".
> Obviously the "F*#ck! SUSE" users try to use a admin tool which
> fails and then they don't even try to use YaST or read our manuals
> or use our support database but complain to the public ;-)
> 
> We do care about our users (perhaps we don't care about
> "F*#ck! SUSE" users) but we do care about our users.

I didn't mean to say SUSE users think "F*#ck! SUSE" as one word :-)

But rather, my example quote was meant to be 2 sentences. Let me
try once more: 

  "Shit!
   SUSE is too secure to let me simply print!?!"

Better?    :-)

> If an experienced user does not like it, it is well described
> what he can do.

Yes, it is well described. 

My point is:  make it so that users in trouble do not even need to
hunt for that description (my bet is, that less than 1% even do
this, and a minority of them does succeed in finding it).

My suggestion is: (  )

A large majority of "experienced users" even do not succeed on their 
own when they have trouble at this point. And *some* of these end up 
in my mail box crying for help (not @ SUSE's helpdesk).

> Kind Regards
> Johannes Meixner

Cheers,
Kurt

More information about the Printing-summit mailing list