Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 04-08-2006 Installation Manual page 463

cupsd Runs as the User lp
On start-up, cupsd changes from the user root to the user lp. This provides a much
higher level of security, because the CUPS print service does not run with unrestricted
permissions, only with the permissions needed for the print service.
However, the authentication (the password check) cannot be performed via /etc/
shadow, because lp has no access to /etc/shadow. Instead, the CUPS-specific
authentication via /etc/cups/passwd.md5 must be used. For this purpose, a CUPS
administrator with the CUPS administration group sys and a CUPS password must
be entered in /etc/cups/passwd.md5. To do this, enter the following as root:
lppasswd -g sys -a CUPS-admin-name
This setting is also essential if you want to use the CUPS administration Web front-end
or the KDE printer administration tool.
When cupsd runs as lp, /etc/printcap cannot be generated, because lp is not
permitted to create files in /etc/. Therefore, cupsd generates /etc/cups/
printcap. To ensure that applications that can only read queue names from /etc/
printcap continue to work properly, /etc/printcap is a symbolic link pointing
to /etc/cups/printcap.
When cupsd runs as lp, port 631 cannot be opened. Therefore, cupsd cannot be
reloaded with rccups reload. Use rccups restart instead.
Generalized Functionality for BrowseAllow and
BrowseDeny
The access permissions set for BrowseAllow and BrowseDeny apply to all kinds
of packages sent to cupsd. The default settings in /etc/cups/cupsd.conf are
as follows:
BrowseAllow @LOCAL
BrowseDeny All
and
<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Printer Operation 463