SDB:Printer Configuration from SUSE LINUX 9.0 on

Şuraya atla: kullan, ara 


Version: 9.0

Situation

You want to configure your printer. Refer to the manuals of SUSE LINUX 9.0 for basic information. The following paragraphs provide further information, especially regarding the differences and peculiarities of SUSE LINUX 9.0 compared to earlier versions. Compare to the following articles:

  • "Printer Configuration from SuSE Linux 8.2"
  • "Printer Configuration with SuSE Linux 8.1"
  • "Printer Configuration with SuSE Linux 8.0"
  • "Installing a Printer from SuSE Linux 6.4 to 7.3"
  • "Installing a Printer"

The recommended print system in SUSE LINUX 9.0 is CUPS.

Changes in the CUPS Print Service (in cupsd)

  1. cupsd runs as the user lp
  2. Generalized functionality for BrowseAllow and BrowseDeny
  3. Automatic activation of cupsd following the installation of the cups package

cupsd Runs as the User lp

On start-up, cupsd changes from the user root to the user lp as specified in /etc/cups/cupsd.conf: 

User lp
Group lp
RunAsUser Yes

If "RunAsUser" is set to "No", cupsd will continue to run as root.

Advantage:
Improved security, as the CUPS print service does not run with unlimited permissions, but only with permissions needed for the print service.

Disadvantage:
The authentication (the password verification) cannot take place via /etc/shadow, as lp does not have access to /etc/shadow. Therefore "AuthType Basic" does not work in this case. Rather, the CUPS-specific authentication via /etc/cups/passwd.md5 must be used. In /etc/cups/cupsd.conf, this can be specified as follows: 

<Location /admin>
AuthType BasicDigest
AuthClass Group
AuthGroupName sys
...
</Location>

Additionally, the following command must be used (as the user root) to enter a CUPS-specific password for the user root in /etc/cups/passwd.md5: 

lppasswd -g sys -a root

If "AuthType" is set to "Basic", the password verification will take place with /etc/shadow. In this case, cupsd must run as root (i.e., "RunAsUser No").

Additional consequences:

  • If cupsd runs as lp, /etc/printcap cannot be generated, as lp is not permitted to create files in /etc/. For this reason, cupsd creates cupsd /etc/cups/printcap as specified in /etc/cups/cupsd.conf:
Printcap /etc/cups/printcap
For applications that can only read queue names from /etc/printcap to work properly, /etc/printcap is a symbolic link to /etc/cups/printcap.
  • As soon as cupsd starts running as lp, port 631 cannot be opened. Therefore, cupsd can no longer be reloaded with "rccups reload". Instead, use "rccups restart".
  • If HP all-in-one devices (e.g., HP OfficeJet) are addressed by way of the "ptal" service, this will not work if the user root set an unsuitable "umask" when executing "ptal-init setup". In this case, ptal would have created the directories /dev/ptal-printd and /var/run/ptal-* with insufficient access permissions. Suitable access permissions that enable cupsd to send data to ptal devices as the user lp can be set with the following command:
chmod a+rx /dev/ptal-printd /var/run/ptal-*
See the article "HP OfficeJet" for more information on HP all-in-one devices.

Generalized Functionality for BrowseAllow and BrowseDeny

The access conditions set for BrowseAllow and BrowseDeny now apply to all kinds of packets sent to cupsd.

The default settings in /etc/cups/cupsd.conf are as follows: 

BrowseAllow @LOCAL
BrowseDeny All

In this way, only LOCAL hosts can access cupsd. LOCAL hosts are hosts whose IP addresses belong to a non-PPP interface. For all other hosts (especially hosts that send packets to cups via a PPP interface), the packets are rejected immediately.

Access restrictions with BrowseAllow and BrowseDeny are checked first and therefore have the highest priority. Thus, 

BrowseAllow None
BrowseDeny All

causes all packets from all hosts to be rejected immediately, regardless of any other access settings (such as in <Location />...</Location>). Only packages from "localhost" (127.0.0.1) are not rejected.

The main difference between access conditions with BrowseAllow and BrowseDeny and access conditions with an approach such as <Location />...</Location> is as follows:

  • With BrowseAllow/BrowseDeny, the decision to grant or deny access is based exclusively on the data in the packet header. As no data from the actual packet is processed for the purpose of rejecting packets from unauthorized hosts, cupsd is less vulnerable to access from unauthorized hosts.
  • With <Location />...</Location>, the decision to grant or deny access is based on the data in the actual packet. This process is complex and presents more vulnerable spots in cupsd that could be exploited for an attack.

Result:
Access restrictions with BrowseAllow and BrowseDeny should be used to deny all access for unauthorized hosts immediately. For BrowseAllow, you would normally enter the network from which access is generally permitted. Several BrowseAllow entries can be used for several networks or several individual hosts. "BrowseDeny All" denies access from all other hosts. <Location />...</Location> can be used to define the detailed access conditions.

Customer feedback wanted:
In SUSE LINUX 9.0, the generalized functionality for BrowseAllow and BrowseDeny is implemented as the patch "cups-1.1.19-preauth_security.patch". The underlying purpose of this patch is to achieve the functionality described above (access decision exclusively based on the data in the packet header) without necessitating new keywords in /etc/cups/cupsd.conf for the configuration of the access conditions, as our purpose is to modify the code of cupsd as little as possible. This patch was necessary for automatically activating cupsd in SUSE LINUX 9.0 (see following section). Furthermore, it represents a proposal for a possible way of improving the security of cupsd. Nevertheless, the patch does not constitute the final solution. To be able to develop a conclusive solution, we need customer feedback in order to learn about any problems that could be caused by this patch.

Automatic Activation of cupsd Following the Installation of the cups Package

The two items mentioned above are vital preconditions, as otherwise the security would not be sufficient for an automatic activation of cupsd. A correctly configured firewall may not be available in all scenarios. Therefore, cupsd itself must meet these security requirements.

The cups package is installed within the scope of the standard installation. The automatic activation of cupsd now enables comfortable access to queues of CUPS network servers without any additional manual actions. In this way, we comply with the frequently-expressed wish for comfortable out-of-the-box access to CUPS queues in the network -- especially for network client hosts to which no printers are connected.

Changes in LPRng and lpdfilter

From SUSE Linux 9.0 on, filtering in the LPRng and lpdfilter printing system takes place as follows (see the corresponding section in the Administration Guide):

  • If a PostScript printer is attached, the Post­Script data is directly sent to the printer:
printing data
   |
   v
lpdfilter: conversion to PostScript
   |
   v
PostScript printer
  • If there is no PostScript printer attached, Ghostscript is used to create printer-specific data. The printer-specific parameters for the Ghostscript command are saved in the following locations ("queue" must be replaced with the real queue name):
    • In the cm line in the file /etc/printcap as hitherto
    • In the file /etc/lpdfilter/queue/upp as hitherto
    • From SUSE Linux 9.0 on, in the file /etc/lpdfilter/queue/ppd, too.
      This is the case if lpdfilter has been configured with YaST.
      Through this, the conversion to printer-specific data is performed in the same way as in the CUPS printing system with the filter foomatic-rip, which uses for the Ghostscript command data included in the same Foomatic PPD file used for the CUPS printing system.
      If lpdfilter is configured by means of YaST, filtering in the LPRng and lpdfilter printing system takes place as follows:
  printing data
     |
     v
  lpdfilter: conversion to PostScript only
     |
     |    ____ PPD file matching the printer model
     |   |     (/etc/lpdfilter/queue/ppd)
     v   v
  foomatic-rip: conversion to the printer language with Ghostscript
     |
     v
  printer

<keyword>print,printer,cups,yast2,setup,90,9.0,configuration,lprng,lpdfilter,foomatic</keyword>

"https://tr.opensuse.org/index.php?title=SDB:Printer_Configuration_from_SUSE_LINUX_9.0_on&oldid=2955" adresinden alındı.