Comment 1 for bug 52350

Revision history for this message
Kurt Pfeifle (pfeifle) wrote : Ubuntu's hard-wired "RunAsUser cupsys" breaks CUPS authentication via nsswitch.conf + LDAP + PAM

Is your LDAP authentication working alright for other services?

IMHO, your bug report should be renamed to a line like the heading of my own comment.

Ubuntu cupsys 1.2.x packages are patched to retain the "RunAsUser" feature (which is now deprecated and removed -- for good reasons! -- by the original CUPS developers) in their distro, which makes cupsd run as user "cupsys" under all circumstances. (However, I assume this is just what Dapper inherited from Debian, and it is the same in Debian...).

That creates all kinds of problems when users want to follow one of the standard HOWTOs floating around the 'net to set up a certain behaviour of their printing system. Things like the ones outlined by a recent posting of Mike Sweet on CUPS.org don't work as expected:

 - lpd backend printing towards older LPD servers which require source
   ports 721-731 (the CUPS option of appending "?reserve=yes" will fail)
   (see also Ubuntu bug #47773)

 - automatic root authentication via certificates (Ubuntu bug #26964 ?)

 - proxy authentication support in 1.2.x (no Ubuntu bug report [yet])

 - PAM-based local authentication (very likely the cause of your own
   Ubuntu problem, reported as this bug #52350)

 - support for legacy Unix clients via /etc/printcap or /etc/printers.conf
   (probably never a problem for Ubuntu -- but running as user completely
   breaks printing for all Gnome apps on Solaris 10, for example).

 - future Kerberos support (as is currently under development by a Google
   Summer of Code student)

At least, the "RunAsUser" experiment in CUPS 1.1.x was a *configurable* parameter, controllable via a cupsd.conf directive.

Now, what's the absolutely worst thing about the Ubuntu (and Debian as well ??) RunAsUser patch is that you can't set it back to "RunAsUser No"!

You can't re-gain the full original functionality of CUPS, as it was designed by its original developers: The Ubuntu(/Debian?) "RunAsUser" thingie is non-configurable; it is *not* an option to be reversed by a user; it is simply hard-coded into their patched sources.

You can't even work around it by by-passing the "/etc/init.d/cupsys start" script, and by starting "/usr/sbin/cupsd" directly as root from the commandline: cupsd will always run as the "cupsys" user...

In effect, this is not only a patch, it is a fork of CUPS (OK, I'll add another "IMHO" to my last sentence...).