To use the administration with the web front-end (CUPS) or the printer administration tool (KDE), the user root must be set up as CUPS administrator with the CUPS administration group sys and a CUPS password. This can be done as root with the following command:
lppasswd -g sys -a root
If this is not done, administration with the web interface or with the administration tool is not possible, because the authentication fails if no CUPS administrator has been configured. Instead of root, any other user can also be appointed as CUPS administrator (see Changes in the CUPS Print Service (cupsd)).
There are three significant changes in the CUPS print service:
For more information about these changes, see the Support Database article "Printer Configuration from SUSE LINUX 9.0 on" at http://portal.suse.com/sdb/en/2003/09/jsmeix_print-einrichten-90.html.
On start-up, cupsd changes from the user root to the user lp. This provides a much higher level of security, as the CUPS print service does not run with unrestricted permissions, but only with the permissions needed for the print service.
However, the authentication (more precisely: the password check) cannot be performed via /etc/shadow, as lp has no access to /etc/shadow. Instead, the CUPS-specific authentication via /etc/cups/passwd.md5 must be used. For this purpose, a CUPS administrator with the CUPS administration group sys and a CUPS password must be entered in /etc/cups/passwd.md5. To do this, enter the following as root:
lppasswd -g sys -a <CUPS-admin-name>
When cupsd runs as lp, /etc/printcap cannot be generated, as lp is not permitted to create files in /etc/. Therefore, cupsd generates /etc/cups/printcap. To ensure that applications that can only read queue names from /etc/printcap continue to work properly, /etc/printcap is a symbolic link pointing to /etc/cups/printcap.
When cupsd runs as lp, port 631 cannot be opened. Therefore, cupsd can no longer be reloaded with rccups reload. Use rccups restart instead.
The access permissions set for BrowseAllow and BrowseDeny apply to all kinds of packages sent to cupsd. The default settings in /etc/cups/cupsd.conf are as follows:
BrowseAllow @LOCAL
BrowseDeny All
and
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 127.0.0.2
Allow From @LOCAL
In this way, only LOCAL hosts can access cupsd on a CUPS server. LOCAL hosts are hosts whose IP addresses belong to a non-PPP interface (more precisely: interfaces whose IFF_POINTOPOINT flags are not set) and whose IP addresses belong to the same network as the CUPS server. Packets from all other hosts are rejected immediately.
In a standard installation, cupsd is activated automatically, enabling comfortable access to the queues of CUPS network servers without any additional manual actions. The two first items are vital preconditions for this feature, as otherwise the security would not be sufficient for an automatic activation of cupsd.
The YaST printer configuration sets up the queues for CUPS using only the PPD files installed in /usr/share/cups/model/ on the system. To determine the suitable PPD files for the respective printer model, YaST compares the vendor and model determined during the hardware detection with the vendors and models in all PPD files available in /usr/share/cups/model/ on the system. For this purpose, the YaST printer configuration generates a database from the vendor and model information extracted from the PPD files. When you select a printer from the list of vendors and models, receive the PPD files matching the respective vendor and model.
The configuration using only PPD files and no other information sources has the advantage that the PPD files in /usr/share/cups/model/ can be modified freely. The YaST printer configuration recognizes changes and regenerates the vendor and model database. For example, if you only have PostScript printers, normally you do not need the Foomatic PPD files in the cups-drivers package or the GimpPrint PPD files in the cups-drivers-stp package. Instead, the PPD files for your PostScript printers can be copied directly to /usr/share/cups/model/ (if they do not already exist in the manufacturer-PPDs package) to achieve an optimum configuration for your printers.
The generic PPD files in the cups package have been complemented with adapted Foomatic PPD files for PostScript level 1 and level 2 printers: /usr/share/cups/model/Postscript-level1.ppd.gz and /usr/share/cups/model/Postscript-level2.ppd.gz
Normally, the Foomatic printer filter "foomatic-rip" is used together with Ghostscript for non-PostScript printers. Suitable Foomatic PPD files have the entries "*NickName: ... Foomatic/Ghostscript driver" and "*cupsFilter: ... foomatic-rip". These PPD files are located in the cups-drivers package.
YaST prefers a Foomatic PPD file if the following conditions are met:
Instead of "foomatic-rip", the CUPS filter "rastertoprinter" from GimpPrint can be used for many non-PostScript printers. This filter and suitable GimpPrint PPD files are available in the cups-drivers-stp package. The GimpPrint PPD files are located in /usr/share/cups/model/stp/ and have the entries "*NickName: ... CUPS+Gimp-Print" and "*cupsFilter: ... rastertoprinter".
The manufacturer-PPDs package contains PPD files from printer manufacturers that are released under a sufficiently liberal license. PostScript printers should be configured with the suitable PPD file of the printer manufacturer, as this file enables the use of all functions of the PostScript printer. YaST prefers a PPD file from the manufacturer-PPDs package if the following conditions are met:
Accordingly, YaST does not use any PPD file from the manufacturer-PPDs package in the following cases:
If a PPD file from the manufacturer-PPDs package is suitable for a PostScript printer, but YaST does not use it for the above-mentioned reasons, select the respective printer model manually in YaST.