17/03/2010

How to stop CUPS from asking for the root password

CUPS has a quite restrictive allow/deny policy. Cancelling jobs requires the owner or root (OK, makes sense), for starting and stopping printers you also need root privileges. My root password is befittingly cumbersome, so I looked for some kind of CUPS sudo.
The file to look for is /etc/cups/cupsd.conf, which can be conveniently edited from the CUPS web interface's (localhost:631) Administration tab.

There are two options: either disable the password prompt completely (convenient, but on the risky side), or give your own user CUPS admin rights.
First option: change the line "DefaultPolicy default" to "DefaultPolicy easy". No password prompt ever, even if you fiddle with the configuration files. Not sure I like that.
Second option: Get the password prompt to accept your own user. For this, change the line "SystemGroup sys root" to "SystemGroup sys root lp" and make sure your user is a member of the lp group.

Judging from the structure of cupsd.conf, I suppose it is possible to fine-tune individual permissions by changing/commenting out the  AuthType/Require user statements in specific <Limit> … </Limit> blocks, but I saw no need to do that.
The CUPS web interface will restart the server after changing the configuration, however, your login status is apparently preserved. Reopen the interface in a new browser window to re-login.

4 comments:

DaWuzzzz said...

Yeah! Thanks for finding out that. I was annoyed by that CUPS behaviour as well but was too lazy to find out how to improve this situation...

avocadohead said...

My pleasure...

maniootek said...

I have added line "DefaultPolicy easy" to top-level directives (in the beginning) of the the cupsd.conf file but log file says:
Default policy "easy" not found.

avocadohead said...

Oh dear, that post is 8 years old. If you look at the file structure, there needs to be a <Policy easy>...</Policy> block somewhere for this hack to work, which seems to have been removed in newer CUPS versions, probably for security reasons. See the example in here:
https://stackoverflow.com/questions/46582838/linux-how-to-setup-cups-conf-to-access-cups-web-interface-from-remote-machines
If you *really* want to give everybody all CUPS access, you could copy the respective policy block.