./configure option to select whether the "usb" backend should run as root

[tillkamppeter]

Probably most distributions make the USB raw devices for printers accessible for the "lp" user by group ownerships and permissions or by using ACLs. Probably therefore CUPS installs the "usb" backend with 755 permissions so that it gets executed as the unprivileged "lp" user.

Some distributions (at lease Debian, Ubuntu, and probably everything derived from that) run "usb" as root, simply by removing the executable bits for group and others (744) after running make install during the package build.

The same I do in the CUPS Snap. As in the Snap I cannot create an "lp" user and group and I also cannot change ownerships and permissions of the raw USB devices from within the Snap, I need to run the "usb" backend as root. Currently I am, also changing the permissions of the backend after "make install", actually as a "prime-override" in snapcraft.yaml.

Now I want to ask if one could add a new option to ./configure, like --enable-usb-backend-run-as-root to let make install to install the "usb" backend with 744 permissions right away.

I habe looked into the backend/Makefile and I was not sure how to best implement this without breaking anything.

[surajkulriya]

If we define a new variable like INSTALL_BIN_WITH_ROOT_PRIVILEGE=$(INSTALL) -c -m 744 -s and use this instead of INSTALL_BIN=$(INSTALL) -c -m 755 -s in backend/Makefile for installing usb backend, when given option like you said --enable-usb-backend-run-as-root with ./configure will solve the issue?
Thanks

[surajkulriya]

hello @tillkamppeter
another thing I noticed is that you can use --with-exe-file-perm=744 option with ./configure to install usb backend with 744 permissions. But that way all your binary files and scripts files too will be installed with 744 permissions.
Thanks

[tillkamppeter]

@surajkulriya thanks, the suggestion in your first posting looks reasonable, but the way in your second posting does not work, as filters always run unprivileged and the command line tools also need to be run by any user, so thay cannot be set with 744 mode.

[surajkulriya]

@tillkamppeter ok,
So best way to implement could be, we define another option --with-exe-usb-backend-perm=VAL in ./configure file. And we already have --with-exe-file-perm. So there arrives 4 possible cases:

User give none of these input:
We install all files with 755 permissions.

User give both of these options input, with maybe same or different variable
"usb" and other files that are non "usb" gets installed with there corresponding permissions.

User give input only --with-exe-file-perm but not --with-exe-usb-backend-perm:
All files including "usb backend" gets installed with --with-exe-file-perm value.

User give input only --with-exe-usb-backend-perm but not --with-exe-file-perm:
"usb" backend gets installed with input permission but other binary files gets installed with 755 permission.

What's your thoughts? Should we implement it in this way ?

[michaelrsweet]

I think the simplest solution is to treat the USB backend as a run-as-root backend on all platforms besides macOS since it talks directly to local device files that, without explicit configuration, will require root access.

[tillkamppeter]

@michaelrsweet OK, let us go this way.

[michaelrsweet]

[master bf5f504] Install the USB backend to run as root.