System Administration Guide: Printing

Privilege Requirements for Using Print Commands

The design of the Open Standard Print API (PAPI) implementation in the Oracle Solaris release makes it no longer necessary for applications, toolkits, and print commands to run with elevated privilege to interact with print services.

As a result, the following print commands are no longer installed SUID root:

Previously, these commands were installed SUID root because the commands required an elevated privilege for the following purposes:

This functionality is now localized in a small helper application, /usr/lib/print/lpd-port. As a result, any applications that use the RFC-1179 PAPI support no longer require elevated privilege. The lpd-port helper application contains minimal support for passing RFC-1179 protocol requests on a reserved port and allocating sequential job-id numbers. Although the helper application is installed SUID root, all elevated privileges are dropped until they are required. When necessary, the privilege is elevated for the required operation and then permanently dropped if the elevated privilege is no longer required. In the Oracle Solaris release, this process is accomplished through the use of privileges. On other platforms, the process is accomplished by using the setuid, seteuid, or setreuid functions.
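The elevate, use, then permanently drop sequence described above, sketched with the setuid and seteuid calls the text names for other platforms. This is an added example, not the lpd-port source: the function names are hypothetical, and the 721-731 source port range is taken from RFC 1179 itself rather than from this guide.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* RFC 1179 requires the client's source port to be in 721..731. */
enum { RESERVED_LO = 721, RESERVED_HI = 731 };

/* Returns 1 if root can no longer be regained, 0 otherwise. */
static int root_is_unrecoverable(void)
{
    if (seteuid(0) != 0) return 1;
    (void)seteuid(getuid());        /* regained root: undo, report failure */
    return 0;
}

/* Bracket the one privileged step: elevate, bind, drop for good.
 * Returns a bound socket, or -1 (privilege is dropped either way). */
static int bind_reserved_source_port(void)
{
    uid_t ruid = getuid();
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    int bound = 0;
    struct sockaddr_in sa = {0};

    if (fd >= 0 && seteuid(0) == 0) {               /* elevate */
        sa.sin_family = AF_INET;
        sa.sin_addr.s_addr = htonl(INADDR_ANY);
        for (int p = RESERVED_LO; p <= RESERVED_HI && !bound; p++) {
            sa.sin_port = htons((unsigned short)p);
            bound = bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0;
        }
    }
    /* With euid 0, setuid() resets real, effective and saved UIDs. */
    if (setuid(ruid) != 0 || !bound) {
        if (fd >= 0) close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    if (seteuid(getuid()) != 0) return 1;   /* startup: run unprivileged */
    int fd = bind_reserved_source_port();
    if (getuid() != 0 && !root_is_unrecoverable()) return 2;  /* drop failed */
    return fd >= 0 ? 0 : 3;
}
```

The permanent drop is issued while the effective UID is still 0; calling setuid() after a temporary seteuid() drop would leave the saved UID at 0 and root recoverable.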

If you have local printers that you do not want to share on the network, you can safely disable the printing network listeners. If you are running the Oracle Solaris release, or a CUPS server, the lpstat command provides you with more information about remote print queues and print jobs, as well as their capabilities when using IPP to communicate with those servers.

When IPP is in use, and with the proper authorization, the following operations can be performed on remote print queues and print jobs:

Also, you can now move print requests between queues on a print server and modify print requests remotely when IPP is in use.

For more information, see the privileges(5) man page. For step-by-step procedures, see Administering Printers on a Network When Using the Internet Printing Protocol (Task Map).