HPLIP sys and lp groups questions

When I try to change some settings of my printer using HPLIP it tells me to add myself to the lp and sys groups. Is that safe? What are those groups used for?

Best regards,
Greg

As what user are you trying to do this? Normal user or root?

When you want to change typical systems settings, you should be root (what if every user could change those settings at his own gusto).
Or, this seems to be the case here, root could allow the power to do changes here to one (or more) users by adding those groups to them. Sort of distribution of administrative powers.

I’m trying to do this as a normal user. Once I’ve added myself to those groups (using YaST with root power) I can manage my printer using HPLIP. I was wondering what have I enabled myself to tweak on my system because I know more or less what the audio group is for and some other groups but I’ve got no idea what lp and sys groups are for. I’m particularly worried about the sys group as the name implies it gives a lot of power.

Best regards,
Greg

I thought I explained it above. Normally on a home system, as yours may be, you do not give all sorts of different administrative powers to may be the only real end-user. Why should you? You do administrative actions as root. I do not know why you want to do this printer configuration as normal user. Most people do this as root like all system configuration.

On bigger (groups of many) systems (like in a company) I can imagine that the task of maintaining printer configurations (many printers) can be delegated to a separate department. Thus one creates a user for that task on all the systems (and there are tools like NIS to do this very efficient across all systems) and gives it the power to manage printer configurations by letting it use those groups (it will most probably even have one of those groups as the default group and not be in group users).

Never forget that Linux, as a form of Unix, is in principle fit for a multi user, multi login, multi tasks, multi systems environment. And even if you do not use all of those features, it is unavoidable that you touch them when using Linux and that you must be aware of them to understand some of the things you experience (like independent HOME directories and thus independent personal environment configurations, user/group ownership and protection, possibilities of root and many more).

I wanted to change some default settings of the printer and this HPLIP icons shows up in the tray so I didn’t know how to start it as root and I didn’t want to log in as root to the desktop session so I’ve added myself to those groups, changed what I wanted and removed myself from those groups once more. Anyway it’s not possible to for example cancel a printing task without the powers from those groups (I’m not sure which one because I haven’t tested this yet) and I would like to be able to do this as a normal user.

I’m attaching the screenshots of the HPLIP tray icon and the window in which You can cancel the printing jobs so that You know what I’m talking about :)

HPLIP_tray_icon
HPLIP_cancel_task_window

Best regards,
Greg

On 2011-05-06 07:06, glistwan wrote:
> I wanted to change some default settings of the printer and this HPLIP
> icons shows up in the tray so I didn’t know how to start it as root and
> I didn’t want to log in as root to the desktop session so I’ve added
> myself to those groups, changed what I wanted and removed myself from
> those groups once more. Anyway it’s not possible to for example cancel a
> printing task without the powers from those groups (I’m not sure which
> one because I haven’t tested this yet) and I would like to be able to do
> this as a normal user.

It is possible to cancel a print job using cups, via web or via command
line, as plain user. Rather, a user can cancel his own jobs.

I don’t use hplip, even though I have an HP printer. No idea why it needs
those privileges - unless it is bypassing cups.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

I use hplip myself and if I want to change the default printer or paper size, I just run the Web Interface for CUPS. It will ask for the root user name and password if that is required.

menu Run Command is:

desktop-launch http://localhost:631/

OR Just This in Firefox:

http://localhost:631/

Thank You,

Thanks for the very helpful suggestion both :) I’ll try out the http way and report back.

Best regards,
Greg

I can confirm that the webgui for cups allows me to cancel print jobs. It launches a dialog in which it asks for credentials.

The HPLIP job canceling without lp and sys rights does not ask for any credentials and what is more it hangs the print job and later cancellation via web achieves nothing but I don’t care about this as long as the webgui works nice. Thank You all for help.

Best regards,
Greg

Happy to hear that Cups works. It is hard to know the thought on the hplip operation, but at least there is an alternative that works for you.

Thank You,

So… what about the question, is it safe for normal user to be in sys group?

In order to e.g. reset the printer after out-of-paper, you need to enter root credentials (unless you are in sys group, apparently), which is not the way to go, imho.

Cheers,
Pasi

On 2014-07-27 13:56, pendix wrote:

>
> In order to e.g. reset the printer after out-of-paper, you need to enter
> root credentials (unless you are in sys group, apparently), which is not
> the way to go, imho.

No, you don’t.


cer-g@minas-tirith:~> echo "Hello, world" > p.txt
cer-g@minas-tirith:~> lpr p.txt
cer-g@minas-tirith:~> lpq
cp1510n_ps is ready and printing
Rank    Owner   Job     File(s)                         Total Size
active  cer-g   32      p.txt                           1024 bytes
cer-g@minas-tirith:~> lprm 32
cer-g@minas-tirith:~> lpq
cp1510n_ps is ready
no entries
cer-g@minas-tirith:~> groups
users
cer-g@minas-tirith:~>

See? No credentials asked.

If the desktop doesn’t know how to do it, that’s a different problem.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

I don’t think best practice was made clear…

Do not add your regular User account to an Admin/root group, it’s bad practice which increases your risk of compromise.

Instead, use “sudo” for temporary and “su” for longer privilege escalation.

Also, Carlos’ example above is not relevant, there is a big difference between creating a print job and managing printer settings, the former can be done by almost any User while the latter requires elevated permissions.

TSU

On 2014-07-27 21:36, tsu2 wrote:

> Also, Carlos’ example above is not relevant, there is a big difference
> between creating a print job and managing printer settings, the former
> can be done by almost any User while the latter requires elevated
> permissions.

He did not say “manage printer settings”. He said “reset the printer
after out-of-paper”, and for that thing, being a job control thing, you
do not need to be root. There are things that may, things that do not,
require elevated privileges.

And cups can be adjusted to allow a plain user to configure a printer, too.

But desktops are known for ignoring cups requirements, and request
“root” when a plain user can also do it.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))
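
Added example, not part of any post in this thread: one way to answer the opening question of what lp or sys membership actually grants. In CUPS the groups that count as printer administrators are named by the SystemGroup directive, so the script lists which accounts hold that right through group membership and which paths a group can write to; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): what do CUPS admin groups such as
# "sys" and "lp" actually grant, and who holds them?

# Groups cupsd treats as printer administrators: the SystemGroup directive
# in cups-files.conf (cupsd.conf on older CUPS releases).
cups_admin_groups() {   # $1 = CUPS config file
    awk 'tolower($1) == "systemgroup" { for (i = 2; i <= NF; i++) print $i }' "$1" | sort -u
}

# Supplementary members of one group, read from a group(5)-format file.
group_members() {       # $1 = group name, $2 = group file
    awk -F: -v g="$1" '$1 == g && $4 != "" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2"
}

# "group:user" for every account that is a CUPS admin through membership alone.
cups_admin_accounts() { # $1 = CUPS config file, $2 = group file
    for g in $(cups_admin_groups "$1"); do
        for u in $(group_members "$g" "$2"); do echo "$g:$u"; done
    done
}

# Paths under a directory owned by a group with the group-write bit set,
# i.e. what membership lets you modify outside of CUPS.
group_writable() {      # $1 = group name or gid, $2 = directory
    find "$2" -xdev -group "$1" -perm -020 2>/dev/null | sort
}

# Constructed sample files so the functions can be tried without root.
make_samples() {        # $1 = empty scratch directory
    printf '%s\n' '# constructed sample' 'SystemGroup sys root' > "$1/cups-files.conf"
    printf '%s\n' 'root:x:0:' 'sys:x:3:greg' 'lp:x:7:greg,cupsuser' 'users:x:100:' > "$1/group"
}

demo() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    cups_admin_accounts "$d/cups-files.conf" "$d/group"     # constructed sample data
    for g in lp sys; do                                     # live system, read-only
        group_writable "$g" /etc; group_writable "$g" /dev
    done
    rm -rf "$d"
}
demo
```

On a real system, point cups_admin_accounts at the CUPS configuration under /etc/cups and at /etc/group; reading the CUPS file may need root. The group file only lists supplementary members, so accounts whose primary group is lp or sys, or that come from a directory service such as NIS, have to be checked separately.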