Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://friedcheese.us/objects/abd589a4-3421-4a1b-96b6-0edcbbab5c14">feld (feld@friedcheese.us)'s status on Friday, 27-Sep-2024 05:46:19 JST</a><a href="https://friedcheese.us/users/feld" title="feld@friedcheese.us"><img src="https://gnusocial.jp/avatar/274913-48-20241012191855.webp" width="48" height="48" alt="feld" style="position: absolute; left: 0; top: 0;">feld</a><div><a href="https://pony.social/@cult/113205788465088532" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><a href="https://pony.social/@cult">@cult</a> how do you bind to :631 as non-root? CUPS itself would need to drop privs but it doesn't have that capability. It's completely missing from cupsd.conf<br><br>I could work around it and allow cupsd to bind to :631 as non-root on FreeBSD pretty easily, but that's a much harder problem on Linux these days. Linux's option for this (CAP_NET_BIND_SERVICE) requires you to bless a *binary* to bind on reserved ports, not a user or group.<br><br>If you want to do it with a user or group you have to wrap the command with something like authbind which is not a transparent change at all</article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3733244#notice-7309892">In conversation</a><time datetime="2024-09-27T05:46:19+09:00" title="Friday, 27-Sep-2024 05:46:19 JST">about 4 months ago</time> <span>from <span><a href="https://friedcheese.us/objects/abd589a4-3421-4a1b-96b6-0edcbbab5c14" rel="external" title="Sent from friedcheese.us via ActivityPub">friedcheese.us</a></span></span><a href="https://friedcheese.us/objects/abd589a4-3421-4a1b-96b6-0edcbbab5c14">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
feld (feld@friedcheese.us)'s status on Friday, 27-Sep-2024 05:46:19 JSTfeld
in reply to
- CULTPONY :verified: :verified:
@cult how do you bind to :631 as non-root? CUPS itself would need to drop privs but it doesn't have that capability. It's completely missing from cupsd.conf

I could work around it and allow cupsd to bind to :631 as non-root on FreeBSD pretty easily, but that's a much harder problem on Linux these days. Linux's option for this (CAP_NET_BIND_SERVICE) requires you to bless a *binary* to bind on reserved ports, not a user or group.

If you want to do it with a user or group you have to wrap the command with something like authbind which is not a transparent change at all
In conversationabout 4 months ago from friedcheese.uspermalink

Public

Embed Notice

HTML Code

Corresponding Notice