Hi! For a very long time, apparently, we ship smbspool backend for cups in samba package in a wrong way.
source3/client/smbspool_krb5_wrapper.c reads: /* * This is a helper binary to execute smbspool. * * It needs to be installed or symlinked as: * /usr/lib/cups/backend/smb * * The permissions of the binary need to be set to 0700 so that it is executed * as root. The binary switches to the user which is passed via the environment * variable AUTH_UID, so we can access the kerberos ticket. */ And we have: /usr/lib/cups/backend/smb => /usr/bin/smbspool Is it okay for smbspool to be run as root to start with ? Or does cups run things as different user when it has wider than 0700 file permissions? Should it be usr/lib/cups/backend/smb => usr/libexec/samba/smbspool_krb5_wrapper instead? (This is how the move to libexec "affects" cups: it doesn't). But overall, does it really matter? What this wrapper is supposed to do, what _is_ this $AUTH_UID thing, when we are run from cups? Is it a local user who submitted a print job, and the backend runs under this local user? How about remote print jobs? Just guessing here. Can cups people answer some of that? Thanks! /mjt