Choose your language

Choose your login

Support

How to downgrade the execution privilege of the Print Deploy server on Linux and macOS

THE PAGE APPLIES TO:

In Linux and Mac environments, the Print Deploy server runs under a root user by default. In order to improve the security of the Print Deploy server, it is recommended to downgrade the execution privilege of the Print Deploy server to a non-root user.

From PaperCut NG/MF 23.0.5 and later, fresh installations of Print Deploy will run under the papercut user by default. However, existing installations (even if upgraded) will continue to run under the root user until the steps mentioned below are implemented.

  • If you have upgraded to 23.0.5 or later, you will need to perform the steps below to downgrade the execution privileges of Print Deploy. 
  • If you have installed 23.0.5 or later from scratch, the Print Deploy server will already be running under the papercut user, so you do not need to perform the below steps.

Pre-requisites

  • PaperCut NG/MF 23.0.5 or later is required* 
  • Papercut NG/MF has to be installed on a Linux server according to the guide here .
  • Papercut NG/MF has to be installed on a Mac server according to the guide here .
  • It is highly recommended to back up the Print Deploy server folder and pc-print-deploy.service file before making any changes.
  • In high availability environments and clustered environments, Make sure all the Print Deploy servers are stopped before making any changes. Also, in shared file systems, ownership changes should be visible to all the Print Deploy servers. Run instructions on all the Print Deploy servers.

* While you can execute the below steps on PaperCut 23.0.4 or earlier, it will break the Print Deploy server auto-update process, so our recommendation is to upgrade to 23.0.5 or later before manually running the steps below.

Linux steps

  1. Log in to the Linux server as root.

  2. Stop pc-print-deploy service.

    systemctl stop pc-print-deploy
    
  3. Open the systemd service file of pc-print-deploy.

    vi /etc/systemd/system/pc-print-deploy.service
    
  4. Add User=papercut to the file as below.

    [Unit]
    Description=Automatically deploys printers through a server configuration
    ConditionFileIsExecutable=/home/papercut/providers/print-deploy/linux-x64/pc-print-deploy
    
    [Service]
    StartLimitInterval=5
    StartLimitBurst=10
    ExecStart=/home/papercut/providers/print-deploy/linux-x64/pc-print-deploy
    User=papercut
    
    Restart=always
    RestartSec=120
    
    [Install]
    WantedBy=multi-user.target
    
  5. Change the ownership of the Print Deploy folder to papercut.

    chown -R papercut:papercut <PAPERCUT_HOME>/providers/print-deploy
    
  6. Reload the systemd daemon and start pc-print-deploy service.

    systemctl daemon-reload
    systemctl start pc-print-deploy
    
  7. Make sure the service is running under papercut user.

    ps -ef | grep pc-print
    

    The output should be like below.

    papercut  1234     1  0 12:00 ?        00:00:00 /home/papercut/providers/print-deploy/linux-x64/pc-print-deploy
    

macOS steps

  1. Stop pc-print-deploy service.

    sudo launchctl unload /Library/LaunchDaemons/papercut-print-deploy.plist
    
  2. Open the systemd service file of pc-print-deploy (this example uses ‘vi’ to edit - or you can use your preferred editor)

    sudo vi /Library/LaunchDaemons/papercut-print-deploy.plist
    
  3. Edit the .plist file to include the UserName key:
    (Add in the two lines below) 

    ​​​<key>UserName</key>
    <string>papercut</string>

    Under the line <string>PaperCut MF Print Deploy server</string> as below:

  4. <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
      <dict>
        <key>Label</key>
        <string>papercut.print-deploy</string>
        <key>OnDemand</key>
        <false/>
        <key>RunAtLoad</key>
        <true/>
        <key>ProgramArguments</key>
        <array>
            <string>/Applications/PaperCut MF/providers/print-deploy/mac/pc-print-deploy</string>
        </array>
        <key>ServiceDescription</key>
        <string>PaperCut MF Print Deploy server</string>
          <key>UserName</key>
          <string>papercut</string>
      </dict>
    </plist>
    
  5. Change the ownership of the Print Deploy folder to papercut.

    sudo chown -R papercut:papercut "/Applications/PaperCut MF/providers/print-deploy/"
    
  6. Start pc-print-deploy service.

    sudo launchctl load /Library/LaunchDaemons/papercut-print-deploy.plist
    
  7. Make sure the service is running under papercut user.
    (you should see the pc-print-deploy process running under the user papercut)

    ps aux | grep pc-print
    

Categories: How-to Articles , Security


Keywords: print deploy server , linux , security

Comments

Last updated June 13, 2024