Posted on 11-03-2023 06:25 AM
Hi All!
I've recently run into the issue of users receiving an admin popup when trying to print. Of course I've found the solution of adding the users to the printer admin group.
My main question is two-fold.
1. Is there a better way to do this, without adding them to the printer admin group? I've found some information around creating a custom CUPS policy that allows regular users to have more rights around printing, but haven't researched exactly what's going to be needed here, as it seemed like it was going to be very complex and time intensive to make work correctly.
2. What risks are present from adding users to the printer admin group? The info I found regarding the CUPS policy pointed towards users being able to add and remove printers, meaning they can run printer install packages as root. This info I found was a little dated and I am not sure how much of that info may have changed in the meantime with recent OSes.
Any help is greatly appreciated!
Posted on 11-06-2023 03:32 AM
To allow users to usefully interact with printers, we have always done the following:
/usr/sbin/dseditgroup -o edit -a everyone -t group _lpoperator
# Might also want...
/usr/bin/security authorizationdb write system.print.operator allow
What this allows is for users to unpause or otherwise configure a printer and to add a USB printer. It's always worked for us, though these days we only have 1 follow me style print queue.
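An added example, not part of the reply above: a read-only shell check that reports whether print rights on a Mac have been opened to every account, either by nesting `everyone` in a group or by setting a right to the `allow` rule. The admin-side names `_lpadmin` and `system.print.admin`, the well-known `everyone` UUID, and the function names are assumptions that do not appear in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): read-only check of how far print rights are open.
# Well-known UUID of the built-in "everyone" group (gid 12), as stored in NestedGroups.
EVERYONE_UUID="ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C"

# stdin: output of `dscl . -read /Groups/<group> NestedGroups`
nests_everyone() {
    if grep -qi "$EVERYONE_UUID"; then echo yes; else echo no; fi
}

# stdin: plist from `security authorizationdb read <right>`. Prints the first
# entry of the "rule" array, or "none" when the right is not defined by a rule.
right_rule() {
    awk '
        /<key>rule<\/key>/ { in_rule = 1; next }
        in_rule && /<string>/ {
            gsub(/^.*<string>|<\/string>.*$/, ""); print; found = 1; exit
        }
        in_rule && /<key>/ { exit }
        END { if (!found) print "none" }
    '
}

# args: label, nests_everyone result, right_rule result
assess() {
    if [ "$3" = "allow" ]; then
        echo "$1: OPEN, right is the allow rule (no group check at all)"
    elif [ "$2" = "yes" ]; then
        echo "$1: OPEN, everyone is nested in the group"
    else
        echo "$1: no everyone nesting, no allow rule"
    fi
}

if [ "$(uname)" = "Darwin" ]; then
    for pair in "_lpoperator system.print.operator" "_lpadmin system.print.admin"; do
        set -- $pair
        n=$(dscl . -read "/Groups/$1" NestedGroups 2>/dev/null | nests_everyone)
        r=$(security authorizationdb read "$2" 2>/dev/null | right_rule)
        assess "$1 / $2" "$n" "$r"
    done
else
    # Constructed sample input, shaped like the state after both commands in the post.
    n=$(echo "NestedGroups: $EVERYONE_UUID" | nests_everyone)
    r=$(printf '<key>rule</key>\n<array>\n<string>allow</string>\n</array>\n' | right_rule)
    assess "_lpoperator / system.print.operator (sample)" "$n" "$r"
fi
```

An `OPEN` line for `_lpoperator` matches what the reply sets up; an `OPEN` line for `_lpadmin` means every account can also add and remove printers.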
Posted on 11-08-2023 12:55 PM