Credential in PPD file: Is there a way to hide it?

Question

We have a copying machine that can be used as a printer. In order to do that, I have to provide a credential in plain in the Xerox.ppd file.

Problem: Any user on the system can grep credential /etc/cups/ppd/Xerox.ppd no matter if CUPS allows him to use that printer.

Being more restrictive on the file permissions of that file makes it impossible for users to set options like paper format and duplex/simplex, so that's no option. For example, I want lpoptions -l to keep working.

Is there a way to overcome this?

Answer 1

In researching this it does not appear that there's a method for blocking users from accessing the contents of the PPD file.

• Re: Unable to Print to Networked Konica Minolta BizHub C280
• Re: How do I set the default value in a PPD. (xerox accounting)
• Printing to Xerox with XSA accounting from Linux

So without this option your only viable option to restrict access would be to lock the .ppd files down.Locking that file down so only the CUPS user can access would seem to be the way to go.

$ sudo chown cupsuser:cupsgroup /etc/cups/ppd/Xerox.ppd
$ chmod 600 /etc/cups/ppd/Xerox.ppd

However this has caveats. Users will not be able to access this .ppd file to use this printer.

Remote printers

One way to get what you want would be to hide the printer behind a Samba server which should expose the options to users without exposing the permissions. Since I don't have this printer I can't fully test this out but I described a method that should be usable for you in thie Super User Q&A titled: How to set account and password in Linux for using a network printer.