re root/lp/lpadmin, brain dump from memory: * debian runs cups as root by default * cups *can* print as non-root user, but * cups wants root to write e.g. ink levels to /etc/cups/printers.conf but that's not strictly needed. I notice subscriptions.conf in there as well. I think maybe KDE users need that to printer properly? cupsd also creates backup files called foo.conf.O. These state values all belong in /var or /run, but cupsd is super dumb. * editing /etc/cups via cupsd (lpadmin or the web UI) probably also needs cupsd to run as root. I usually create printer queues &c by hand, so I didn't investigate. * cups needs root to use cups-pdf queue (because it changes euid to the job owner to write to ~owner/PDF/blah.pdf or so.) * I think cupsd wanted root for one more thing, but I can't remember what it was. * in cups-files.conf I do this: ErrorLog syslog # Use syslog for all logging AccessLog syslog PageLog syslog SystemGroup lpadmin So I guess that's why lpadmin members are special. * by default cupsd doesn't verify the username, so you can trivially do e.g. mallory$ lp -U alice porn.pdf mallory$ cancel -U alice hp4100-1 I think the default <Location> ACLs in cupsd.conf try to limit "dangerous" commands to originate from 127.0.0.1, as a crappy workaround. PS: I only ever cared about networked printers. If your printer is connected over USB or something, cupsd probably needs write access to the relevant device file.