* Run CUPS' external programs in the "lp" group so that they can

access printer devices in /dev.  Also use a "cups" user instead of
  "nobody".

svn path=/nixos/trunk/; revision=23003

modules/misc/ids.nix

@@ -55,6 +55,7 @@ in
     osgi = 34;
     sabnzbd = 33;
     tor = 35;
+    cups = 36;
     # When adding a uid, make sure it doesn't match an existing gid.
 
     nixbld = 30000; # start of range of uids

modules/services/printing/cupsd.nix

@@ -102,11 +102,18 @@ in
 
   config = mkIf config.services.printing.enable {
 
+    users.extraUsers = singleton
+      { name = "cups";
+        uid = config.ids.uids.cups;
+        group = "lp";
+        description = "CUPS printing services";
+      };
+
     environment.systemPackages = [ cups ];
 
     services.dbus.packages = [ cups ];
 
-    # cups uses libusb to talk to printers, and does not use the
+    # Cups uses libusb to talk to printers, and does not use the
     # linux kernel driver. If the driver is not in a black list, it
     # gets loaded, and then cups cannot access the printers.
     boot.blacklistedKernelModules = [ "usblp" ];
@@ -167,6 +174,13 @@ in
 
         TempDir ${cfg.tempDir}
 
+        # User and group used to run external programs, including
+        # those that actually send the job to the printer.  Note that
+        # Udev sets the group of printer devices to `lp', so we want
+        # these programs to run as `lp' as well.
+        User cups
+        Group lp
+
         Browsing On
         BrowseOrder allow,deny
         BrowseAllow @LOCAL