How to downgrade the execution privilege of the Print Deploy server on Linux and macOS

In Linux and Mac environments, the Print Deploy server runs under a root user by default. In order to improve the security of the Print Deploy server, it is recommended to downgrade the execution privilege of the Print Deploy server to a non-root user. From PaperCut NG/MF 23.0.5 and later, fresh installations of Print Deploy will run under the papercut user by default. However, existing installations (even if upgraded) will continue to run under the root user until the steps mentioned below are implemented. If you have upgraded to 23.0.5 or later, you will need to perform the steps below to downgrade the execution privileges of Print Deploy. If you have installed 23.0.5 or later from scratch, the Print Deploy server will already be running under the papercut user, so you do not need to perform the below steps. Pre-requisites PaperCut NG/MF 23.0.5 or later is required* Papercut NG/MF has to be installed on a Linux server according to the guide here . Papercut NG/MF has to be installed on a Mac server according to the guide here . It is highly recommended to back up the Print Deploy server folder and pc-print-deploy.service file before making any changes. In high availability environments and clustered environments, Make sure all the Print Deploy servers are stopped before making any changes. Also, in shared file systems, ownership changes should be visible to all the Print Deploy servers. Run instructions on all the Print Deploy servers. * While you can execute the below steps on PaperCut 23.0.4 or earlier, it will break the Print Deploy server auto-update process, so our recommendation is to upgrade to 23.0.5 or later before manually running the steps below. Linux steps Log in to the Linux server as root. Stop pc-print-deploy service. systemctl stop pc-print-deploy Open the systemd service file of pc-print-deploy. vi /etc/systemd/system/pc-print-deploy.service Add User=papercut to the file as below. [Unit] Description=Automatically deploys printers through a server configuration ConditionFileIsExecutable=/home/papercut/providers/print-deploy/linux-x64/pc-print-deploy [Service] StartLimitInterval=5 StartLimitBurst=10 ExecStart=/home/papercut/providers/print-deploy/linux-x64/pc-print-deploy User=papercut Restart=always RestartSec=120 [Install] WantedBy=multi-user.target Change the ownership of the Print Deploy folder to papercut. chown -R papercut:papercut <PAPERCUT_HOME>/providers/print-deploy Reload the systemd daemon and start pc-print-deploy service. systemctl daemon-reload systemctl start pc-print-deploy Make sure the service is running under papercut user. ps -ef | grep pc-print The output should be like below. papercut 1234 1 0 12:00 ? 00:00:00 /home/papercut/providers/print-deploy/linux-x64/pc-print-deploy macOS steps Stop pc-print-deploy service. sudo launchctl unload /Library/LaunchDaemons/papercut-print-deploy.plist Open the systemd service file of pc-print-deploy (this example uses ‘vi’ to edit - or you can use your preferred editor) sudo vi /Library/LaunchDaemons/papercut-print-deploy.plist Edit the .plist file to include the UserName key: (Add in the two lines below) ​​​<key>UserName</key> <string>papercut</string> Under the line <string>PaperCut MF Print Deploy server</string> as below:​ <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>papercut.print-deploy</string> <key>OnDemand</key> <false/> <key>RunAtLoad</key> <true/> <key>ProgramArguments</key> <array> <string>/Applications/PaperCut MF/providers/print-deploy/mac/pc-print-deploy</string> </array> <key>ServiceDescription</key> <string>PaperCut MF Print Deploy server</string> <key>UserName</key> <string>papercut</string> </dict> </plist> Change the ownership of the Print Deploy folder to papercut. sudo chown -R papercut:papercut "/Applications/PaperCut MF/providers/print-deploy/" Start pc-print-deploy service. sudo launchctl load /Library/LaunchDaemons/papercut-print-deploy.plist Make sure the service is running under papercut user. (you should see the pc-print-deploy process running under the user papercut) ps aux | grep pc-print