Debian Bug report logs - #506181
"Print Server -> Configure Server..." breaks permissions for CUPS backends.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Ken Bloom <kbloom@gmail.com>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: cups: Can't add local printers

Date: Tue, 18 Nov 2008 21:23:01 -0600

Package: cups
Version: 1.3.8-1lenny2
Severity: grave
Justification: makes package mostly unusable on new installs

I can't add local printers in this version of cups. The localhost:631
web interface doesn't list them as an option, and the kcontrol
printing control panel has the "Local Printer" option grayed out.

Running dpkg-reconfigure cups and reselecting the backends doesn't fix
this. I have confirmed that these backedns are enabled after running
dpkg-reconfigure cups, but I still can't add a local printer.

[bloom@little-cat-a thesisproposal]$ ls /usr/lib/cups/backend
beh*    hp*     http*  lpd*       ptal*  serial*  snmp*    usb*
dnssd*  hpfax*  ipp*   parallel*  scsi*  smb@     socket*

Upgrading to 1.3.9-4 from experimental fixes this.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.27.5-amd64-1ken (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages cups depends on:
ii  adduser               3.110              add and remove users and groups
ii  cups-common           1.3.8-1lenny2      Common UNIX Printing System(tm) - 
ii  debconf [debconf-2.0] 1.5.24             Debian configuration management sy
ii  ghostscript           8.62.dfsg.1-3.1    The GPL Ghostscript PostScript/PDF
ii  libavahi-compat-libdn 0.6.23-2           Avahi Apple Bonjour compatibility 
ii  libc6                 2.7-16             GNU C Library: Shared libraries
ii  libcups2              1.3.8-1lenny2      Common UNIX Printing System(tm) - 
ii  libcupsimage2         1.3.8-1lenny2      Common UNIX Printing System(tm) - 
ii  libdbus-1-3           1.2.1-4            simple interprocess messaging syst
ii  libgnutls26           2.4.2-3            the GNU TLS library - runtime libr
ii  libkrb53              1.6.dfsg.4~beta1-4 MIT Kerberos runtime libraries
ii  libldap-2.4-2         2.4.11-1           OpenLDAP libraries
ii  libpam0g              1.0.1-4+b1         Pluggable Authentication Modules l
ii  libpaper1             1.1.23+nmu1        library for handling paper charact
ii  libslp1               1.2.1-7.5          OpenSLP libraries
ii  lsb-base              3.2-20             Linux Standard Base 3.2 init scrip
ii  perl-modules          5.10.0-17          Core Perl modules
ii  procps                1:3.2.7-9          /proc file system utilities
ii  ssl-cert              1.0.23             simple debconf wrapper for OpenSSL
ii  xpdf-utils [poppler-u 3.02-1.4           Portable Document Format (PDF) sui

Versions of packages cups recommends:
ii  avahi-utils           0.6.23-2           Avahi browsing, publishing and dis
ii  cups-client           1.3.8-1lenny2      Common UNIX Printing System(tm) - 
ii  foomatic-filters      3.0.2-20080211-3.2 OpenPrinting printer support - fil
ii  smbclient             2:3.2.4-1          a LanManager-like simple client fo

Versions of packages cups suggests:
ii  cups-bsd                1.3.8-1lenny2    Common UNIX Printing System(tm) - 
pn  cups-driver-gutenprint  <none>           (no description available)
pn  cups-pdf                <none>           (no description available)
ii  foomatic-db             20080211-2+nmu1  OpenPrinting printer support - dat
ii  foomatic-db-engine      3.0.2-20080211-1 OpenPrinting printer support - pro
ii  hplip                   2.8.6.b-3        HP Linux Printing and Imaging Syst
pn  xpdf-korean | xpdf-japa <none>           (no description available)

-- debconf information:
* cupsys/raw-print: false
* cupsys/backend: ipp, lpd, parallel, scsi, serial, socket, usb, snmp, dnssd

Message #10 received at 506181@bugs.debian.org (full text, mbox, reply):

From: "Chanoch (Ken) Bloom" <kbloom@gmail.com>

To: 506181@bugs.debian.org

Subject: Wrong about the version that fixes it

Date: Tue, 18 Nov 2008 21:56:32 -0600

[Message part 1 (text/plain, inline)]

I'm wrong about the version that fixes this -- it just reappeared in
1.3.9-4. This appears to be related to #503644 though. I'm upgrading to
1.3.9-5 and I'll see if this bug goes away.

--Ken

-- 
Ken (Chanoch) Bloom. PhD candidate. Linguistic Cognition Laboratory.
Department of Computer Science. Illinois Institute of Technology.
http://www.iit.edu/~kbloom1/

[signature.asc (application/pgp-signature, inline)]

Message #15 received at 506181@bugs.debian.org (full text, mbox, reply):

From: "Chanoch (Ken) Bloom" <kbloom@gmail.com>

To: 506181@bugs.debian.org

Subject: Various backends have the wrong permissions

Date: Tue, 18 Nov 2008 23:23:57 -0600

[Message part 1 (text/plain, inline)]

After spending some time learning what the
rootbackends-worldreadable.dpatch in expermental does, and learning what
the code behind it does, I understand the problem.

I neither add a USB or parallel printer nor print to one in cups
1.3.8-1lenny2. Apparently the reason for this is that the relevant
backends are apparently not running with permissions to access the
relevant devices.

crw-rw---- 1 root lp        6,  0 2008-11-18 08:10 /dev/lp0
crw-rw---- 1 root dialout   4, 64 2008-11-18 08:09 /dev/ttyS0
crw-rw---- 1 root dialout   4, 65 2008-11-18 08:09 /dev/ttyS1
crw-rw---- 1 root dialout   4, 66 2008-11-18 08:09 /dev/ttyS2
crw-rw---- 1 root dialout   4, 67 2008-11-18 08:09 /dev/ttyS3
crw-rw---- 1 root lp      180,  0 2008-11-18 08:09 /dev/usb/lp0

These permissions are set in /etc/udev/rules.d/91-permissions.rules

CUPS default permissions for running filters (including the backends) is
to run in group lpadmin.

If I change the group that filters run in (adding the line "Group lp"
in /etc/cups/cupsd.conf) then I can make the usb and parallel backends
work. (But I can't make usb and parallel work at the same time as serial
because they require different groups to run)

If I change the permissions on the parallel, usb, and serial backends
from 755 to 700, then cups will run them as root (this is the behavior
that rootbackends-worldreadable.dpatch was dealing with, but not really
fixing in this instance) and they will all work.

-- 
Ken (Chanoch) Bloom. PhD candidate. Linguistic Cognition Laboratory.
Department of Computer Science. Illinois Institute of Technology.
http://www.iit.edu/~kbloom1/

[signature.asc (application/pgp-signature, inline)]

Message #20 received at 506181@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>

To: "Chanoch (Ken) Bloom" <kbloom@gmail.com>, 506181@bugs.debian.org

Subject: Re: [Pkg-cups-devel] Bug#506181: Various backends have the wrong permissions

Date: Wed, 19 Nov 2008 12:50:47 +0100

[Message part 1 (text/plain, inline)]

Hello Chanoch,

Chanoch (Ken) Bloom [2008-11-18 23:23 -0600]:
> After spending some time learning what the
> rootbackends-worldreadable.dpatch in expermental does, and learning what
> the code behind it does, I understand the problem.

Please note that this patch has never been in unstable/testing, and I
don't plan to upload it there before Lenny's release.

The patch previously broke the backends which were supposed to run as
root, such as lpd and ipp, but it never broke usb. It is fully fixed
in experimental now.

So rootbackends-worldreadable.dpatch is entirely unrelated to your
problem, especially since you reported it against the unstable/lenny
version.

> crw-rw---- 1 root lp        6,  0 2008-11-18 08:10 /dev/lp0
> crw-rw---- 1 root dialout   4, 64 2008-11-18 08:09 /dev/ttyS0
> crw-rw---- 1 root dialout   4, 65 2008-11-18 08:09 /dev/ttyS1
> crw-rw---- 1 root dialout   4, 66 2008-11-18 08:09 /dev/ttyS2
> crw-rw---- 1 root dialout   4, 67 2008-11-18 08:09 /dev/ttyS3
> crw-rw---- 1 root lp      180,  0 2008-11-18 08:09 /dev/usb/lp0

That looks normal.

> CUPS default permissions for running filters (including the backends) is
> to run in group lpadmin.

No, it's "lp", not "lpadmin". Filters are always run as lp, backends
installed with permissions 0755 are run as lp, and backends with
permissions 0700 (or 0744 in experimental) are run as root.

> If I change the group that filters run in (adding the line "Group lp"
> in /etc/cups/cupsd.conf) then I can make the usb and parallel backends
> work. (But I can't make usb and parallel work at the same time as serial
> because they require different groups to run)

I do see the issue with the serial backends. For that we probably need
to make the serial backend run as root.

Did you previously have a different "Group" statement in cupsd.conf?
On a standard Debian system, the backends *are* run as lp, thus usb
and parallel printers work. Therefore I downgrade this to important,
since it does not affect all Debian users.

Let's do a test whether backend permissions are wedged up for you.
Please do this as root:

  echo -e '!/bin/sh\nid > /tmp/cups-backend.txt' > /usr/lib/cups/backend/test
  chmod 755 /usr/lib/cups/backend/test
  lpinfo -v

Then please give me the output of "cat /tmp/cups-backend.txt". It
should say user/group lp, but maybe it is "lpadmin" for you for some
reason. Also, what does "id lp" give for you?

Afterwards, please remove the test backend again:

  rm /usr/lib/cups/backend/test

Thanks,

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)

[signature.asc (application/pgp-signature, inline)]

Message #29 received at 506181@bugs.debian.org (full text, mbox, reply):

From: "Chanoch (Ken) Bloom" <kbloom@gmail.com>

To: Martin Pitt <mpitt@debian.org>

Cc: 506181@bugs.debian.org, control@bugs.debian.org

Subject: Re: [Pkg-cups-devel] Bug#506181: Various backends have the wrong permissions

Date: Wed, 19 Nov 2008 08:21:31 -0600

[Message part 1 (text/plain, inline)]

package cups
reassign 506181 kdeprint
retitle 506181 "Print Server -> Configure Server..." breaks permissions for CUPS backends.
thanks

On Wed, 2008-11-19 at 12:50 +0100, Martin Pitt wrote:
> Hello Chanoch,
> 
> Chanoch (Ken) Bloom [2008-11-18 23:23 -0600]:
> > After spending some time learning what the
> > rootbackends-worldreadable.dpatch in expermental does, and learning what
> > the code behind it does, I understand the problem.
> 
> Please note that this patch has never been in unstable/testing, and I
> don't plan to upload it there before Lenny's release.
> 
> The patch previously broke the backends which were supposed to run as
> root, such as lpd and ipp, but it never broke usb. It is fully fixed
> in experimental now.
> 
> So rootbackends-worldreadable.dpatch is entirely unrelated to your
> problem, especially since you reported it against the unstable/lenny
> version.

rootbackends-worldreadable.dpatch was a completely orthagonal issue that
seemed to touch the same piece of code.

> > crw-rw---- 1 root lp        6,  0 2008-11-18 08:10 /dev/lp0
> > crw-rw---- 1 root dialout   4, 64 2008-11-18 08:09 /dev/ttyS0
> > crw-rw---- 1 root dialout   4, 65 2008-11-18 08:09 /dev/ttyS1
> > crw-rw---- 1 root dialout   4, 66 2008-11-18 08:09 /dev/ttyS2
> > crw-rw---- 1 root dialout   4, 67 2008-11-18 08:09 /dev/ttyS3
> > crw-rw---- 1 root lp      180,  0 2008-11-18 08:09 /dev/usb/lp0
> 
> That looks normal.
> 
> > CUPS default permissions for running filters (including the backends) is
> > to run in group lpadmin.
> 
> No, it's "lp", not "lpadmin". Filters are always run as lp, backends
> installed with permissions 0755 are run as lp, and backends with
> permissions 0700 (or 0744 in experimental) are run as root.

I decided to test this by purging and reinstalling cups. Cups worked out
of the box. Then I went to reconfigure things the way I had been using
CUPS (1 printer, shared with the whole subnet) by editing things in the
KDE Printing control panel. After changing things with "Print Server ->
Configure Server...", KDE wrote out a whole different cupsd.conf, hardly
resembling the original. I can't figure out how that cupsd.conf is
assigning permissions. kdeprint added the line "Group lpadmin", but the
test backend gives uid=7(lp) gid=0(root) groups=0(root).

I guess this is a kdeprint bug rather than a cups bug, so I'm
reassigning it. The two versions of cupsd.conf are attached.


While I'm at it, since it's probably relevant, I'd like to complain to
the kdeprint people that when I choose "Print Server -> Configure
Server...", I get an warning before it opens the configuration box:

Some options were not recognized by this configuration tool. They will
be left untouched and you won't be able to change them.
defaultauthtype = Basic


require = user @OWNER @SYSTEM
order = deny,allow
= 

authtype = Default
require = user @SYSTEM
order = deny,allow
= 

authtype = Default
require = user @SYSTEM
order = deny,allow
= 

require = user @OWNER @SYSTEM
order = deny,allow
= 

order = deny,allow
= 
= 


> > If I change the group that filters run in (adding the line "Group lp"
> > in /etc/cups/cupsd.conf) then I can make the usb and parallel backends
> > work. (But I can't make usb and parallel work at the same time as serial
> > because they require different groups to run)
> 
> I do see the issue with the serial backends. For that we probably need
> to make the serial backend run as root.

Perhaps making the various backends SetGID (or SetUID) to the
permissions they need would help?

> Let's do a test whether backend permissions are wedged up for you.
> Please do this as root:
> 
>   echo -e '#!/bin/sh\nid > /tmp/cups-backend.txt' > /usr/lib/cups/backend/test
>   chmod 755 /usr/lib/cups/backend/test
>   lpinfo -v
> 
> Then please give me the output of "cat /tmp/cups-backend.txt". It
> should say user/group lp, but maybe it is "lpadmin" for you for some
> reason. Also, what does "id lp" give for you?

[bloom@cat-in-the-hat ~]$ id lp
uid=7(lp) gid=7(lp) groups=7(lp)


-- 
Ken (Chanoch) Bloom. PhD candidate. Linguistic Cognition Laboratory.
Department of Computer Science. Illinois Institute of Technology.
http://www.iit.edu/~kbloom1/

[cupsd.default.conf (text/plain, attachment)]

[cupsd.kprinter.conf (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #38 received at 506181@bugs.debian.org (full text, mbox, reply):

From: "Chanoch (Ken) Bloom" <kbloom@gmail.com>

To: 506181@bugs.debian.org

Subject: "Print Server -> Configure Server..." breaks permissions for CUPS backends.

Date: Wed, 19 Nov 2008 17:28:24 -0600

[Message part 1 (text/plain, inline)]

Hello, kdeprint team,

I have discovered that if one starts with a clean CUPS installation,
and uses the KDE printer control panel to configure the server (by
going to "Print Server -> Configure Server...") it outputs a vastly
different CUPS configuration file, that changes some key defaults --
in this case, the group for running the cups backends changes from lp
to lpadmin, breaking local parallel and usb printers.

Please look into this.

--Ken

-- 
Chanoch (Ken) Bloom. PhD candidate. Linguistic Cognition Laboratory.
Department of Computer Science. Illinois Institute of Technology.
http://www.iit.edu/~kbloom1/

[signature.asc (application/pgp-signature, inline)]

Message #45 received at 506181@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>

To: "Chanoch (Ken) Bloom" <kbloom@gmail.com>

Cc: 506181@bugs.debian.org

Subject: Re: [Pkg-cups-devel] Bug#506181: Various backends have the wrong permissions

Date: Thu, 20 Nov 2008 08:58:58 +0100

[Message part 1 (text/plain, inline)]

Hi Chanoch,

Chanoch (Ken) Bloom [2008-11-19  8:21 -0600]:
> I decided to test this by purging and reinstalling cups. Cups worked out
> of the box. Then I went to reconfigure things the way I had been using
> CUPS (1 printer, shared with the whole subnet) by editing things in the
> KDE Printing control panel. After changing things with "Print Server ->
> Configure Server...", KDE wrote out a whole different cupsd.conf, hardly
> resembling the original. I can't figure out how that cupsd.conf is
> assigning permissions. kdeprint added the line "Group lpadmin", but the
> test backend gives uid=7(lp) gid=0(root) groups=0(root).

Ah, Group "lpadmin" is wrong. It should be SystemGroup "lpadmin",
and it shouldn't change Group.

> I guess this is a kdeprint bug rather than a cups bug, so I'm
> reassigning it. The two versions of cupsd.conf are attached.

Right, thank you!

> > I do see the issue with the serial backends. For that we probably need
> > to make the serial backend run as root.
> 
> Perhaps making the various backends SetGID (or SetUID) to the
> permissions they need would help?

I fixed it in cups now (see attached patch), will upload to
experimental and unstable.

Thanks,

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)

[cups.serial-backend.diff (text/x-diff, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #52 received at 506181-close@bugs.debian.org (full text, mbox, reply):

From: Kai Wasserbäch <debian@carbon-project.org>

To: 506181-close@bugs.debian.org, 506181-submitter@bugs.debian.org

Subject: kdeprint/system-config-printer-kde: Fixed in KDE 4.2

Date: Wed, 27 May 2009 15:29:12 +0200

[Message part 1 (text/plain, inline)]

Version: 4:4.2.2-1

Dear Ken,
I've tried to reproduce your bug report with the latest KDE packages and was
unable to do so with the KDE 4.2 packages from testing/unstable. Therefore I'm
closing this bug from Version 4:4.2.2-1 on. Please note, that the package
containing the graphical configuration frontend is now named
system-config-printer-kde.

If this bug should still exist for you in version 4.2.2 of the configuration
application, please reopen this bug, assign it to
system-config-printer-kde/4:4.2.2-1 and consider filing an bug with upstream,
which you can reference by »forwarding« the Debian bug to the upstream bug report.

If you should need assistance in doing this, please feel free to ask me for help!

Kind regards,
Kai Wasserbäch



-- 

Kai Wasserbäch (Kai Wasserbaech)

E-Mail: debian@carbon-project.org
Jabber (debianforum.de): Drizzt
URL: http://wiki.debianforum.de/Drizzt_Do%27Urden
GnuPG: 0xE1DE59D2      0600 96CE F3C8 E733 E5B6 1587 A309 D76C E1DE 59D2
(http://pgpkeys.pca.dfn.de/pks/lookup?search=0xE1DE59D2&fingerprint=on&hash=on&op=vindex)

[signature.asc (application/pgp-signature, attachment)]

Send a report that this bug log contains spam.