
Bug 466338

Summary: net-print/cups-pk-helper doesn't honor lpadmin group
Product: Gentoo Linux
Reporter: poncho <poncho>
Component: Current packages
Assignee: Gentoo Linux Gnome Desktop Team <gnome>
Status: CONFIRMED
Severity: enhancement
CC: jstein, poncho
Priority: Normal
Keywords: Inclusion
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.gnome.org/show_bug.cgi?id=669679#c23
See Also: https://bugs.freedesktop.org/show_bug.cgi?id=46943
Attachments: polkit rule

Description poncho 2013-04-18 09:52:44 UTC
Created attachment 345872: polkit rule

system-config-printer and gnome-control-center require the root password to modify printer settings even though my user is in the lpadmin group.

Per default cups-pk-helper uses the polkit admin user to authenticate, which is set to ["unix-user:0"].

The attached polkit rule allows users in the lpadmin group to authenticate with their user password. If I understand it correctly, this mirrors cups SystemGroup behavior.

Upstream comment on permissions:
The policies we ship upstream are restrictive by default for this (to not surprise distributors), and it's up to distributions to choose the ones they want.

Portage 2.2.0_alpha173 (default/linux/amd64/13.0/desktop/gnome, gcc-4.7.2, glibc-2.15-r3, 3.8.7-gentoo x86_64)
net-print/cups-pk-helper-0.2.4 was built with the following:
USE="(multilib)"
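As an added example (not the reporter's attachment, which is not reproduced on this page), here is a polkit JavaScript rule of the kind described, letting lpadmin members authenticate with their own password instead of root's. It is wrapped in a small constructed stand-in for polkitd's `polkit` object so the decision logic can be run under Node; the `org.opensuse.cupspkhelper.mechanism.` action id prefix is assumed from cups-pk-helper's policy file, and only the `polkit.addRule` call belongs in the installed `.rules` file.

```javascript
// Constructed stand-in for the objects polkitd provides to rule files.
// Result values match polkitd's own string constants. Remove this when
// installing the rule; polkitd supplies the real `polkit` object.
const polkit = {
    Result: { NO: "no", YES: "yes", AUTH_SELF: "auth_self",
              AUTH_SELF_KEEP: "auth_self_keep", AUTH_ADMIN: "auth_admin",
              AUTH_ADMIN_KEEP: "auth_admin_keep", NOT_HANDLED: null },
    _rules: [],
    addRule(fn) { this._rules.push(fn); },
};

// --- The rule as it would live in /etc/polkit-1/rules.d/50-cups-lpadmin.rules ---
// Action id prefix assumed from cups-pk-helper's org.opensuse.cupspkhelper.mechanism.policy.
polkit.addRule(function (action, subject) {
    if (action.id.indexOf("org.opensuse.cupspkhelper.mechanism.") === 0 &&
        subject.isInGroup("lpadmin")) {
        // Prompt for the caller's own password and cache the grant,
        // instead of the .policy default of admin (root) authentication.
        return polkit.Result.AUTH_SELF_KEEP;
    }
    // Returning nothing lets later rules and the .policy default decide.
});

// Evaluate the registered rules the way polkitd does: the first rule that
// returns a non-undefined, non-null result decides; otherwise the
// implicit authorization from the .policy file applies ("default" here).
function decide(actionId, groups) {
    const action = { id: actionId };
    const subject = { isInGroup: (g) => groups.includes(g) };
    for (const rule of polkit._rules) {
        const r = rule(action, subject);
        if (r !== undefined && r !== null) return r;
    }
    return "default";
}
```

A user not in lpadmin, or any action outside the cups-pk-helper namespace, falls through to the shipped policy, so the rule widens access only for the group CUPS' own SystemGroup would trust.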
Comment 1 Pacho Ramos gentoo-dev 2013-04-18 19:20:32 UTC
Thanks for the report, but we will wait for other gnome team members' opinions to decide what we will do :/
Comment 2 Gilles Dartiguelongue (RETIRED) gentoo-dev 2014-02-18 23:09:07 UTC
Meh, it's been a while but yes, this is a good idea.
Comment 3 Pacho Ramos gentoo-dev 2014-02-19 06:26:53 UTC
Sorry but I am not familiar with it and I don't know how to apply that proposed rule :(
Comment 4 poncho 2016-03-29 14:18:01 UTC
There are more permission issues, even with the above polkit rule.

From https://bugzilla.gnome.org/show_bug.cgi?id=669679#c23:

So, the problem here is that gnome-control-center does not cancel jobs directly as the running user (thus the owner of the jobs) but as the "root" user, because it always relies on the cups-pk-helper service instead: https://git.gnome.org/browse/gnome-control-center/tree/panels/printers/pp-utils.c#n3969.

Now, when cups-pk-helper asks CUPS for the job-originating-user-name attribute, CUPS will know it's not the owner who requests it, but the root user. Thus, the only way CUPS will grant that other user access to the private attribute is, according to the value of JobPrivateAccess (default), that the "root" user belongs to CUPS's system administration group, set by the SystemGroup directive in /etc/cups/cups-files.conf.

And here comes the difference between Fedora and Debian/Ubuntu: while Fedora defines SystemGroup as "sys root", Debian/Ubuntu defines it as "lpadmin". Therefore, that does not work in Debian/Ubuntu because cups-pk-helper is a D-Bus service run by root, while in Fedora it will work as a charm.