Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?

2016-12-01 Thread Brian Potkin
On Fri 25 Nov 2016 at 13:10:20 +0100, Didier 'OdyX' Raboud wrote:

> Digging history, the 1.0.2-1 changelog entry (from 17 years ago) has:
> > Created "lpadmin" group and set SystemGroup to this.  This will
> > fix problems with CUPS not being usable initially.  As soon as
> > bug #50620 gets fixed, I'll set up to add root to the group, which
> > will make root able to configure CUPS immediately after installation.
> 
> This never happened, apparently. We can either do that (put 'root' in the 
> 'lpadmin' group on upgrade), or add the 'root' group as SystemGroup.

It did happen but some of the record is missing on snapshot, so it
doesn't look possible to pin down exactly when the change was made.
But cupsys_1.1.14-5woody14 adds root to the lpadmin group. Later on
we have

 cupsys (1.1.19final-2) unstable; urgency=low

 * lpadmin group included root user, but I didn't understand why it needs.
   This may cause security problem, so I remove this process and 
   remove root from lpadmin group. (closes: Bug#214746)

-- 
Brian.



Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?

2016-11-29 Thread Narcis Garcia

On 29/11/16 at 19:16, Brian Potkin wrote:
> On Tue 29 Nov 2016 at 08:17:32 +0100, Narcis Garcia wrote:
> 
>> Does "gnome-control-center printers" perform calls as root without
>> requiring "unlock" to user?
> 
> g-c-c printers can do nothing in its default state without the user
> having the root password (or using sudo, I suppose) to unlock the
> dialogue.
> 

As far as I know, using "gnome-control-center printers" there is no need
to unlock any dialog when, at "Active jobs" window, user selects one job
and presses the [stop] square symbol.



Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?

2016-11-29 Thread Till Kamppeter

On 11/29/2016 04:25 PM, Brian Potkin wrote:

> Or use the CUPS API for cancelling jobs. s-c-p probably does it because
> there is no problem with this when it uses c-p-h.



This would mean that the bug report has to be moved from CUPS to GNOME 
as the package having to get fixed?


   Till



Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?

2016-11-29 Thread Brian Potkin
On Tue 29 Nov 2016 at 08:17:32 +0100, Didier 'OdyX' Raboud wrote:

> On Monday, 28 November 2016, 17.07:14 h CET Till Kamppeter wrote:
> > On 11/28/2016 03:29 PM, Brian Potkin wrote:
> > > I added root to SystemGroup in cups-files and restarted cups. A queue
> > > was paused with cupsdisable. From g-c-c it was possible to cancel the
> > > job without unlocking the printing dialog. After unlocking I was able to
> > > add/delete printers, start/stop a printer, set a default printer and
> > > apparently change queue options.
> > > 
> > > Sabotage of fine-grained privileges by cups might not go down well. :)
> > 
> > Then I would suggest to actually add root to SystemGroup.
> 
> What I understand from Brian's argument is as follows: adding 'root' to 
> SystemGroup allows any user to administer CUPS through cups-pk-helper as if 
> she were member of 'lpadmin' without a password prompt.

I was also thinking the present OOTB behaviour would be broken and could
lead to cups having a critical (makes unrelated software on the system
break) bug filed against it. Is that too fanciful?

> In other words, letting cups-pk-helper run as 'root' (but accept commands
> from any allowed users) leads to a user-to-lpadmin privilege escalation. At
> least, it defers access control away from CUPS to cups-pk-helper.
> 
> If cups-pk-helper runs as root, could it not drop privileges, and run the
> CUPS commands as the originating user?

Or use the CUPS API for cancelling jobs. s-c-p probably does it because
there is no problem with this when it uses c-p-h.

-- 
Brian.



Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?

2016-11-29 Thread Brian Potkin
On Tue 29 Nov 2016 at 08:17:32 +0100, Narcis Garcia wrote:

> Does "gnome-control-center printers" perform calls as root without
> requiring "unlock" to user?

g-c-c printers can do nothing in its default state without the user
having the root password (or using sudo, I suppose) to unlock the
dialogue.

-- 
Brian.



Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?

2016-11-28 Thread Narcis Garcia
Does "gnome-control-center printers" perform calls as root without
requiring "unlock" to user?



__
I'm using this express-made address because personal addresses aren't
masked enough at lists.debian.org archives.
On 28/11/16 at 21:49, Brian Potkin wrote:
> On Mon 28 Nov 2016 at 21:40:55 +0100, Narcis Garcia wrote:
> 
>> How is this related to non-root users capability to cancel jobs through
>> "gnome-control-center printers" ?
> 
> Intimately.
> 



Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?

2016-11-28 Thread Didier 'OdyX' Raboud
On Monday, 28 November 2016, 17.07:14 h CET Till Kamppeter wrote:
> On 11/28/2016 03:29 PM, Brian Potkin wrote:
> > I added root to SystemGroup in cups-files and restarted cups. A queue
> > was paused with cupsdisable. From g-c-c it was possible to cancel the
> > job without unlocking the printing dialog. After unlocking I was able to
> > add/delete printers, start/stop a printer, set a default printer and
> > apparently change queue options.
> > 
> > Sabotage of fine-grained privileges by cups might not go down well. :)
> 
> Then I would suggest to actually add root to SystemGroup.

What I understand from Brian's argument is as follows: adding 'root' to 
SystemGroup allows any user to administer CUPS through cups-pk-helper as if 
she were member of 'lpadmin' without a password prompt.

In other words, letting cups-pk-helper run as 'root' (but accept commands from 
any allowed users) leads to a user-to-lpadmin privilege escalation. At least, 
it defers access control away from CUPS to cups-pk-helper.

If cups-pk-helper runs as root, could it not drop privileges, and run the CUPS 
commands as the originating user?

-- 
Cheers,
OdyX
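
An added example, not part of the original thread: a small audit for the two configurations the messages above weigh up, 'root' named directly as a SystemGroup and 'root' made a member of a SystemGroup such as 'lpadmin'. The function names and the sample files are hypothetical and constructed for illustration, and the script assumes every SystemGroup line contributes groups.

```shell
#!/bin/sh
# Added example (not from the thread): flag the two configurations discussed.

# Print every group named on a SystemGroup line of cups-files.conf ($1).
# Assumption: every SystemGroup line contributes groups.
system_groups() {
    awk 'tolower($1) == "systemgroup" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Succeed if the group file ($2) lists root as a member of group $1.
group_has_root() {
    awk -F: -v g="$1" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == "root") found = 1 }
        END { exit !found }' "$2"
}

# audit_cups_root CONF GROUPFILE: print findings, return 1 if there are any.
audit_cups_root() {
    conf=$1 grpfile=$2 rc=0
    for g in $(system_groups "$conf"); do
        if [ "$g" = root ]; then
            echo "SystemGroup names 'root': root-run helpers act as CUPS admin"
            rc=1
        elif group_has_root "$g" "$grpfile"; then
            echo "root is a member of SystemGroup '$g'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input (hypothetical files, not taken from a real host).
demo=$(mktemp -d)
printf 'SystemGroup lpadmin\n' > "$demo/default.conf"
printf '# edited\nSystemGroup lpadmin root\n' > "$demo/changed.conf"
printf 'root:x:0:\nlpadmin:x:113:alice\n' > "$demo/group"
audit_cups_root "$demo/default.conf" "$demo/group" && echo "default.conf: clean"
audit_cups_root "$demo/changed.conf" "$demo/group" || echo "changed.conf: flagged"
rm -rf "$demo"
```

On a Debian host the arguments would be /etc/cups/cups-files.conf and /etc/group.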



Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?

2016-11-28 Thread Brian Potkin
On Mon 28 Nov 2016 at 21:40:55 +0100, Narcis Garcia wrote:

> How is this related to non-root users capability to cancel jobs through
> "gnome-control-center printers" ?

Intimately.

-- 
Brian.



Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?

2016-11-28 Thread Narcis Garcia
How is this related to non-root users capability to cancel jobs through
"gnome-control-center printers" ?




__
I'm using this express-made address because personal addresses aren't
masked enough at lists.debian.org archives.
On 28/11/16 at 18:29, Brian Potkin wrote:
> On Fri 25 Nov 2016 at 15:48:31 +, Brian Potkin wrote:
> 
>> On Fri 25 Nov 2016 at 13:35:26 +0100, Narcis Garcia wrote:
>>
>>> In my opinion, desktop printers tools should trigger actions as same
>>> desktop user account.
>>> lpadmin group ever should be allowed on all related features.
>>
>> If root is added to SystemGroup what happens to the "fine-grained
>> privileges" aspect of cups-pk-helper? Does it have any effect?
> 
> To continue this train of thought and hopefully add something of
> substance
> 
> I added root to SystemGroup in cups-files and restarted cups. A queue
> was paused with cupsdisable. From g-c-c it was possible to cancel the
> job without unlocking the printing dialog. After unlocking I was able to
> add/delete printers, start/stop a printer, set a default printer and
> apparently change queue options.
> 
> Sabotage of fine-grained privileges by cups might not go down well. :)
> 



Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?

2016-11-28 Thread Till Kamppeter

On 11/28/2016 03:29 PM, Brian Potkin wrote:

> To continue this train of thought and hopefully add something of
> substance
> 
> I added root to SystemGroup in cups-files and restarted cups. A queue
> was paused with cupsdisable. From g-c-c it was possible to cancel the
> job without unlocking the printing dialog. After unlocking I was able to
> add/delete printers, start/stop a printer, set a default printer and
> apparently change queue options.
> 
> Sabotage of fine-grained privileges by cups might not go down well. :)



Then I would suggest to actually add root to SystemGroup.

Or are there any objections?

   Till



Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?

2016-11-28 Thread Brian Potkin
On Fri 25 Nov 2016 at 15:48:31 +, Brian Potkin wrote:

> On Fri 25 Nov 2016 at 13:35:26 +0100, Narcis Garcia wrote:
> 
> > In my opinion, desktop printers tools should trigger actions as same
> > desktop user account.
> > lpadmin group ever should be allowed on all related features.
> 
> If root is added to SystemGroup what happens to the "fine-grained
> privileges" aspect of cups-pk-helper? Does it have any effect?

To continue this train of thought and hopefully add something of
substance

I added root to SystemGroup in cups-files and restarted cups. A queue
was paused with cupsdisable. From g-c-c it was possible to cancel the
job without unlocking the printing dialog. After unlocking I was able to
add/delete printers, start/stop a printer, set a default printer and
apparently change queue options.

Sabotage of fine-grained privileges by cups might not go down well. :)

-- 
Brian.



Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?

2016-11-26 Thread Brian Potkin
On Fri 25 Nov 2016 at 13:10:20 +0100, Didier 'OdyX' Raboud wrote:

> Hi there Till,
> 
> On Thursday, 24 November 2016, 16.33:40 h CET Till Kamppeter wrote:
> > there is a long-standing bug report in Ubuntu (…) about that one cannot stop
> > or delete print jobs from the "Printers" section of GNOME Control Center.
> > 
> > The trivial-looking fix is to add root to the system groups (see comment
> > #17), via a ./configure option (from patch of comment #24):
> > (…)
> > Is there any reason not having root in system-groups? Does Debian solve
> > this problem another way?
> 
> As you can see in https://bugs.gentoo.org/show_bug.cgi?id=466338 , upstream 
> points to the fact that as cups-pk-helper runs as root (really !?), it
> "talks to CUPS" as root, and not as the user doing the requests.
> 
> https://bugs.debian.org/698504 has a partial fix for that, but it only fixes 
> "user in lpadmin can now talk to cups-pk-helper". I suspect Debian users have 
> just grown to routinely put their users in the 'lpadmin' group.

#698504 is about system-config-printer and the fix with a .pkla file
works with it. system-config-printer is a good citizen regarding cups.
It has cups-pk-helper as a Recommends:; removing that package causes
system-config-printer to rely on a user being in the lpadmin group.
cups-pk-helper is also a Recommends: of g-c-c but removing it
makes any attempted administration of printers futile. Effectively it
is a Depends:.

> Digging history, the 1.0.2-1 changelog entry (from 17 years ago) has:
> > Created "lpadmin" group and set SystemGroup to this.  This will
> > fix problems with CUPS not being usable initially.  As soon as
> > bug #50620 gets fixed, I'll set up to add root to the group, which
> > will make root able to configure CUPS immediately after installation.
> 
> This never happened, apparently. We can either do that (put 'root' in the 
> 'lpadmin' group on upgrade), or add the 'root' group as SystemGroup.
> 
> I don't spot immediate flaws or possible regressions created by adding the 
> 'root' group as SystemGroup, and kinda-like the original plan (keeping 
> 'lpadmin' the only group allowed to administer CUPS).
> 
> Opinions ?

None of the above may have any bearing on the resolution of this issue
or the direction g-c-c takes with printing, but writing it made me feel
better. :)

-- 
Brian.



Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?

2016-11-25 Thread Brian Potkin
On Fri 25 Nov 2016 at 13:35:26 +0100, Narcis Garcia wrote:

> In my opinion, desktop printers tools should trigger actions as same
> desktop user account.
> lpadmin group ever should be allowed on all related features.

If root is added to SystemGroup what happens to the "fine-grained
privileges" aspect of cups-pk-helper? Does it have any effect?

-- 
Brian.



Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?

2016-11-25 Thread Narcis Garcia
In my opinion, desktop printers tools should trigger actions as same
desktop user account.
lpadmin group ever should be allowed on all related features.



__
I'm using this express-made address because personal addresses aren't
masked enough at lists.debian.org archives.
On 25/11/16 at 13:10, Didier 'OdyX' Raboud wrote:
> Hi there Till,
> 
> On Thursday, 24 November 2016, 16.33:40 h CET Till Kamppeter wrote:
>> there is a long-standing bug report in Ubuntu (…) about that one cannot stop
>> or delete print jobs from the "Printers" section of GNOME Control Center.
>>
>> The trivial-looking fix is to add root to the system groups (see comment
>> #17), via a ./configure option (from patch of comment #24):
>> (…)
>> Is there any reason not having root in system-groups? Does Debian solve
>> this problem another way?
> 
> As you can see in https://bugs.gentoo.org/show_bug.cgi?id=466338 , upstream 
> points to the fact that as cups-pk-helper runs as root (really !?), it
> "talks to CUPS" as root, and not as the user doing the requests.
> 
> https://bugs.debian.org/698504 has a partial fix for that, but it only fixes 
> "user in lpadmin can now talk to cups-pk-helper". I suspect Debian users have 
> just grown to routinely put their users in the 'lpadmin' group.
> 
> Digging history, the 1.0.2-1 changelog entry (from 17 years ago) has:
>> Created "lpadmin" group and set SystemGroup to this.  This will
>> fix problems with CUPS not being usable initially.  As soon as
>> bug #50620 gets fixed, I'll set up to add root to the group, which
>> will make root able to configure CUPS immediately after installation.
> 
> This never happened, apparently. We can either do that (put 'root' in the 
> 'lpadmin' group on upgrade), or add the 'root' group as SystemGroup.
> 
> I don't spot immediate flaws or possible regressions created by adding the 
> 'root' group as SystemGroup, and kinda-like the original plan (keeping 
> 'lpadmin' the only group allowed to administer CUPS).
> 
> Opinions ?
> 



Re: CUPS: Add root to system-groups to make GNOME's print functionality work correctly?

2016-11-25 Thread Didier 'OdyX' Raboud
Hi there Till,

On Thursday, 24 November 2016, 16.33:40 h CET Till Kamppeter wrote:
> there is a long-standing bug report in Ubuntu (…) about that one cannot stop
> or delete print jobs from the "Printers" section of GNOME Control Center.
> 
> The trivial-looking fix is to add root to the system groups (see comment
> #17), via a ./configure option (from patch of comment #24):
> (…)
> Is there any reason not having root in system-groups? Does Debian solve
> this problem another way?

As you can see in https://bugs.gentoo.org/show_bug.cgi?id=466338 , upstream 
points to the fact that as cups-pk-helper runs as root (really  !?), it "talks 
to CUPS" as root, and not as the user doing the requests.

https://bugs.debian.org/698504 has a partial fix for that, but it only fixes 
"user in lpadmin can now talk to cups-pk-helper". I suspect Debian users have 
just grown to routinely put their users in the 'lpadmin' group.

Digging history, the 1.0.2-1 changelog entry (from 17 years ago) has:
> Created "lpadmin" group and set SystemGroup to this.  This will
> fix problems with CUPS not being usable initially.  As soon as
> bug #50620 gets fixed, I'll set up to add root to the group, which
> will make root able to configure CUPS immediately after installation.

This never happened, apparently. We can either do that (put 'root' in the 
'lpadmin' group on upgrade), or add the 'root' group as SystemGroup.

I don't spot immediate flaws or possible regressions created by adding the 
'root' group as SystemGroup, and kinda-like the original plan (keeping 
'lpadmin' the only group allowed to administer CUPS).

Opinions ?

-- 
Cheers,
OdyX