Public bug reported:

[Summary]
My domain user can not access the local CUPS web interface due to apparmor 
denials.

Adding the following two lines to /etc/apparmor.d/local/usr.sbin.cupsd
fixes it:

/var/lib/sss/pipes/private/pam rw,
unix (bind) type=dgram addr=@userdb-*,

[Details]
I have a (relatively) clean install of Ubuntu 20.04 (no upgrade), which is 
joined to a Windows AD-domain via sssd, but currently used off site with cached 
credentials.

When I try to log in with my domain user (who is in the lpadmin group) at the 
local cups web interface (localhost:631 ...> Add Printer) with the default 
apparmor config for cupsd I get a:
AVC apparmor="DENIED" operation="connect" profile="/usr/sbin/cupsd" name="/var/lib/sss/pipes/private/pam" pid=189759 comm="cupsd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

This already existed in Bionic and my workaround was to add 
'/var/lib/sss/pipes/private/pam rw,' to /etc/apparmor.d/local/usr.sbin.cupsd 
and reload the profile:
# echo '/var/lib/sss/pipes/private/pam rw,' > /etc/apparmor.d/local/usr.sbin.cupsd
# apparmor_parser -r -W -T /etc/apparmor.d/usr.sbin.cupsd

This worked in Bionic, but leads to a crash of cupsd in Focal when I try to log 
in as domain user with the following log message nearby:
AVC apparmor="DENIED" operation="bind" profile="/usr/sbin/cupsd" pid=189759 comm="cupsd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-7625b1ef65396344ef05f0a8aeda870e"

This looks very similar to 
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858 , so I applied 
the same fix and added 'unix (bind) type=dgram addr=@userdb-*,' to 
/etc/apparmor.d/local/usr.sbin.cupsd:
# echo 'unix (bind) type=dgram addr=@userdb-*,' >> /etc/apparmor.d/local/usr.sbin.cupsd
# apparmor_parser -r -W -T /etc/apparmor.d/usr.sbin.cupsd

Which fixed my problem.

I am not an expert on apparmor, so I have no idea if the first line
gives too broad permissions.

I think that there are two unrelated issues: 
1) Cupsd cannot access sssd at all. This already existed in Bionic (but I 
failed to report the issue -- sorry for that).
2) Once the login succeeds, cups tries to resolve a uid/gid as it isn't known 
locally. To resolve it, it needs to bind a unix socket. See: 
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1890858/comments/37

I will attach a full log with added comments on what I did.

[Infos]
1) lsb_release -rd
Description:    Ubuntu 20.04.2 LTS
Release:        20.04

2) apt-cache policy cups-daemon
cups-daemon:
  Installiert:           2.3.1-9ubuntu1.1
  Installationskandidat: 2.3.1-9ubuntu1.1
  Versionstabelle:
 *** 2.3.1-9ubuntu1.1 500
        500 http://ftp.uni-hannover.de/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.3.1-9ubuntu1 500
        500 http://ftp.uni-hannover.de/ubuntu focal/main amd64 Packages

3) What you expected to happen:
Be able to log in at the local cups web interface with my domain user, which is 
in the lpadmin group

4) What happened instead:
Access was denied (asked again for my credentials)

** Affects: cups (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: apparmor sssd

** Attachment added: "Syslog of denial, crash and successful login with added comments"
   https://bugs.launchpad.net/bugs/1932537/+attachment/5505509/+files/journalctl-cleaned-with-comments.log

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1932537

Title:
  CUPS + SSSD: cannot access local CUPS web interface with domain user
  (apparmor problem)

Status in cups package in Ubuntu:
  New
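
How the two denial records quoted in the report correspond to the two local profile lines, as an added example (not part of the original report and not code from CUPS or AppArmor). The function names are hypothetical, the sample input is the report's two log lines unwrapped, and globbing the 32-hex-digit socket suffix is an assumption modelled on the rule the report uses; the output is a list of candidate rules to review before adding them to /etc/apparmor.d/local/usr.sbin.cupsd.

```python
import re

# Constructed sample: the two denial lines quoted in the report, unwrapped.
SAMPLE_LOG = [
    'AVC apparmor="DENIED" operation="connect" profile="/usr/sbin/cupsd" '
    'name="/var/lib/sss/pipes/private/pam" pid=189759 comm="cupsd" '
    'requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0',
    'AVC apparmor="DENIED" operation="bind" profile="/usr/sbin/cupsd" pid=189759 '
    'comm="cupsd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" '
    'denied_mask="bind" addr="@userdb-7625b1ef65396344ef05f0a8aeda870e"',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
FILE_PERMS = "rwaklm"  # file permission letters handled here, in rule order


def parse_avc(line):
    """Split one AppArmor audit line into a dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def suggest_rule(fields):
    """Return a candidate profile rule for one denial, or None for manual review."""
    mask = fields.get("denied_mask", "")
    if fields.get("apparmor") != "DENIED" or not mask:
        return None
    if fields.get("family") == "unix" and {"addr", "sock_type"} <= fields.keys():
        # Assumption: a trailing 32-hex-digit suffix changes per process, so it
        # is globbed, as in the rule the report uses.
        addr = re.sub(r"-[0-9a-f]{32}$", "-*", fields["addr"])
        return f'unix ({mask}) type={fields["sock_type"]} addr={addr},'
    if "name" in fields and set(mask) <= set(FILE_PERMS):
        perms = "".join(p for p in FILE_PERMS if p in mask)  # "wr" -> "rw"
        return f'{fields["name"]} {perms},'
    return None  # anything else is left for a human to look at


def rules_for(profile, lines):
    """Collect de-duplicated candidate rules for one profile, in log order."""
    rules = []
    for fields in map(parse_avc, lines):
        rule = suggest_rule(fields) if fields.get("profile") == profile else None
        if rule and rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    print("\n".join(rules_for("/usr/sbin/cupsd", SAMPLE_LOG)))
```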

