cups-service-type uses PAM-enabled 'cups' by default which prevents authentication

  • Done
Details
4 participants
  • muradm
  • Maxim Cournoyer
  • Csepp
  • Ricardo Wurmus
Owner
unassigned
Submitted by
Maxim Cournoyer
Severity
normal
Maxim Cournoyer wrote on 1 May 2023 05:08
(name . bug-guix)(address . bug-guix@gnu.org)
87wn1s695u.fsf@gmail.com
Hi,

Today I encountered an issue where after re-installing a Guix System, I
couldn't add a new printer anymore. Any CUPS client (including the
trusty localhost:631 HTTP page) would loop on authenticating my user.

After consulting the logs and finding this kind of line:

pam_authenticate() returned 7 (Authentication failure)

I started looking at our PAM configuration for CUPS, but we currently
have none, which is probably the issue. Using 'cups-minimal' instead of
cups (which is built with linux-pam) solves the issue, as the 'cups'
value provided to the <cups-configuration> record.

We should probably make cups-minimal the default, or extend our
pam-service-type with the relevant PAM entries.

Thoughts/takers?

--
Thanks,
Maxim
Maxim Cournoyer wrote on 3 May 2023 14:46
(address . 63198-done@debbugs.gnu.org)
87o7n1zip5.fsf@gmail.com
Hi,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Hi,
>
> Today I encountered an issue where after re-installing a Guix System, I
> couldn't add a new printer anymore. Any CUPS client (including the
> trusty localhost:631 HTTP page) would loop on authenticating my user.
>
> After consulting the logs and finding this kind of line:
>
> pam_authenticate() returned 7 (Authentication failure)
>
> I started looking at our PAM configuration for CUPS, but we currently
> have none, which is probably the issue. Using 'cups-minimal' instead of
> cups (which is built with linux-pam) solves the issue, as the 'cups'
> value provided to the <cups-configuration> record.

Fixed using the above strategy in 6bc3e3f ("services: cups: Use
cups-minimal to avoid PAM authentication.")

--
Thanks,
Maxim
Closed
muradm wrote on 13 May 2023 15:43
cups-service-type uses PAM-enabled 'cups' by default which prevents authentication
(address . 63198@debbugs.gnu.org)
87jzxcjqcx.fsf@muradm.net
Could you please elaborate more on "loop on authenticating my user"
from above and "prevents users from authenticating" from commit
message? Does it mean that you could not authenticate as your user
at all, or does it relate to authentication at http://localhost:631
for managing printers?
muradm wrote on 13 May 2023 15:48
(address . 63198@debbugs.gnu.org)
87fs80jq07.fsf@muradm.net
This change broke cups for me like this:

I [13/May/2023:16:14:27 +0300] [Client 16] Started
"/gnu/store/9kdm8k84j2xqlax4zaarchw00cfs62zz-cups-server-bin/lib/cups/daemon/cups-deviced"
(pid=21409, file=14)
E [13/May/2023:16:14:27 +0300] [CGI] cups-brf must be called as
root
E [13/May/2023:16:14:27 +0300] [cups-deviced] PID 21419 (cups-brf)
stopped with status 1!
E [13/May/2023:16:14:27 +0300] [CGI] Unable to execute ippfind
utility: No such file or directory
E [13/May/2023:16:14:27 +0300] [cups-deviced] PID 21421
(driverless-fax) stopped with status 127!

cups-minimal does not include ippfind utility.

Normally, a user wishing to use cups should be in the lp group, isn't it?
Maybe that was your original issue?

muradm <mail@muradm.net> writes:

> [[PGP Signed Part:Undecided]]
>
> Could you please elaborate more on "loop on authenticating my
> user"
> from above and "prevents users from authenticating" from commit
> message? Does it mean that you could not authenticate as your
> user
> at all, or does it relate to authentication at
> http://localhost:631
> for managing printers?
>
> [[End of PGP Signed Part]]
muradm wrote on 13 May 2023 20:38
[PATCH] services: cups: Add cups PAM service.
0c6858607cfd59a8da92f0a0780d8b45dc4b3afd.1684003079.git.mail@muradm.net

Makes CUPS service to extend pam-root-service-type providing minimal
configuration to authenticate users. Since PAM authentication is
provided, cups package can be used as default.

* gnu/services/cups.scm (cups-configuration) [cups]: Use cups.
[allow-empty-password?]: PAM service configuration permitting empty passwords.
(opaque-cups-configuration): Likewise.
(cups-pam-service): cups PAM service.
(cups-service-type): Extend pam-root-service-type with cups-pam-service.
---
gnu/services/cups.scm | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/gnu/services/cups.scm b/gnu/services/cups.scm
index c6099d77e7..d95c38b4d9 100644
--- a/gnu/services/cups.scm
+++ b/gnu/services/cups.scm
@@ -5,6 +5,7 @@
;;; Copyright © 2019 Alex Griffin <a@ajgrf.com>
;;; Copyright © 2019 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
+;;; Copyright © 2023 muradm <mail@muradm.net>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -25,6 +26,7 @@ (define-module (gnu services cups)
#:use-module (gnu services)
#:use-module (gnu services shepherd)
#:use-module (gnu services configuration)
+ #:use-module (gnu system pam)
#:use-module (gnu system shadow)
#:use-module (gnu packages admin)
#:use-module (gnu packages cups)
@@ -500,8 +502,11 @@ (define (serialize-package-list field-name val)
(define-configuration cups-configuration
(cups
- (file-like cups-minimal)
+ (file-like cups)
"The CUPS package.")
+ (allow-empty-password?
+ (boolean #f)
+ "Specifies whether empty passwords will be allowed when authenticating via PAM.")
(extensions
(package-list (list brlaser cups-filters epson-inkjet-printer-escpr
foomatic-filters hplip-minimal splix))
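Review bot: the new allow-empty-password? field in cups-configuration has no matching manual entry; the diffstat lists only gnu/services/cups.scm, so both the field and the switch of the default package from cups-minimal back to cups go undocumented. The docstring could also state that the flag only controls whether accounts with an empty password may authenticate through the "cups" PAM service, and that the default #f leaves ordinary password authentication in place, since the field is easy to misread as a switch that turns authentication off.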
@@ -841,8 +846,11 @@ (define-configuration cups-configuration
(define-configuration opaque-cups-configuration
(cups
- (package cups-minimal)
+ (package cups)
"The CUPS package.")
+ (allow-empty-password?
+ (boolean #f)
+ "Specifies whether empty passwords will be allowed when authenticating via PAM.")
(extensions
(package-list '())
"Drivers and other extensions to the CUPS package.")
@@ -1006,6 +1014,14 @@ (define (cups-shepherd-service config)
"-f" "-c" #$cupsd.conf "-s" #$cups-files.conf)))
(stop #~(make-kill-destructor))))))
+(define (cups-pam-service config)
+ (let ((allow-empty-password?
+ (if (opaque-cups-configuration? config)
+ (opaque-cups-configuration-allow-empty-password? config)
+ (cups-configuration-allow-empty-password? config))))
+ (list (unix-pam-service "cups"
+ #:allow-empty-passwords? allow-empty-password?))))
+
(define cups-service-type
(service-type (name 'cups)
(extensions
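Review bot: cups-pam-service has no docstring, and the record field is spelled allow-empty-password? while the keyword it feeds is #:allow-empty-passwords?, which is easy to mistype when reading or extending this code. A one-line docstring saying that the procedure returns a unix-pam-service named "cups", plus a field name that matches the keyword, would make the intent clear. The if on opaque-cups-configuration? is needed only because the field is declared in both records; a small accessor shared by the two record types would keep that branch out of the service procedure.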
@@ -1013,6 +1029,8 @@ (define cups-service-type
cups-shepherd-service)
(service-extension activation-service-type
(const %cups-activation))
+ (service-extension pam-root-service-type
+ cups-pam-service)
(service-extension account-service-type
(const %cups-accounts))))
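Review bot: the pam-root-service-type extension is registered unconditionally, so the "cups" PAM service is generated even when the configuration selects cups-minimal, which per this report is the build without linux-pam. That is harmless, but a comment saying so would help the next reader. Since the change alters how administrative requests are authenticated, a system test that exercises an authenticated operation would guard against the regression that opened this bug; none is included in this patch.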

base-commit: ed1e7920393c9ae5b2ae31fc46bae88136239b13
--
2.40.1
Maxim Cournoyer wrote on 15 May 2023 17:12
Re: bug#63198: cups-service-type uses PAM-enabled 'cups' by default which prevents authentication
(name . muradm)(address . mail@muradm.net)(address . 63198@debbugs.gnu.org)
87fs7xvday.fsf@gmail.com
Hi,

muradm <mail@muradm.net> writes:

> Could you please elaborate more on "loop on authenticating my user"
> from above and "prevents users from authenticating" from commit
> message? Does it mean that you could not authenticate as your user
> at all, or does it relate to authentication at http://localhost:631
> for managing printers?

The latter (could not authenticate with CUPS for, say, adding a printer).

--
Thanks,
Maxim
Maxim Cournoyer wrote on 15 May 2023 17:13
(name . muradm)(address . mail@muradm.net)(address . 63198@debbugs.gnu.org)
87bkilvd9t.fsf@gmail.com
Hi,

muradm <mail@muradm.net> writes:

> This change broke cups for me like this:
>
> I [13/May/2023:16:14:27 +0300] [Client 16] Started
> "/gnu/store/9kdm8k84j2xqlax4zaarchw00cfs62zz-cups-server-bin/lib/cups/daemon/cups-deviced"
> (pid=21409, file=14)
> E [13/May/2023:16:14:27 +0300] [CGI] cups-brf must be called as
> root
> E [13/May/2023:16:14:27 +0300] [cups-deviced] PID 21419 (cups-brf)
> stopped with status 1!
> E [13/May/2023:16:14:27 +0300] [CGI] Unable to execute ippfind
> utility: No such file or directory
> E [13/May/2023:16:14:27 +0300] [cups-deviced] PID 21421
> (driverless-fax) stopped with status 127!
>
> cups-minimal does not include ippfind utility.
>
> Normally, user wishing to use cups, should be in lp group, isn't
> it?
> Maybe that was your original issue?

No, as I tested adding my user to the lpr group without success.

--
Thanks,
Maxim
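
Added example (not part of the thread and not Guix code): a small triage script for the two CUPS error_log signatures reported above, the PAM failure seen with the PAM-enabled build and the missing ippfind helper seen with cups-minimal. The sample log is constructed from the excerpts quoted in the messages; the timestamp and client number on the pam_authenticate line are made up, and the rule names and hints are assumptions.

```python
import re

# CUPS error_log record: "<level> [<dd/Mon/yyyy:hh:mm:ss zone>] <message>"
LINE_RE = re.compile(
    r"^([A-Za-z]) \[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] (.*)$")

# Rule names and hints are assumptions; the patterns come from the excerpts
# quoted in this thread.
RULES = [
    ("pam-auth-failure",
     re.compile(r"pam_authenticate\(\) returned (\d+) \((.+?)\)"),
     "PAM-enabled cupsd rejected the login: check for a 'cups' PAM service"),
    ("missing-helper",
     re.compile(r"Unable to execute (\S+) utility: No such file or directory"),
     "helper binary is absent from the installed CUPS package"),
    ("helper-exit",
     re.compile(r"PID \d+ \((\S+)\) stopped with status (\d+)!"),
     "backend or driver helper exited with a non-zero status"),
]

def unwrap(text):
    """Re-join records that a mail client wrapped onto continuation lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LINE_RE.match(line) or not records:
            records.append(line)          # a new timestamped record starts
        else:
            records[-1] += " " + line     # continuation of the previous one
    return records

def triage(text):
    """Return one finding per rule hit, in log order."""
    findings = []
    for record in unwrap(text):
        m = LINE_RE.match(record)
        if not m:
            continue
        level, stamp, message = m.groups()
        for name, pattern, hint in RULES:
            hit = pattern.search(message)
            if hit:
                findings.append({"time": stamp, "level": level, "rule": name,
                                 "detail": hit.groups(), "hint": hint})
    return findings

# Constructed sample: first line has a made-up timestamp and client number.
SAMPLE = """\
E [01/May/2023:05:00:00 +0000] [Client 3] pam_authenticate() returned 7 (Authentication failure)
I [13/May/2023:16:14:27 +0300] [Client 16] Started
"/gnu/store/9kdm8k84j2xqlax4zaarchw00cfs62zz-cups-server-bin/lib/cups/daemon/cups-deviced"
(pid=21409, file=14)
E [13/May/2023:16:14:27 +0300] [CGI] Unable to execute ippfind
utility: No such file or directory
E [13/May/2023:16:14:27 +0300] [cups-deviced] PID 21421
(driverless-fax) stopped with status 127!
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["time"], f["rule"], f["detail"], "->", f["hint"])
```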
Maxim Cournoyer wrote on 15 May 2023 17:24
(name . muradm)(address . mail@muradm.net)(address . 63198@debbugs.gnu.org)
877ct9vcrg.fsf_-_@gmail.com
Hi,

muradm <mail@muradm.net> writes:

>
> Makes CUPS service to extend pam-root-service-type providing minimal
> configuration to authenticate users. Since PAM authentication is
> provided, cups package can be used as default.
>
> * gnu/services/cups.scm (cups-configuration) [cups]: Use cups.

I'd write 'Replace cups-minimal with cups'.

> [allow-empty-password?]: PAM service configuration permitting empty passwords.

I'd write 'New field', but I think we'd want to add proper PAM support
here not a 'bypass PAM authentication' hack. It should also be enabled
out of the box, otherwise users won't be able to authenticate until they
figure out they need to set that switch to #t.

> (opaque-cups-configuration): Likewise.
> (cups-pam-service): cups PAM service.

Not descriptive :-) What is the change here?

Could you look into adding "regular" login PAM support instead of a
bypass disabled by default? The user should still be prompted for its
password, and it should go through the PAM auth module.

I'm not very PAM-aware, but I believe there are examples spread in the
code base.

--
Thanks,
Maxim
muradm wrote on 16 May 2023 07:17
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 63198@debbugs.gnu.org)
87edngon5j.fsf@muradm.net
Hello,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Hi,
>
> muradm <mail@muradm.net> writes:
>
>> Fixes <https://issues.guix.gnu.org/63198>.
>>
>> Makes CUPS service to extend pam-root-service-type providing
>> minimal
>> configuration to authenticate users. Since PAM authentication
>> is
>> provided, cups package can be used as default.
>>
>> * gnu/services/cups.scm (cups-configuration) [cups]: Use cups.
>
> I'd write 'Replace cups-minimal with cups'.
>

Sure you may change this.

>> [allow-empty-password?]: PAM service configuration permitting
>> empty passwords.
>
> I'd write 'New field', but I think we'd want to add proper PAM
> support
> here not a 'bypass PAM authentication' hack. It should also be
> enabled
> out of the box, otherwise users won't be able to authenticate
> until they
> figure out they need to set that switch to #t.
>

Whoever touches PAM configuration knows that by default PAM does not
allow users with empty passwords to authenticate. This flag allows such
users. Just grep guix for allow-empty-password?, you will see that it
is all over the place.

>> (opaque-cups-configuration): Likewise.
>> (cups-pam-service): cups PAM service.
>
> Not descriptive :-) What is the change here?
>

I used a similar strategy as in your commit 6bc3e3f9ba :-) You are free
to reword as you wish.

> Could you look into adding "regular" login PAM support instead
> of a
> bypass disabled by default? The user should still be prompted
> for its
> password, and it should go through the PAM auth module.
>
> I'm not very PAM-aware, but I believe there are examples spread
> in the
> code base.

This patch provides the necessary configuration for proper PAM support.
I decided to take screen-locker-service-type's configuration as a
basis, since it was the simplest and adequate enough for this case.
This patch does not disable, bypass or cheat PAM in any way.
The user may navigate to the CUPS portal. In the event of administrative
actions taken by the user, the CUPS portal asks the user to authenticate.
With this configuration, it will attempt to authenticate as a local
system user. In the event of a proper system user/password supplied
and positively authenticated against PAM using the "cups" service name,
the user is allowed to take the administrative action. In the event of an
invalid system user/password supplied, the CUPS portal will keep looping,
begging for the password (just as in your original case). If the user
decides to cancel the authentication dialog, the CUPS portal is navigated
to the Unauthorized access informing page.

Why would I submit something that is not working?
Ricardo Wurmus wrote on 24 May 2023 00:14
cups-service-type uses PAM-enabled 'cups' by default which prevents authentication
87v8giitdp.fsf@elephly.net
I’ll second muradm: these changes broke my printing setup:

* my printer is no longer found because cups-minimal has minimal
features and does not include dnssd
* I cannot add a new printer with ipp://192.168.x.x manually because of
authentication problems. The logs tell me that cups-brf needs to run
as root.

As a bonus problem I cannot restart Cups with the “cups” package because
it cannot be killed. I disabled the “cups” service and stopped it, but
cups still runs; killing it is of no use because it’s respawned
immediately. Shepherd says it didn’t do it. I also tried deleting the
cups socket file, but that also didn’t help.

--
Ricardo
Maxim Cournoyer wrote on 24 May 2023 02:46
(name . muradm)(address . mail@muradm.net)
87353mimir.fsf@gmail.com
Hi muradm,

muradm <mail@muradm.net> writes:

[...]

>> Could you look into adding "regular" login PAM support instead of a
>> bypass disabled by default? The user should still be prompted for
>> its
>> password, and it should go through the PAM auth module.
>>
>> I'm not very PAM-aware, but I believe there are examples spread in
>> the
>> code base.
>
> This patch provides necessary configuration for proper PAM support.
> I decided to take screen-locker-service-type's configuration as
> basis, since it was the simplest and adequate enough for this
> case.
> This patch does not disable, bypass or cheat PAM in any way.
> User may navigate to CUPS portal. In the event of administrative
> actions taken by user, CUPS portal asks user to authenticate.
> With this configuration, it will attempt to authenticate as local
> system user. In the event of proper system user/password supplied
> and positively authenticated against PAM using "cups" service name,
> user allowed to take administrative action. In the event of invalid
> system user/password supplied, CUPS portal will keep looping
> begging for password (just as in your original case). If user decides
> to Cancel the authentication dialog, CUPS portal is navigated to
> Unauthorized access informing page.
>
> Why would I submit something that is not working?

I didn't mean to imply that it didn't work; I just thought that it was
somehow bypassing PAM (and the original problem it caused in the first
place). As I wrote earlier, I know next to nothing about PAM, and
misread your patch.

I've now installed the change. Thanks for the fix, and thanks to
Ricardo for the reminder.

--
Maxim
Closed
End-to-end tests Was: bug#63198: cups-service-type uses PAM-enabled 'cups' by default which prevents authentication
(name . Ricardo Wurmus)(address . rekado@elephly.net)
87wn0youe0.fsf@riseup.net
Ricardo Wurmus <rekado@elephly.net> writes:

> I’ll second muradm: these changes broke my printing setup:
>
> * my printer is no longer found because cups-minimal has minimal
> features and does not include dnssd
> * I cannot add a new printer with ipp://192.168.x.x manually because of
> authentication problems. The logs tell me that cups-brf needs to run
> as root.
>
> As a bonus problem I cannot restart Cups with the “cups” package because
> it cannot be killed. I disabled the “cups” service and stopped it, but
> cups still runs; killing it is of no use because it’s respawned
> immediately. Shepherd says it didn’t do it. I also tried deleting the
> cups socket file, but that also didn’t help.

It might be a good idea to have more end-to-end tests in Guix that would
check if common operations like "finding a printer" work. It's quite a
bit of up-front effort, but it's better than relying on manual testing
and could make things smoother in the long run.
SUSE has a cool testing framework based on screen captures, maybe it
could be adapted to Guix?
muradm wrote on 24 May 2023 13:28
(name . Csepp)(address . raingloom@riseup.net)
87edn67yfo.fsf@muradm.net
Csepp <raingloom@riseup.net> writes:

> Ricardo Wurmus <rekado@elephly.net> writes:
>
> It might be a good idea to have more end-to-end tests in Guix
> that would
> check if common operations like "finding a printer" work. It's
> quite a
> bit of up-front effort, but it's better than relying on manual
> testing
> and could make things smoother in the long run.
> SUSE has a cool testing framework based on screen captures,
> maybe it
> could be adapted to Guix?

There is already test framework within Guix. You may find
information at:

In short, there are unit tests and system tests which can be found at
gnu/tests/*.scm for inspiration. It is just a matter of time/resource
availability to write tests.

For cups specifically, you may not need screen capture processing or
similar. It should be enough to use CLI tools available out of the box.

muradm
muradm wrote on 24 May 2023 13:37
Re: bug#63198: cups-service-type uses PAM-enabled 'cups' by default which prevents authentication
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
87a5xu7ydt.fsf@muradm.net
Hi Maxim,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Hi muradm,
>
> muradm <mail@muradm.net> writes:
>
> [...]
>
>>> Could you look into adding "regular" login PAM support instead
>>> of a
>>> bypass disabled by default? The user should still be prompted
>>> for
>>> its
>>> password, and it should go through the PAM auth module.
>>>
>>> I'm not very PAM-aware, but I believe there are examples
>>> spread in
>>> the
>>> code base.
>>
>> This patch provides necessary configuration for proper PAM
>> support.
>> I decided to take screen-locker-service-type's configuration as
>> basis, since it was the simplest and adequate enough for
>> this
>> case.
>> This patch does not disable, bypass or cheat PAM in any
>> way.
>> User may navigate to CUPS portal. In the event of
>> administrative
>> actions taken by user, CUPS portal asks user to authenticate.
>> With this configuration, it will attempt to authenticate as
>> local
>> system user. In the event of proper system user/password
>> supplied
>> and positively authenticated against PAM using "cups" service
>> name,
>> user allowed to take administrative action. In the event of
>> invalid
>> system user/password supplied, CUPS portal will keep looping
>> begging for password (just as in your original case). If user
>> decides
>> to Cancel the authentication dialog, CUPS portal is navigated
>> to
>> Unauthorized access informing page.
>>
>> Why would I submit something that is not working?
>
> I didn't mean to imply that it didn't work; I just thought that
> it was
> somehow bypassing PAM (and the original problem it caused in the
> first
> place). As I wrote earlier, I know next to nothing about PAM,
> and
> misread your patch.
>
> I've now installed the change. Thanks for the fix, and thanks
> to
> Ricardo for the reminder.

Cool, thanks!

Closed