FS#40937 - [cups] cups-files.conf - Group and SystemGroup directives collision causes printing to fail silently
Attached to Project:
Arch Linux
Opened by James (thx1138) - Sunday, 22 June 2014, 22:11 GMT
Last edited by Andreas Radke (AndyRTR) - Monday, 16 February 2015, 16:03 GMT
Opened by James (thx1138) - Sunday, 22 June 2014, 22:11 GMT
Last edited by Andreas Radke (AndyRTR) - Monday, 16 February 2015, 16:03 GMT
|
Details
As of: cups 1.7.3-3
Reference, from around 2012 January - https://bugs.archlinux.org/task/26030 Rephrasing - In the file "/etc/cups/cups-files.conf", if a named group in the "Group" directive is also a named group in the "SystemGroup" directive, then cupsd will run as group "nobody" instead of the group named in the "Group" directive, supposedly for security reasons. I cannot say where this is otherwise documented. The printer devices in "/dev/", such as "/dev/parport0", are created with user "root" and group "lp". When cupsd runs as group "nobody", then cupsd will not have permission to access the printer devices, with EPERM on a 0660 root:lp dev node, AND ALL PRINTING WILL FAIL, WITH "USELESS" STATUS MESSAGES! The Arch cups package does not install an "/etc/cups/cups-files.conf" with "colliding" Group and SystemGroup directive group names, but it also does not install any "lpadmin" group in "/etc/groups". The cups source package file "config-scripts/cups-defaults.m4" seems to check for the group names from 'GROUP_LIST="lpadmin sys system root"', including, or not including, the "lpadmin" group in the generated template file at "conf/cups-files.conf", depending whether the "lpadmin" group already exists in "/etc/group". The existence of this "lpadmin" group, though, is just a convenience for assigning authority to users, and is of no consequence otherwise. The problem is, when re-installing the cups package, an existing file "/etc/cups/cups-files.conf" does not get over-written, nor is there any ".pacnew" file created. So, if there is an existing "cups-files.conf" file with "colliding" groups, printing is going to fail silently, and re-installing cups is not going to fix the problem. But then, how could this "/etc/cups/cups-files.conf" ever become corrupt in the first place? Unfortunately, because this "broken" configuration is recommended at https://wiki.archlinux.org/index.php/CUPS, which has: Change: SystemGroup sys root to: SystemGroup lp root _and_ at https://wiki.archlinux.org/index.php/KDE, which has: Adding lp to SystemGroup allows anyone who can print to configure printers. You can, of course, add another group instead of lp. /etc/cups/cups-files.conf # Administrator user group... SystemGroup sys root lp And, why would anyone actually _read_ the CUPS wiki or the KDE wiki? Well, anyone who might initially be having a printing problem for some other reason. And then - God help them! - because printing is _never_ going to work again, even if their original problem gets fixed. And, arguably, the CUPS error logging itself is "broken", having cupsd running as group "nobody" instead of refusing to start, and then producing a "useless" error log and "useless" printer status messages, such as "Rendering completed". Surprisingly, there is no check for device permissions in cupsd! What to do? For starters, perhaps a big long warning message with the Arch "cups" package install. Or better, the creation of an "/etc/cups/cups-files.conf.pacnew" file. Or even better, an explicit sed -i.pacsave -e'/SystemGroup/ {s/lp //g;s/lp$//}' /etc/cups/cups-files.conf in a post_install script, or in the package_cups() {...} function of the cups PKGBUILD. Perhaps this "sed" should also be applied to "/etc/cups/cupsd.conf, since the CUPS wiki recommends that the "SystemGroup" directive be added to "/etc/cups/cupsd.conf", though the "cupsd.conf" man page suggests that this directive is not allowed there. Or instead, there should be a sed -i -e'/SystemGroup/ d' /etc/cups/cupsd.conf also. And I may remove that section from the CUPS wiki. Also, as a matter of course, I suggest that Arch should create an "lpadmin" group, with GID "107", as this is somewhat conventional, and may help to discourage the temptation to add the group "lp" to the "SystemGroup" directive. This issue has been left "hanging" for at least 2 1/2 years, and who knows how many people have just "given up" with Arch because of failed printing. Please make sure that it never happens to anyone again. James |
This task depends upon
But yes, I'll fix the wiki.
James
But then, an install note and warning might be appropriate, rather than an automatic edit - and better than nothing at all.
Or we might instead demand that CUPS be "fixed" upstream, to refuse to start, rather than silently revert to group "nobody". That would seem to be the "proper" fix. You know Apple Inc will make a robust and reliable Linux user experience a top priority.
James
soon to be find in testing repo.
The problem has to do with whether or not an already existing file "/etc/cups/cups-files.conf" will be overwritten. If, by whatever circumstance, the group "lp" has been added to the "SystemGroup" key in the file "/etc/cups/cups-files.conf", then printing will fail silently, and the cause is very difficult to discover. An existing configuration file, "/etc/cups/cups-files.conf", will not be overwritten by installing the Arch "cups" package. So, if there is an existing problem, then re-installing the Arch "cups" package will not fix the problem. The configure option "--with-system-groups" does NOT check the system on which the "cups" package is being installed.
I see that the new 2.0.0 package in testing will install an "/etc/cups/cups-files.conf.pacnew", but doing this will not disclose the cause of a printing failure due to the group collision.
The group "lp" is one of the default groups created by the Arch "filesystem" package, and is not added to "/etc/group" by installing the "cups" package. There is no way that the cupsd "filters/backends/helper programs" will run with User and Group settings - or that cups will run with a different "SystemGroup" setting - different from the defaults, unless these settings are manually changed in "/etc/cups/cups-files.conf" by user "root". And how would that happen? Well, in the past, that had been suggested in the Arch Wiki, as described above. The wiki has been corrected, but the damage may have already been done, nonetheless.
People who install Arch packages are more likely to have read the Arch Wiki. It is the way things happen. Now, simply, there is no proper reason to have the "lp" group in the SystemGroup in cups-files.conf on a standard Arch cups install. On the other hand, someone may have customized their installation, and have chosen some different group name for running cupsd "filters/backends/helper programs", and then have chosen to use group "lp" as the administrative group name. That would be a reason to not just blindly remove "lp" from the SystemGroup list.
But still, I think it would be polite to provide some kind of note about the past "bad advice" in the Arch CUPS and KDE Wiki entries. Certainly it would be polite to add a check for a "collision", between the "Group" and "SystemGroup" configurations in cups-files.conf, to the Arch cups package install. I also think it would be polite to create an "lpadmin" group in the Arch system, distinct from any of the "sys", "system", or "root" groups, to allow for a printer administration group in Arch.
I have submitted a bug report upstream at cups.org, suggesting that cupsd should refuse to start and say why, rather than falling back to running "filters/backends/helper programs" as group "nobody". That behavior has not changed in the new version 2.0.0 package.
James
I think you've run into a bad situation where cups didn't give you a useful error msg and it was caused by a bad advise in our wiki.
You've asked upstream to give a better error message and have fixed our wiki pages(?).
I won't add a note to the cups .install scriptlet. I think it's not worth. Not many users will run in your bad configuration.
Can we close this one as I see no packaging issue?
Yes.
> Can we close this one as I see no packaging issue?
One other suggestion - modify the default source "conf/cups-files.conf.in" with a comment above the "SystemGroup" directive:
# This list cannot include the filters/backends/helper programs Group, for security reasons.
I have passed the suggestion upstream, to cups.org. The added comment would not disclose the catastrophic printing failure that would result otherwise, but at least it would provide some guidance.
James
Either the upstream patch offered should be modified to provide logging at the default log level, or the default cupsd.conf should be modified to include the directive "LogLevel notice".
https://www.cups.org/str.php?L4582
Since there was clearly a confusion about which log levels were the more verbose in the patch applied, perhaps this will be corrected. Leaving this Arch bug open probably isn't going to change anything upstream though.