http://bugzilla.novell.com/show_bug.cgi?id=614779 http://bugzilla.novell.com/show_bug.cgi?id=614779#c1 Vincent Untz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |vuntz@novell.com --- Comment #1 from Vincent Untz 2010-06-17 12:23:10 UTC --- Those are the dbus methods that are called: DevicesGet DevicesGet PrinterAddWithPpdFile PrinterSetEnabled PrinterSetAcceptJobs PrinterSetLocation PrinterSetInfo Each one of them bring an auth dialog right now. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=614779 http://bugzilla.novell.com/show_bug.cgi?id=614779#c3 Ludwig Nussel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|lnussel@novell.com | AssignedTo|bnc-team-gnome@forge.provo. |security-team@suse.de |novell.com | Summary|Adding a printer requires |AUDIT-0: |the root password 7 times |system-config-printer --- Comment #3 from Ludwig Nussel 2010-06-17 16:03:05 CEST --- needs code review -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=614779 http://bugzilla.novell.com/show_bug.cgi?id=614779#c5 --- Comment #5 from Vincent Untz 2010-06-17 14:14:23 UTC --- Ludwig: this is all done via cups-pk-helper, which was already audited (see bug 447444). -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=614779 http://bugzilla.novell.com/show_bug.cgi?id=614779#c7 --- Comment #7 from Johannes Meixner 2010-06-17 14:39:41 UTC --- Regarding having cupsGetDevices() authorized for everybody by default: This would circumvent the CUPS default policy, see http://www.cups.org/documentation.php/doc-1.4/policies.html A CUPS-Get-Devices request lets the cupsd launch cups-deviced, see http://www.cups.org/documentation.php/doc-1.4/man-cups-deviced.html which executes each executable file in /usr/lib/cups/backend/ In the end this is the same as what "/usr/sbin/lpinfo -v" does. This is by default forbidden by the cupsd for normal users via this default entry in /etc/cups/cupsd.conf (long lines are shown wrapped here): --------------------------------------------------------------------- # Administrator user group... SystemGroup sys root . . . <Policy default> ... # All administration operations require an administrator to authenticate... <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices> AuthType Default Require user @SYSTEM Order deny,allow </Limit> --------------------------------------------------------------------- If you don't like the restrictions of theCUPS default policy, have a look at /etc/cups/cupsd.conf what I already provide: --------------------------------------------------------------------- # The policy below is added by openSUSE/Novell during build # of our cups package. # The policy 'allowallforanybody' is totally open and insecure # and therefore it can only be used within an internal network # where only trused users exist and where the cupsd is not accessible # at all from any external host. # Have in mind that any user who is allowed to do printer admin tasks # can change the print queues as he likes (e.g. send copies of confidental # print jobs from an internal network to any external destination). # For documentation regarding 'Managing Operation Policies' see # http://www.cups.org/documentation.php/doc-1.4/policies.html <Policy allowallforanybody> <Limit All> Order deny,allow Allow from all </Limit> </Policy> # Explicitely set the CUPS 'default' policy to be used by default: DefaultPolicy default # End of additions by openSUSE/Novell. --------------------------------------------------------------------- A single authenticatin as root to launch the YaST printer module and then only a few clicks to switch to the "allowallforanybody" policy and afterwards everything regarding printer setup just works as our usual desktop users like it so much... ;-) FYI: How it looks for me on openSUSE 11.3 milestone 7: ----------------------------------------------------------------------- burns:~ # /usr/sbin/lpinfo -v network http direct scsi network lpd network smb network ipp network socket direct usb://HP/LaserJet%201020 network beh direct parallel:/dev/lp0 direct hp:/usb/HP_LaserJet_1020?serial=JL50HRE direct hpfax network socket://10.10.1.83 network socket://10.10.101.245 network socket://10.10.2.255 network socket://10.10.222.4 network socket://10.10.4.4 burns:~ # su - johannes johannes@burns:~> /usr/sbin/lpinfo -v lpinfo: Forbidden johannes@burns:~> groups users video ----------------------------------------------------------------------- In contrast after I added "johannes" in /etc/group to the group "sys": ----------------------------------------------------------------------- johannes@burns:~> groups users sys video johannes@burns:~> /usr/sbin/lpinfo -v network http direct scsi network lpd network ipp network socket network smb direct usb://HP/LaserJet%201020 network beh direct parallel:/dev/lp0 direct hp:/usb/HP_LaserJet_1020?serial=JL50HRE direct hpfax network socket://10.10.1.83 network socket://10.10.2.255 network socket://10.10.222.4 ----------------------------------------------------------------------- -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=614779 http://bugzilla.novell.com/show_bug.cgi?id=614779#c9 Ludwig Nussel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |stshaw@novell.com --- Comment #9 from Ludwig Nussel 2010-06-17 16:50:01 CEST --- just curious, what kind of printer are you trying to add anyways? usb printers are supposed to be automatically configured and cups network printers are autodetected as well. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=614779 http://bugzilla.novell.com/show_bug.cgi?id=614779#c11 Stephen Shaw changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW CC| |stshaw@novell.com InfoProvider|stshaw@novell.com | --- Comment #11 from Stephen Shaw 2010-06-17 14:56:39 UTC --- @Ludwig I haven't tried an usb printer yet. This is just trying to setup the local network printers here in provo. I did get a list of printer from the network that auto added, but I have no idea where they are located. Out of the 3 printers we have in the very close area non of them were on the list. I was manually adding them and that's where I ran into the problem. As for the password stuff, it seems insane. From an admin point of view if I authenticated with the system to add a printer I don't care to authorize it every step of the way. I proved that I was the admin and therefore expect to be uninterrupted while adding that printer. Not to mention the amount of time that is wasted putting your password in 7 times and hoping you didn't type it wrong each time. Also, the first several times I assumed that I had type my password wrong. To the average end user that install openSUSE on his local machine its worse than windows' UAC stuff. At least its only annoying a couple times, not 7 :/ -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=614779 http://bugzilla.novell.com/show_bug.cgi?id=614779#c Johannes Meixner changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|stshaw@novell.com | -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=614779 http://bugzilla.novell.com/show_bug.cgi?id=614779#c14 --- Comment #14 from Ludwig Nussel 2010-06-17 17:10:33 CEST --- (In reply to comment #11)

@Ludwig I haven't tried an usb printer yet. This is just trying to setup the local network printers here in provo. I did get a list of printer from the network that auto added, but I have no idea where they are located. Out of the 3 printers we have in the very close area non of them were on the list. I was

Time to kick the admins to fix the network setup :-)

As for the password stuff, it seems insane. From an admin point of view if I authenticated with the system to add a printer I don't care to authorize it every step of the way. I proved that I was the admin and therefore expect to be uninterrupted while adding that printer.

Well, I agree. That's up to the design of the program you are using though. Try for example yast instead to see a different approach. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=614779 http://bugzilla.novell.com/show_bug.cgi?id=614779#c16 --- Comment #16 from Stephen Shaw 2010-06-17 15:17:38 UTC --- Although 2 is still annoying its *far* better than 7. So, huge thanks for very much improving this. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=614779 http://bugzilla.novell.com/show_bug.cgi?id=614779#c18 --- Comment #18 from Johannes Meixner 2010-06-17 15:42:50 UTC --- FYI: What cupsd responds if file:///dev/lp0 is used: --------------------------------------------------------------------- burns:~ # lpadmin -p testy -v file:///dev/lp0 lpadmin: File device URIs have been disabled! To enable, see the FileDevice directive in "/etc/cups/cupsd.conf". --------------------------------------------------------------------- The error message is sent by the cupsd (in the CUPS sources in scheduler/ipp.c) and forwarded by lpadmin to stderr so that it should have helped Ludwig to see the actual cause of failure if the message was also shown by system-config-printer. I have no idea why authentication with user name "root" and root's password doesn't work and therefore I guess that the authentication as root did actually work but system-config-printer might just retry the authentication in case of any error? -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=614779 http://bugzilla.novell.com/show_bug.cgi?id=614779#c20 --- Comment #20 from Bernhard Wiedemann --- This is an autogenerated message for OBS integration: This bug (614779) was mentioned in https://build.opensuse.org/request/show/41671 Factory / polkit-default-privs -- You are receiving this mail because: You are on the CC list for the bug.