https://bugzilla.novell.com/show_bug.cgi?id=349084 User chrubis@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=349084#c1 Cyril Hrubis <chrubis@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO Info Provider| |ilfirin@centrum.cz --- Comment #1 from Cyril Hrubis <chrubis@novell.com> 2007-12-17 12:29:00 MST --- Please attach y2logs. If you are in doubt follow: http://en.opensuse.org/Bugs/YaST Thanks! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=349084 User sebastien.rohaut@free.fr added comment https://bugzilla.novell.com/show_bug.cgi?id=349084#c3 --- Comment #3 from Sebastien ROHAUT <sebastien.rohaut@free.fr> 2007-12-18 08:02:03 MST --- An additional comment: the problem doesn't occurs when printing because cupsd is launched by root. When scanning, the hpaio backend is launched by the user with their rights. You can see your usb device with lsusb, then go to /dev/bus/usb/xxx/yyy to see rights... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=349084 User mzugec@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=349084#c5 michal zugec <mzugec@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO Info Provider| |jsmeix@novell.com --- Comment #5 from michal zugec <mzugec@novell.com> 2008-01-23 07:38:53 MST --- Johannes, how we can solve that? The worst scenario is new dialog with users to add into "lp" group ... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=349084 User jsmeix@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=349084#c7 --- Comment #7 from Johannes Meixner <jsmeix@novell.com> 2008-01-23 23:39:08 MST --- By the way: When a normal user is created by YaST, it is by default member of the following groups: users dialout video What do you think about to add the group "lp" to those default groups so that normal users have by default sufficient permissions for local printer and local scanner access? The biggest advantage from my point of view would be that via traditional group-permissions it just works as it worked all the time in the past with Linux. In particular it just works even without the complicated udev/HAL/hal-resmgr machinery which never ever worked really reliably in the past. This machinery works for 90% but on the other hand this means that it still fails for thousands of cases and when it fails, a normal user has no chance to fix this complicated machinery. Reasoning regarding scanners: Since openSUSE 10.2 all known USB scanner device files get also the group "lp" via /etc/udev/rules.d/55-libsane.rules see "rpm -q --changelog sane-backends": ------------------------------------------------------------------ The automatically created tools/udev/libsane.rules is changed for openSUSE as follows: All GROUP="scanner" are replaced by GROUP="lp" .. The reasons are: There is no group "scanner" in /etc/group for openSUSE. For all-in-one devices (i.e. printer + scanner) the group must be "lp" so that the CUPS usb backend which runs as "lp" can send printing data to the printer unit. It is sufficiently secure and reasonable easy to use by default the same group "lp" for printers and scanners because both kind of devices usually require physical user access (to get the printed paper or to place a paper on the scanner) so that both kind of devices should usually require the same kind of security. ------------------------------------------------------------------ Reasoning regarding CUPS: Up to openSUSE 10.1/SLE10 we had CUPS 1.1 where we used by default "RunAsUser" to let the cupsd run as user "lp". Here it would be insecure to grant "lp"-permissions to normal users because then normal users might influence the core of the printing system and do somehow something like http://www.cups.org/str.php?L790 Since openSUSE 10.2 we have CUPS 1.2. Since CUPS 1.2 "RunAsUser" is no longer supported so that we are back to the CUPS upstream default where the cupsd runs as root but it runs all its filters and by default also the backend as user "lp". On the one hand this is less secure because there is a root process which can be made accessible from the network (since CUPS 1.2 cupsd listens by default only at "localhost"), see "Configuration of the CUPS network servers" - "Details" at http://en.opensuse.org/SDB:CUPS_in_a_Nutshell On the other hand this is more secure because filters and backends (and whatever else runs as user "lp") cannot influence the core of the printing system so that since CUPS 1.2 it might be possible to grant "lp"-permissions to normal users by default without causing real security problems. Of course any normal user could then send data directly to a locally connected printer (USB and parallel port) and circumvent a user-based restriction in the printing system (see "-u deny:..." at "man lpadmin") but this is perhaps no real severe security problem because all the admin has to do is to remove this user from the "lp" group - just like it is with our other default groups (dialout, video). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=349084 User kukuk@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=349084#c9 Thorsten Kukuk <kukuk@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW Info Provider|kukuk@novell.com | --- Comment #9 from Thorsten Kukuk <kukuk@novell.com> 2008-01-24 02:40:36 MST --- (In reply to comment #8 from michal zugec)

I fully agree with idea add "lp" into default groups (/etc/default/useradd). It means that all new created user will be added into "lp" group. Thorsten, do you agree with that?

I disagree. The group "lp" is there for security reasons. So that not everybody can write/read to such files/directories used by the print spooling system. It maybe that, on a first glance, no security problem in your default installation may be visible, but to make sure, this would mean a whole audit of all code using the group "lp". And this solution only works for local accounts, which is not necessary identical to users who are logged in local. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=349084 User ilfirin@centrum.cz added comment https://bugzilla.novell.com/show_bug.cgi?id=349084#c11 --- Comment #11 from Michal Smrž <ilfirin@centrum.cz> 2008-02-07 06:19:07 MST --- 10: Good idea. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=349084 User jsmeix@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=349084#c13 --- Comment #13 from Johannes Meixner <jsmeix@novell.com> 2008-03-06 07:00:15 MST --- Updated HPLIP to version 2.8.2 and submitted to STABLE which provides an appropriate HAL fdi file /etc/hal/fdi/policy/10osvendor/70-hpmud.fdi so that it should work out-of-the-box at least for those USB devices where the UDB IDs are known. HPLIP 2.8.2 is also available for openSUSE 10.3 (and others) via http://download.opensuse.org/repositories/home:/jsmeix/ See https://bugzilla.novell.com/show_bug.cgi?id=336658#c5 and subsequent comments. A note regarding my packages for openSUSE 10.3 and others: The packages are * only for testing * without any guarantee or warranty * without any support As an extreme example, this means that if your complete computer center crashes because of these packages, it is only your problem. Nevertheless, I am very interested in your feedback. Please make it obvious which package, which package version, which hardware architecture and which openSUSE version you are talking about, e.g.: "Feedback regarding the hplip[-hpijs]-2.8.2-11.2.i586 RPMs from http://software.opensuse.org/download/home:/jsmeix/ for openSUSE 10.3 used on 64-bit AMD hardware." Ideally provide also the "rpm -q --changelog sane-backends | head" output to make it unambiguous which exact package release you have. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=349084 User mzugec@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=349084#c15 Michal Zugec <mzugec@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #15 from Michal Zugec <mzugec@novell.com> 2008-07-06 09:52:40 MDT --- According comment #13 marked as FIXED -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.