CUPS problem

[Bob Tennent]

I can't print as an ordinary user to either a network
printer or to a shared USB printer connected to another host
on the local network. The Printer State message I get is

Idle - Unable to open print file: Permission denied

What's baffling is that I can print to both printers as the
superuser. Here's what I get after a failed attempt to print
by doing ls -l /var/spool/cups/*:

-r-------- 1 root root 331 Oct 14 18:51 a00711
-rw------- 1 root lp 1539 Oct 14 19:02 c00711
-rw-r----- 1 root lp 50966 Oct 14 18:51 d00711-001

and exactly the same after a successful print as root.

What is going on?

[Carlos E. R.]

Check the cups logs.

--
Cheers,
Carlos E.R.

[Bob Tennent]

No help there:

Unable to open print file: Permission denied

Backend returned status 1 (failed)

[vallor]

On Sun, 15 Oct 2023 01:16:04 -0000 (UTC), Bob Tennent
<rdte...@tennent.ca> wrote in <ugfegk$549e$1...@dont-email.me>:

You didn't mention your distribution.

I'm using Linux Mint 21.2, fresh install, and
my CUPS spool has these directories and permissions:

drwx--x--- 3 root lp 4096 Jul 11 12:20 /var/spool/cups
drwxrwx--T 2 root lp 4096 Jun 13 05:17 /var/spool/cups/tmp

And here is the version I'm running:
_ _ _ _ _ _ _
$ dpkg -l cups
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-
pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-===================-============-
===================================================================
ii cups 2.4.1op1-1ubuntu4.7 amd64 Common UNIX Printing
System(tm) - PPD/driver support, web interface
_ _ _ _ _ _ _

--
-v

[The Natural Philosopher]

at a *guess* some directory used by CUPS is only permitted to do so by root.
propbaly in the /var/lib or /var/spool hierarchy.

$ ls -l /var/spool
total 24
drwxr-xr-x 2 root root 4096 Oct 8 2021 anacron
drwxr-xr-x 3 root root 4096 Jul 3 2021 cron
drwx--x--- 3 root lp 4096 Oct 11 23:59 cups
drwxr-xr-x 3 root root 4096 Jul 3 2021 libreoffice
lrwxrwxrwx 1 root root 7 Oct 8 2021 mail -> ../mail
drwxr-xr-x 20 root root 4096 Jan 6 2023 postfix
drwx------ 2 syslog adm 4096 Feb 11 2020 rsyslog

Note the perms on 'cups'

# ps -eadf | grep cups
root 241245 1 0 00:00 ? 00:00:00 /usr/sbin/cupsd -l
root 241246 1 0 00:00 ? 00:00:00 /usr/sbin/cups-browsed

check that cupsd is running with the right root perms..


--
“People believe certain stories because everyone important tells them,
and people tell those stories because everyone important believes them.
Indeed, when a conventional wisdom is at its fullest strength, one’s
agreement with that conventional wisdom becomes almost a litmus test of
one’s suitability to be taken seriously.”

Paul Krugman

[Bob Tennent]

On Sat, 14 Oct 2023 22:15:02 -0400, Andreas Kohlbach wrote:

> How does it look like between
>
><Location />
>
></Location>
>
> in the /etc/cups/cupsd.conf ?

<Location />
Order allow,deny
Allow @LOCAL
</Location>
<Location /admin>
Order allow,deny
</Location>
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
Order allow,deny
</Location>
<Location /admin/log>
AuthType Default
Require user @SYSTEM
Order allow,deny
</Location>

[Bob Tennent]

On Sun, 15 Oct 2023 11:02:24 +0100, The Natural Philosopher wrote:
> On 15/10/2023 00:10, Bob Tennent wrote:
>> I can't print as an ordinary user to either a network
>> printer or to a shared USB printer connected to another host
>> on the local network. The Printer State message I get is
>>
>> Idle - Unable to open print file: Permission denied
>>
>> What's baffling is that I can print to both printers as the
>> superuser. Here's what I get after a failed attempt to print
>> by doing ls -l /var/spool/cups/*:
>>
>> -r-------- 1 root root 331 Oct 14 18:51 a00711
>> -rw------- 1 root lp 1539 Oct 14 19:02 c00711
>> -rw-r----- 1 root lp 50966 Oct 14 18:51 d00711-001
>>
>> and exactly the same after a successful print as root.
>>
>> What is going on?
>>
>>
> at a *guess* some directory used by CUPS is only permitted to do so by root.
> propbaly in the /var/lib or /var/spool hierarchy.
>

% ls -ld /var/spool/cups
drwx--x--- 3 root lp 4096 Oct 15 00:00 /var/spool/cups

# ps -eadf | grep cups

root 254733 1 0 00:00 ? 00:00:00 /usr/sbin/cupsd -l
lp 254735 254733 0 00:00 ? 00:00:00 /usr/lib/cups/notifier/dbus dbus://
root 254736 1 0 00:00 ? 00:00:00 /usr/sbin/cups-browsed
lp 254825 254733 0 00:00 ? 00:00:00 /usr/lib/cups/notifier/dbus dbus://

[Jim Jackson]

You should be in the lp group
What is the result of (as user not root) ...

$ groups

[Bob Tennent]

rdt adm lp cdrom sudo dip plugdev lpadmin sambashare

[The Natural Philosopher]

similar to me and I *can* print

adm dialout cdrom sudo dip plugdev input lpadmin scanner sambashare


--
"First, find out who are the people you can not criticise. They are your
oppressors."
- George Orwell

[Bob Tennent]

There's more information in the Printer Report job attributes:

job-printer-state-reasons
['cups-ipp-conformance-failure-report',
'cups-ipp-missing-send-document']

Is that relevant?

[Jim Jackson]

On 2023-10-15, Bob Tennent <rdte...@tennent.ca> wrote:
> On Sun, 15 Oct 2023 13:15:16 -0000 (UTC), Jim Jackson wrote:
> > On 2023-10-15, Bob Tennent <rdte...@tennent.ca> wrote:
> >> On Sun, 15 Oct 2023 11:02:24 +0100, The Natural Philosopher wrote:
> >> > On 15/10/2023 00:10, Bob Tennent wrote:
> >> >> I can't print as an ordinary user to either a network
> >> >> printer or to a shared USB printer connected to another host
> >> >> on the local network. The Printer State message I get is
> >> >>
> >> >> Idle - Unable to open print file: Permission denied
> >> >>
> >> >> What's baffling is that I can print to both printers as the
> >> >> superuser. Here's what I get after a failed attempt to print
> >> >> by doing ls -l /var/spool/cups/*:
> >> >>
> >> >> -r-------- 1 root root 331 Oct 14 18:51 a00711
> >> >> -rw------- 1 root lp 1539 Oct 14 19:02 c00711
> >> >> -rw-r----- 1 root lp 50966 Oct 14 18:51 d00711-001
> >> >>
> >> >> and exactly the same after a successful print as root.
> >> >>
> >> >> What is going on?
> >> >>
> >> >>
> >> > at a *guess* some directory used by CUPS is only permitted
> >> > to do so by root.
> >> > propbaly in the /var/lib or /var/spool hierarchy.
> >> >
> >>
> >> % ls -ld /var/spool/cups
> >> drwx--x--- 3 root lp 4096 Oct 15 00:00 /var/spool/cups

and what's the output of

ls -ld /var/spool/cups/tmp

sorry if that's already been asked? Should be something like

drwxrwx--T 2 root lp 4096 Oct 15 13:06 /var/spool/cups/tmp/

[Bob Tennent]

drwxrwx--T 2 root lp 4096 Oct 15 15:46 tmp/

[Bob Tennent]

It seems the problem was the permissions on

/usr/lib/cups/backend/ipp

which should be rwxr--r--.

[The Natural Philosopher]

And who knows how or why THAT happened

--
Canada is all right really, though not for the whole weekend.

"Saki"

[Bob Tennent]

Actually has to be rwxr-xr-x.

[David W. Hodgins]

$ ll /usr/lib/cups/backend/|grep -v ^l
total 1112
-rwx------ 1 root root 15616 May 22 04:45 beh*
-rwx------ 1 root root 37016 Apr 4 2021 boomaga*
-rwxr-xr-x 1 root root 4152 Feb 12 2020 cups2pegg*
-rwx------ 1 root root 15488 May 22 04:45 cups-brf*
-rwx------ 1 root root 142244 Feb 15 2020 cups-pdf*
-rwxr--r-- 1 root root 23640 Sep 26 03:26 dnssd*
-rwxr--r-- 1 root root 27664 Sep 26 03:26 failover*
-rwxr-xr-x 1 root root 468472 Feb 26 2021 gutenprint53+usb*
-rwxr-xr-x 1 root root 24088 Jul 1 2022 hp*
-rwxr-xr-x 1 root root 9221 Jul 1 2022 hpfax*
-rwx------ 1 root root 24008 May 22 04:45 implicitclass*
-rwxr--r-- 1 root root 85416 Sep 26 03:26 ipp*
-rwxr--r-- 1 root root 52520 Sep 26 03:26 lpd*
-rwxr-xr-x 1 root root 3144 Jan 19 2021 mga_backend*
-rwxr-xr-x 1 root root 4730 Dec 31 2020 mtink*
-rwxr-xr-x 1 root root 1077 Jun 13 2013 ncp*
-rwxr-xr-x 1 root root 4598 Sep 26 03:26 nprint*
-rwx------ 1 root root 23992 May 22 04:45 parallel*
-rwx------ 1 root root 19736 May 22 04:45 serial*
-rwxr-xr-x 1 root root 31912 Sep 26 03:26 snmp*
-rwxr-xr-x 1 root root 44280 Sep 26 03:26 socket*
-rwxr-xr-x 1 root root 40104 Sep 26 03:26 usb*


As none of the files have a group different than the owner, and the owner
has rwx, the group permissions are redundant.

The cupsd process runs as root.

Regards, Dave Hodgins

[Bob Tennent]

> The cupsd process runs as root.

On my system, execute permission for users on ipp seems to
be necessary.

[Bob Tennent]

> The cupsd process runs as root.

[David W. Hodgins]

On Thu, 19 Oct 2023 12:28:37 -0400, Bob Tennent <rdte...@tennent.ca> wrote:
> On my system, execute permission for users on ipp seems to
> be necessary.

The user doesn't run /usr/lib/cups/backend/ipp. That's run by cupsd.

For example, boomaga and ipp backends have the permissions ...
-rwx------ 1 root root 37016 Apr 4 2021 /usr/lib/cups/backend/boomaga*
-rwxr--r-- 1 root root 85416 Sep 26 03:26 /usr/lib/cups/backend/ipp*

Yet, as a regular user ...
[dave@x3 ~]$ ipptool ipp://localhost/printers/boomaga get-completed-jobs.test
job-id job-state job-name job-originating-user-name job-media-sheets-completed
------ --------- -------- ------------------------- --------------------------
26 completed 0
21 completed 0

Regards, Dave Hodgins

[Bob Tennent]

On Thu, 19 Oct 2023 20:00:00 -0400, David W. Hodgins wrote:
> On Thu, 19 Oct 2023 12:28:37 -0400, Bob Tennent <rdte...@tennent.ca> wrote:
>> On my system, execute permission for users on ipp seems to
>> be necessary.
>
> The user doesn't run /usr/lib/cups/backend/ipp. That's run by cupsd.
>
> For example, boomaga and ipp backends have the permissions ...
> -rwx------ 1 root root 37016 Apr 4 2021 /usr/lib/cups/backend/boomaga*
> -rwxr--r-- 1 root root 85416 Sep 26 03:26 /usr/lib/cups/backend/ipp*

Then why with those permissions on ipp do I get

"Could not start IPP Backend (/usr/lib/cups/backend/ipp): 13 Permission denied"

which I don't get if I chmod +x /usr/lib/cups/backend/ipp

[Bob Tennent]

Furthermore, I've just checked two other Linux Mint systems
and ipp has permissions rwxr-xr-x in both.

Are you a cups developer? Why are you so sure of this?

[vallor]

On Fri, 20 Oct 2023 02:05:40 -0000 (UTC), Bob Tennent
<rdte...@tennent.ca> wrote in <ugsn9k$qjct$1...@dont-email.me>:

I'm not a cups developer, but I had an idea:

System processes running as "root" on Linux often drop permissions
for security. It's possible cups forks a process for the backend,
and calls setgid()/setuid() to run the backend process
with limited permissions. (ipp/ipp).

But that's just a guess. Too burned-out right now to dig
into the source and look, or dig through strace output...

HTH

--
-v

[Carlos E. R.]

I checked my laptop with openSUSE Leap:

Laicolasse:~ # l /usr/lib/cups/backend/ipp
-rwx------ 1 root root 80016 Sep 12 14:19 /usr/lib/cups/backend/ipp*
Laicolasse:~ #

--
Cheers,
Carlos E.R.

[The Natural Philosopher]

Juliet$ ls -l /usr/lib/cups/backend/ipp
-rwxr-xr-x 1 root root 84368 Sep 15 12:20 /usr/lib/cups/backend/ipp

Cymbeline:~$ ls -l /usr/lib/cups/backend/ipp
-rwxr-xr-x 1 root root 84368 Sep 15 12:20 /usr/lib/cups/backend/ipp

....


--
It’s easier to fool people than to convince them that they have been fooled.
Mark Twain

[David W. Hodgins]

I'm not a cups developer. I'm a former leader of the qa team for Mageia linux,
and just reporting how my current Mageia 8 installation is set up in terms of
ownership and permissions, where ipp works.

In Mageia 8, cupsd runs as root. Does it not run as root on your installs?
If so, that would explain the different results.

ll is an alias in Mageia installs.
$ alias|grep ll=
alias ll='ls -lA'

Regards, Dave Hodgins

[Bob Tennent]

I believe that on Mint cupsd runs as root but for security
reasons spawns a user process (perhaps nologin user
cups-pk-helper?) to run ipp.

[David W. Hodgins]

It doesn't appear to be spawning to run ipp on Mageia 8.

One thing I just noticed. In /etc/cups/cups-files.conf, I have
SystemGroup sys root wheel
I'm using the same computer where I have cupsd running and my id is a member of
the wheel group.

That may explain the permission difference.

Regards, Dave Hodgins.