LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices



Reply
 
Search this Thread
Old 04-22-2008, 09:17 AM   #1
dda
LQ Newbie
 
Registered: May 2004
Location: Rostov-on-Don, Russia
Posts: 16

Rep: Reputation: 0
CUPS is broken in Ubuntu Gutsy after update?


Hello,

I was able to add and use printer in Gutsy, but recently when i tried to print, noticed that my job was held. After trying to fix it, I removed printer, and was not able to add a new both via web console and gnome program. In logs I found:

Code:
E [07/Apr/2008:22:02:21 +0000] [CGI] Unable to execute "/usr/lib/cups/backend/hal" - Permission denied
E [07/Apr/2008:22:02:21 +0000] [CGI] Unable to execute "/usr/lib/cups/backend/cups-pdf" - Permission denied
E [07/Apr/2008:22:02:21 +0000] [CGI] Unable to execute "/usr/lib/cups/backend/beh" - Permission denied
E [07/Apr/2008:22:02:21 +0000] [CGI] Unable to execute "/usr/lib/cups/backend/canon" - Permission denied
E [07/Apr/2008:22:02:21 +0000] [CGI] Unable to execute "/usr/lib/cups/backend/bluetooth" - Permission denied
E [07/Apr/2008:22:12:01 +0000] PID 2502 (/usr/lib/cups/cgi-bin/printers.cgi) stopped with status 22!
E [07/Apr/2008:22:12:04 +0000] PID 2506 (/usr/lib/cups/cgi-bin/admin.cgi) stopped with status 22!
E [07/Apr/2008:22:13:09 +0000] PID 2511 (/usr/lib/cups/cgi-bin/admin.cgi) stopped with status 22!
And then with DEBUG2 level:

Code:
d [08/Apr/2008:00:07:05 +0000] cupsdStartProcess("/usr/lib/cups/daemon/cups-driverd", 0x7fffdd2cb750, 0x7fffdd2cb390, -1, 10, 6)
D [08/Apr/2008:00:07:05 +0000] [CGI] /usr/lib/cups/daemon/cups-driverd started - PID = 6574
I [08/Apr/2008:00:07:05 +0000] Started "/usr/lib/cups/daemon/cups-driverd" (pid=6574)
D [08/Apr/2008:00:07:05 +0000] cupsdSendCommand: 7 file=8
d [08/Apr/2008:00:07:05 +0000] cupsdAddSelect: fd=8, read_cb=0x40f200, write_cb=(nil), data=0x6aac60
d [08/Apr/2008:00:07:05 +0000] process_children()
E [08/Apr/2008:00:07:05 +0000] PID 6574 (/usr/lib/cups/daemon/cups-driverd) stopped with status 22!
d [08/Apr/2008:00:07:05 +0000] cupsdDoSelect: polling 5 fds for 1 seconds...
d [08/Apr/2008:00:07:05 +0000] cupsdDoSelect: epoll() returned 2...
d [08/Apr/2008:00:07:05 +0000] cupsdDoSelect: Read on fd 5...
D [08/Apr/2008:00:07:05 +0000] [CGI] /usr/lib/cups/daemon/cups-driverd: Permission denied
I think I did not manually change anything. In dpkg.log I found:

Code:
2008-04-03 10:38:12 upgrade cupsys 1.3.2-1ubuntu7.5 1.3.2-1ubuntu7.6
2008-04-03 10:38:10 upgrade cupsys-common 1.3.2-1ubuntu7.5 1.3.2-1ubuntu7.6
.. and other cups-related packages.

I found several "status 22" posts in forums, but nothing applied to my case. By experiment I found that if I add "User dda" (this is my username) to /etc/cups/cupsd.conf, everything works. But I guess it won't work for other local users in the system.

So, what happened? I compared permissions of cupsd daemon, and the backends and CGIs - all were correct (root:root, 755). In an older system, Feisty with cups 1.2.8, some permissions are different, i.e. there is user cupsys, in my system there is no such user, I think that was changed in cups.

Any help is appreciated. I posted in ubuntuforums.org (http://ubuntuforums.org/showthread.php?p=4764078), but there was no reply.


Regards,
Dmitry.
 
Old 04-22-2008, 10:29 AM   #2
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197Reputation: 197
I have that same update, and no issues.
my user is not in /etc/cups/cupsd.conf
no sign of any "cupsys" user either
my permissions are like yours

I don't think we can put this on the CUPS update.

Your user needs to be a member of lpadmin group to add/remove printers.
 
Old 04-22-2008, 01:11 PM   #3
dda
LQ Newbie
 
Registered: May 2004
Location: Rostov-on-Don, Russia
Posts: 16

Original Poster
Rep: Reputation: 0
Yes, I checked at the very beginning - my user is in lpadmin group. I also see the following in /var/log/messages at boot time:
Code:
Apr 21 12:01:29 x700 kernel: [   51.120756] Failure registering capabilities with primary security module.
Apr 21 12:01:29 x700 kernel: [   51.649367] audit(1208764889.568:3):  type=1502 operation="inode_permission" requested_mask="a" denied_mask="a" name="/dev/tt
y" pid=6681 profile="/usr/sbin/cupsd"
Maybe it is related?
 
Old 04-22-2008, 08:25 PM   #4
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197Reputation: 197
See this bug report. Also this one. Technically should have been fixed by now.

Mentioned in the (official) Ubuntu Wiki under DebuggingPrintingProblems.

The workaround is: sudo aa-complain cupsd

I don't use apparmor, which is why I don't see this behavior.
 
Old 04-23-2008, 09:05 AM   #5
dda
LQ Newbie
 
Registered: May 2004
Location: Rostov-on-Don, Russia
Posts: 16

Original Poster
Rep: Reputation: 0
Thanks.

I have disabled cupsd in apparmor as you suggested, but still getting "PID 27178 (/usr/lib/cups/cgi-bin/admin.cgi) stopped with status 22!" error when there is no "User dda" in cupsd.conf.
 
Old 04-23-2008, 10:44 AM   #6
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197Reputation: 197
But can you add printers?
What happened to the other errors? syslog?

Status 22 = permission denied.
Increase the debug level in cupsd.conf
 
Old 04-23-2008, 10:57 AM   #7
dda
LQ Newbie
 
Registered: May 2004
Location: Rostov-on-Don, Russia
Posts: 16

Original Poster
Rep: Reputation: 0
No, without having "User dda" in cupsd.conf I can not do anything. I already have DEBUG2 log level, see my 1st post..
 
Old 04-23-2008, 10:51 PM   #8
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197Reputation: 197
And the other errors? Presumably the "Failure registering capabilities" error has vanished?

This occurred after an upgrade... have you enabled backports?
Did you completely disable apparmor or just for cupsd?
(I'm trying to figure what I have that is different from you.)
 
Old 04-24-2008, 02:01 AM   #9
dda
LQ Newbie
 
Registered: May 2004
Location: Rostov-on-Don, Russia
Posts: 16

Original Poster
Rep: Reputation: 0
Hi Simon,

After running "sudo aa-complain cupsd" I still see the following in /var/log/messages when cupsd is started:
Code:
Apr 24 09:55:32 x700 kernel: [107268.775908] audit(1209016532.184:7):  type=1503 operation="inode_permission" requested_mask="a" denied_mask="a" name="/dev/tty" pid=29331 profile="/usr/sbin/cupsd"
I think that the "Failure registering capabilities" message appears only during boot, I will let you know on the next reboot. But I noticed that in the message above requested_mask="a", while in the links you gave me they mention another masks for /dev/tty, "rw". Here is my /dev/tty:

$ ll /dev/tty
crw-rw-rw- 1 root root 5, 0 2008-04-24 09:53 /dev/tty

Regards,
Dmitry.
 
Old 04-24-2008, 04:19 AM   #10
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197Reputation: 197
Hmmm... just to be thorough - disable apparmor completely.
Follow the procedure in the troubleshooting link for posting a bug report.
 
Old 04-25-2008, 06:53 PM   #11
dda
LQ Newbie
 
Registered: May 2004
Location: Rostov-on-Don, Russia
Posts: 16

Original Poster
Rep: Reputation: 0
I found what it was -- somehow /usr, /usr/bin, /usr/share permissions were changed from 755 root:root to 700 dda:users. I fixed that, and now everything works fine. I will try to find what exactly caused that change.

Is there a way to audit the system against such changes?

Thanks a lot for attention!
 
Old 04-26-2008, 01:41 AM   #12
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197Reputation: 197
Great - in the unlikely event you find out what it was, you'll have something to contribute.
Cannot think of any way to explicitly audit the system for such a thing.
 
Old 04-26-2008, 10:13 AM   #13
dda
LQ Newbie
 
Registered: May 2004
Location: Rostov-on-Don, Russia
Posts: 16

Original Poster
Rep: Reputation: 0
Installed tripwire - will see if it helps to monitor such changes.
 
Old 08-08-2008, 09:12 AM   #14
mylo
LQ Newbie
 
Registered: Aug 2008
Posts: 1

Rep: Reputation: 0
or sxid (can also generate a report as an mail)

suid, sgid file and directory checking
This program is runs as a cronjob. Basically it tracks any changes in
your s[ug]id files and folders. If there are any new ones, ones that
aren't set any more, or they have changed bits or other modes then it
reports the changes. You can also run this manually for spot checking.

It tracks s[ug]id files by md5 checksums. This helps detect if your files
have been tampered with, would not show under normal name and permissions
checking. Directories are tracked by inodes.
 
Old 08-08-2008, 09:58 AM   #15
dda
LQ Newbie
 
Registered: May 2004
Location: Rostov-on-Don, Russia
Posts: 16

Original Poster
Rep: Reputation: 0
Thanks! Looks simpler than tripwire.
 
  


Reply

Tags
cups, ubuntu


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Upgrade Ubuntu 7.04 (Feisty Fawn) to Ubuntu 7.10 (Gutsy Gibbon) LXer Syndicated Linux News 1 03-28-2009 02:17 PM
LXer: Upgrade Ubuntu 7.10 (Gutsy Gibbon) to Ubuntu 8.04 LTS (Hardy Heron) Beta LXer Syndicated Linux News 0 03-26-2008 08:30 PM
LXer: Installing Xen On An Ubuntu 7.10 (Gutsy Gibbon) Server From The Ubuntu Reposito LXer Syndicated Linux News 0 11-06-2007 09:50 PM
LXer: The Perfect Server - Ubuntu Gutsy Gibbon (Ubuntu 7.10) LXer Syndicated Linux News 0 10-21-2007 12:20 PM
LXer: Ubuntu 7.10 (Gutsy Gibbon) Release Dates and Mark Shuttleworth About Gutsy LXer Syndicated Linux News 0 04-12-2007 05:31 PM


All times are GMT -5. The time now is 10:25 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration