CUPS is broken in Ubuntu Gutsy after update?

dda · 04-22-2008, 08:17 AM

Hello,

I was able to add and use printer in Gutsy, but recently when i tried to print, noticed that my job was held. After trying to fix it, I removed printer, and was not able to add a new both via web console and gnome program. In logs I found:

Code:

E [07/Apr/2008:22:02:21 +0000] [CGI] Unable to execute "/usr/lib/cups/backend/hal" - Permission denied
E [07/Apr/2008:22:02:21 +0000] [CGI] Unable to execute "/usr/lib/cups/backend/cups-pdf" - Permission denied
E [07/Apr/2008:22:02:21 +0000] [CGI] Unable to execute "/usr/lib/cups/backend/beh" - Permission denied
E [07/Apr/2008:22:02:21 +0000] [CGI] Unable to execute "/usr/lib/cups/backend/canon" - Permission denied
E [07/Apr/2008:22:02:21 +0000] [CGI] Unable to execute "/usr/lib/cups/backend/bluetooth" - Permission denied
E [07/Apr/2008:22:12:01 +0000] PID 2502 (/usr/lib/cups/cgi-bin/printers.cgi) stopped with status 22!
E [07/Apr/2008:22:12:04 +0000] PID 2506 (/usr/lib/cups/cgi-bin/admin.cgi) stopped with status 22!
E [07/Apr/2008:22:13:09 +0000] PID 2511 (/usr/lib/cups/cgi-bin/admin.cgi) stopped with status 22!

And then with DEBUG2 level:

Code:

d [08/Apr/2008:00:07:05 +0000] cupsdStartProcess("/usr/lib/cups/daemon/cups-driverd", 0x7fffdd2cb750, 0x7fffdd2cb390, -1, 10, 6)
D [08/Apr/2008:00:07:05 +0000] [CGI] /usr/lib/cups/daemon/cups-driverd started - PID = 6574
I [08/Apr/2008:00:07:05 +0000] Started "/usr/lib/cups/daemon/cups-driverd" (pid=6574)
D [08/Apr/2008:00:07:05 +0000] cupsdSendCommand: 7 file=8
d [08/Apr/2008:00:07:05 +0000] cupsdAddSelect: fd=8, read_cb=0x40f200, write_cb=(nil), data=0x6aac60
d [08/Apr/2008:00:07:05 +0000] process_children()
E [08/Apr/2008:00:07:05 +0000] PID 6574 (/usr/lib/cups/daemon/cups-driverd) stopped with status 22!
d [08/Apr/2008:00:07:05 +0000] cupsdDoSelect: polling 5 fds for 1 seconds...
d [08/Apr/2008:00:07:05 +0000] cupsdDoSelect: epoll() returned 2...
d [08/Apr/2008:00:07:05 +0000] cupsdDoSelect: Read on fd 5...
D [08/Apr/2008:00:07:05 +0000] [CGI] /usr/lib/cups/daemon/cups-driverd: Permission denied

I think I did not manually change anything. In dpkg.log I found:

Code:

2008-04-03 10:38:12 upgrade cupsys 1.3.2-1ubuntu7.5 1.3.2-1ubuntu7.6
2008-04-03 10:38:10 upgrade cupsys-common 1.3.2-1ubuntu7.5 1.3.2-1ubuntu7.6

.. and other cups-related packages.

I found several "status 22" posts in forums, but nothing applied to my case. By experiment I found that if I add "User dda" (this is my username) to /etc/cups/cupsd.conf, everything works. But I guess it won't work for other local users in the system.

So, what happened? I compared permissions of cupsd daemon, and the backends and CGIs - all were correct (root:root, 755). In an older system, Feisty with cups 1.2.8, some permissions are different, i.e. there is user cupsys, in my system there is no such user, I think that was changed in cups.

Any help is appreciated. I posted in ubuntuforums.org (http://ubuntuforums.org/showthread.php?p=4764078), but there was no reply.

Regards,
Dmitry.

Simon Bridge · 04-22-2008, 09:29 AM

I have that same update, and no issues.
my user is not in /etc/cups/cupsd.conf
no sign of any "cupsys" user either
my permissions are like yours

I don't think we can put this on the CUPS update.

Your user needs to be a member of lpadmin group to add/remove printers.

dda · 04-22-2008, 12:11 PM

Yes, I checked at the very beginning - my user is in lpadmin group. I also see the following in /var/log/messages at boot time:

Code:

Apr 21 12:01:29 x700 kernel: [   51.120756] Failure registering capabilities with primary security module.
Apr 21 12:01:29 x700 kernel: [   51.649367] audit(1208764889.568:3):  type=1502 operation="inode_permission" requested_mask="a" denied_mask="a" name="/dev/tt
y" pid=6681 profile="/usr/sbin/cupsd"

Maybe it is related?

Simon Bridge · 04-22-2008, 07:25 PM

See this bug report. Also this one. Technically should have been fixed by now.

Mentioned in the (official) Ubuntu Wiki under DebuggingPrintingProblems.

The workaround is: sudo aa-complain cupsd

I don't use apparmor, which is why I don't see this behavior.

dda · 04-23-2008, 08:05 AM

Thanks.

I have disabled cupsd in apparmor as you suggested, but still getting "PID 27178 (/usr/lib/cups/cgi-bin/admin.cgi) stopped with status 22!" error when there is no "User dda" in cupsd.conf.

Simon Bridge · 04-23-2008, 09:44 AM

But can you add printers?
What happened to the other errors? syslog?

Status 22 = permission denied.
Increase the debug level in cupsd.conf

dda · 04-23-2008, 09:57 AM

No, without having "User dda" in cupsd.conf I can not do anything. I already have DEBUG2 log level, see my 1st post..

Simon Bridge · 04-23-2008, 09:51 PM

And the other errors? Presumably the "Failure registering capabilities" error has vanished?

This occurred after an upgrade... have you enabled backports?
Did you completely disable apparmor or just for cupsd?
(I'm trying to figure what I have that is different from you.)

dda · 04-24-2008, 01:01 AM

Hi Simon,

After running "sudo aa-complain cupsd" I still see the following in /var/log/messages when cupsd is started:

Code:

Apr 24 09:55:32 x700 kernel: [107268.775908] audit(1209016532.184:7):  type=1503 operation="inode_permission" requested_mask="a" denied_mask="a" name="/dev/tty" pid=29331 profile="/usr/sbin/cupsd"

I think that the "Failure registering capabilities" message appears only during boot, I will let you know on the next reboot. But I noticed that in the message above requested_mask="a", while in the links you gave me they mention another masks for /dev/tty, "rw". Here is my /dev/tty:

$ ll /dev/tty
crw-rw-rw- 1 root root 5, 0 2008-04-24 09:53 /dev/tty

Regards,
Dmitry.

Simon Bridge · 04-24-2008, 03:19 AM

Hmmm... just to be thorough - disable apparmor completely.
Follow the procedure in the troubleshooting link for posting a bug report.

dda · 04-25-2008, 05:53 PM

I found what it was -- somehow /usr, /usr/bin, /usr/share permissions were changed from 755 root:root to 700 dda:users. I fixed that, and now everything works fine. I will try to find what exactly caused that change.

Is there a way to audit the system against such changes?

Thanks a lot for attention!

Simon Bridge · 04-26-2008, 12:41 AM

Great - in the unlikely event you find out what it was, you'll have something to contribute.
Cannot think of any way to explicitly audit the system for such a thing.

dda · 04-26-2008, 09:13 AM

Installed tripwire - will see if it helps to monitor such changes.

mylo · 08-08-2008, 08:12 AM

or sxid (can also generate a report as an mail)

suid, sgid file and directory checking
This program is runs as a cronjob. Basically it tracks any changes in
your s[ug]id files and folders. If there are any new ones, ones that
aren't set any more, or they have changed bits or other modes then it
reports the changes. You can also run this manually for spot checking.

It tracks s[ug]id files by md5 checksums. This helps detect if your files
have been tampered with, would not show under normal name and permissions
checking. Directories are tracked by inodes.

dda · 08-08-2008, 08:58 AM

Thanks! Looks simpler than tripwire.