CUPS is broken in Ubuntu Gutsy after update?
Hello,
I was able to add and use printer in Gutsy, but recently when i tried to print, noticed that my job was held. After trying to fix it, I removed printer, and was not able to add a new both via web console and gnome program. In logs I found: Code:
E [07/Apr/2008:22:02:21 +0000] [CGI] Unable to execute "/usr/lib/cups/backend/hal" - Permission denied Code:
d [08/Apr/2008:00:07:05 +0000] cupsdStartProcess("/usr/lib/cups/daemon/cups-driverd", 0x7fffdd2cb750, 0x7fffdd2cb390, -1, 10, 6) Code:
2008-04-03 10:38:12 upgrade cupsys 1.3.2-1ubuntu7.5 1.3.2-1ubuntu7.6 I found several "status 22" posts in forums, but nothing applied to my case. By experiment I found that if I add "User dda" (this is my username) to /etc/cups/cupsd.conf, everything works. But I guess it won't work for other local users in the system. So, what happened? I compared permissions of cupsd daemon, and the backends and CGIs - all were correct (root:root, 755). In an older system, Feisty with cups 1.2.8, some permissions are different, i.e. there is user cupsys, in my system there is no such user, I think that was changed in cups. Any help is appreciated. I posted in ubuntuforums.org (http://ubuntuforums.org/showthread.php?p=4764078), but there was no reply. Regards, Dmitry. |
I have that same update, and no issues.
my user is not in /etc/cups/cupsd.conf no sign of any "cupsys" user either my permissions are like yours I don't think we can put this on the CUPS update. Your user needs to be a member of lpadmin group to add/remove printers. |
Yes, I checked at the very beginning - my user is in lpadmin group. I also see the following in /var/log/messages at boot time:
Code:
Apr 21 12:01:29 x700 kernel: [ 51.120756] Failure registering capabilities with primary security module. |
See this bug report. Also this one. Technically should have been fixed by now.
Mentioned in the (official) Ubuntu Wiki under DebuggingPrintingProblems. The workaround is: sudo aa-complain cupsd I don't use apparmor, which is why I don't see this behavior. |
Thanks.
I have disabled cupsd in apparmor as you suggested, but still getting "PID 27178 (/usr/lib/cups/cgi-bin/admin.cgi) stopped with status 22!" error when there is no "User dda" in cupsd.conf. :( |
But can you add printers?
What happened to the other errors? syslog? Status 22 = permission denied. Increase the debug level in cupsd.conf |
No, without having "User dda" in cupsd.conf I can not do anything. I already have DEBUG2 log level, see my 1st post..
|
And the other errors? Presumably the "Failure registering capabilities" error has vanished?
This occurred after an upgrade... have you enabled backports? Did you completely disable apparmor or just for cupsd? (I'm trying to figure what I have that is different from you.) |
Hi Simon,
After running "sudo aa-complain cupsd" I still see the following in /var/log/messages when cupsd is started: Code:
Apr 24 09:55:32 x700 kernel: [107268.775908] audit(1209016532.184:7): type=1503 operation="inode_permission" requested_mask="a" denied_mask="a" name="/dev/tty" pid=29331 profile="/usr/sbin/cupsd" $ ll /dev/tty crw-rw-rw- 1 root root 5, 0 2008-04-24 09:53 /dev/tty Regards, Dmitry. |
Hmmm... just to be thorough - disable apparmor completely.
Follow the procedure in the troubleshooting link for posting a bug report. |
I found what it was -- somehow /usr, /usr/bin, /usr/share permissions were changed from 755 root:root to 700 dda:users. I fixed that, and now everything works fine. I will try to find what exactly caused that change.
Is there a way to audit the system against such changes? Thanks a lot for attention! |
Great - in the unlikely event you find out what it was, you'll have something to contribute.
Cannot think of any way to explicitly audit the system for such a thing. |
Installed tripwire - will see if it helps to monitor such changes.
|
or sxid (can also generate a report as an mail)
suid, sgid file and directory checking This program is runs as a cronjob. Basically it tracks any changes in your s[ug]id files and folders. If there are any new ones, ones that aren't set any more, or they have changed bits or other modes then it reports the changes. You can also run this manually for spot checking. It tracks s[ug]id files by md5 checksums. This helps detect if your files have been tampered with, would not show under normal name and permissions checking. Directories are tracked by inodes. |
Thanks! Looks simpler than tripwire.
|
All times are GMT -5. The time now is 11:49 PM. |