Bug#539156: Bug#614713: Re-open: cups-pdf: installation asks for a password
Hi *,

> How about now? :)

thanks for your patience :)

I can confirm Didier's steps to work under jessie and sid, however it takes ages for lpstat, lpadmin, cupsenable et al to timeout (the overall postinst run took several minutes). I didn't dig very deep into this this time, but at least the password queries are gone and unattended builds would work again with this.

> However, before I go ahead and implement this, I'd like to hear the opinion of CUPS maintainers about whether your analysis is correct and about what solutions they offer.

Guessing it's a tad late for this to make it into the upcoming point release... How do you want to proceed? Get it fixed in wheezy in the first place? If so I could come up with a patch some time in January.

Cheers
Daniel

Bug#539156: Bug#614713: Re-open: cups-pdf: installation asks for a password
Martin-Eric,

thanks for bumping this. I'll try to get on this between the holidays.

Daniel

On 12/20/2014 11:56 PM, Martin-Éric Racine wrote:
> 2014-10-27 18:16 GMT+02:00 Daniel Reichelt deb...@nachtgeist.net:
>>> Have you had time to reproduce this by following Didier's steps?
>>
>> Not so far. For personal reasons I'll be busy for at least the next 2 to 3 weeks :/
>
> How about now? :)
>
> Martin-Éric

Bug#539156: Bug#614713: Re-open: cups-pdf: installation asks for a password
2014-10-27 18:16 GMT+02:00 Daniel Reichelt deb...@nachtgeist.net:
>> Have you had time to reproduce this by following Didier's steps?
>
> Not so far. For personal reasons I'll be busy for at least the next 2 to 3 weeks :/

How about now? :)

Martin-Éric

Bug#614713: Re-open: cups-pdf: installation asks for a password
2014-10-23 0:41 GMT+03:00 Daniel Reichelt deb...@nachtgeist.net:
> Thanks Didier. I'll try to work in this on the weekend (not sure though).
>
> One more question: which debian version were you running on the chroot host while you were trying to reproduce this?

Daniel,

Have you had time to reproduce this by following Didier's steps?

--
Martin-Éric

Bug#614713: Re-open: cups-pdf: installation asks for a password
> Have you had time to reproduce this by following Didier's steps?

Not so far. For personal reasons I'll be busy for at least the next 2 to 3 weeks :/

Daniel

Bug#614713: Re-open: cups-pdf: installation asks for a password
On Wednesday, 22 October 2014, 23.41:54 Daniel Reichelt wrote:
> Hi guys,
>
> Thanks Didier. I'll try to work in this on the weekend (not sure though).
>
> One more question: which debian version were you running on the chroot host while you were trying to reproduce this?

Debian Sid on Linux with systemd as init.

Cheers,
OdyX

Bug#614713: Re-open: cups-pdf: installation asks for a password
Hi guys,

Thanks Didier. I'll try to work in this on the weekend (not sure though).

One more question: which debian version were you running on the chroot host while you were trying to reproduce this?

Cheers,
Daniel

Bug#614713: Re-open: cups-pdf: installation asks for a password
On Monday, 20 October 2014, 22.38:17 Daniel Reichelt wrote:
>> I cannot confirm this: CUPS 1.7 is installable and working inside a chroot, as long as the 631 port is available. Is this a bug with CUPS 1.4 only? Has it been reproduced with later versions?
>
> Which steps exactly did you take in trying to reproduce this?

$ mkdir sid-chroot
$ sudo debootstrap sid ./sid-chroot/ http://http.debian.net/debian/
$ sudo mount proc sid-chroot/proc/ -t proc
$ sudo mount proc sid-chroot/sys/ -t sysfs
$ sudo chroot sid-chroot
# apt install cups-pdf
(… which end in …)
Processing triggers for dbus (1.8.8-2) ...
Setting up libcupsimage2:amd64 (1.7.5-5) ...
Setting up libcupsfilters1:amd64 (1.0.61-2) ...
Setting up cups-filters-core-drivers (1.0.61-2) ...
Setting up cups-core-drivers (1.7.5-5) ...
Setting up libgs9 (9.06~dfsg-1.1+b1) ...
Setting up ghostscript (9.06~dfsg-1.1+b1) ...
Setting up cups-client (1.7.5-5) ...
Setting up cups-filters (1.0.61-2) ...
[ ok ] Reloading Common Unix Printing System: cupsd.
Setting up cups (1.7.5-5) ...
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
Updating PPD files for cups ...
Updating PPD files for cups-filters ...
Updating PPD files for cups-pdf ...
Updating PPD files for gutenprint ...
Setting up printer-driver-cups-pdf (2.6.1-14) ...
[ ok ] Reloading Common Unix Printing System: cupsd.
Setting up cups-pdf (2.6.1-14) ...
Setting up printer-driver-gutenprint (5.2.10-3) ...
Processing triggers for libc-bin (2.19-11) ...
Processing triggers for sgml-base (1.26+nmu4) ...
#

So I don't see cups-pdf asking for a password in a chroot setup, for the sid versions.

Cheers,
OdyX

Bug#614713: Re-open: cups-pdf: installation asks for a password
Tue, 2012-10-09 at 04:05 +0200, Daniel Reichelt wrote:
> unarchive 614713
> reopen 614713 !
> severity serious
> thanks
> --
>
> Hi Martin-Eric,

Seems that this re-opening went under my radar as it was sent directly to the BTS' control interface, which doesn't CC the maintainer or add the message body to the bug.

>> just wanted to tell 2.5.1-3 works fine here and thanks for the quick action.
>
> I'm sorry, I wrote bull. My live-* build-system from back then somehow got messed-up and the installation of cups-pdf worked, although it shouldn't have. This came up again here [1]. So I dug in again and sadly I have to revise the explanation about encryption: the superfluous -E parameter to the lpadmin call in postinst was just that: superfluous but not responsible for the password query when run within a chroot.
>
> lpadmin has several ways of gaining authentication against a cups daemon. The ones involved are
>
> 1) certificates issued by the cups daemon (NOT to be confused with SSL certificates, more to the point they should have been named s.th. like authentication tokens) [2], [3]. Whenever a client tries to talk to cupsd on localhost, it tries to use the certificate data read from /var/run/cups/certs/PID or ...certs/0 (certs directory owned by lp:lpadmin, mode 511) and passes them to cupsd for authentication.
>
> 2) interactive authentication, asking the user for a password if 1) didn't succeed or the certs directory wasn't readable by the user invoking lpadmin.
>
> In case of installing cups-pdf within a chroot, said certs directory just doesn't exist, so lpadmin has to resort to asking the user for a password.

Thanks for this in-depth analysis. As far as I can tell, this essentially makes CUPS itself non-installable inside a chroot. Makes one wonder what got into upstream CUPS authors to migrate to an architecture that requires a running daemon to work.

> Doing user-interaction during postinst other than by the use of debconf is a violation of the Debian Policy, thus severity=serious.

It indeed is.

> The simplest solution to this would be
>
> a)
> - Check the availability of /var/run/cups/certs/0
> -- yes: run as before
> -- no: skip invocation of lpadmin
>
> Of course, that's not very elegant. Sadly, lpadmin has no way of specifying a password on the command-line. If one wouldn't mind a dependency on expect, we could
>
> b)
> - Check the availability of /var/run/cups/certs/0
> -- yes: run as before
> -- no: via debconf ask the user for the root password (or user/pw tuple of s.o. being a member of lpadmin group)
> -- invoke lpadmin from an expect script, interactively entering the password provided during the debconf stage
>
> Personally, I'd vote for a).

I would tend to agree. However, before I go ahead and implement this, I'd like to hear the opinion of CUPS maintainers about whether your analysis is correct and about what solutions they offer.

> IF a correct run of lpadmin within the chroot was necessary, that case could be handled by copying .../certs/0 into the chroot prior to the installation of cups-pdf and removing it afterwards. However, most of the times I expect cups-pdf to already have been installed outside the chroot, so the printer queue should already exist and an invocation of lpadmin within the chroot would be superfluous anyway.
>
> Opinions?
>
> Daniel
>
> [1] http://lists.debian.org/debian-live/2012/08/msg00078.html
> [2] http://www.cups.org/documentation.php/doc-1.4/security.html Section Authentication Issues, #3
> [3] cups source package, cups/auth.c, line 655 (in v1.4.4) ff.

Martin-Éric

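Option a) from the message above, written as a shell guard. This is an added example, not the cups-pdf postinst; the function names, the CUPS_ACTION variable and the CUPS_CERT_DIR override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the cups-pdf maintainer script.
# Option a) from the thread: run lpadmin only when the certificate file
# that cupsd writes at certs/0 is readable; otherwise skip the call.

# Path named in the thread. The override is an assumption made here so the
# guard can be exercised against a scratch directory.
CUPS_CERT_DIR="${CUPS_CERT_DIR:-/var/run/cups/certs}"

# Records which branch the last call took: "ran" or "skipped".
CUPS_ACTION=""

# Succeeds when certificate file "0" exists and this user can read it.
# The certs directory is mode 511, so it may be traversable without being
# listable: test the file by name instead of listing the directory.
have_local_cups_cert() {
    [ -f "$CUPS_CERT_DIR/0" ] && [ -r "$CUPS_CERT_DIR/0" ]
}

# run_with_cups_cert CMD [ARGS...]
# Runs CMD when certificate authentication is possible. When it is not
# (for example in a chroot without the certs directory), CMD is skipped
# and 0 is returned, so the interactive password prompt is never reached
# and a postinst using this guard does not fail.
run_with_cups_cert() {
    if have_local_cups_cert; then
        CUPS_ACTION="ran"
        "$@"
    else
        CUPS_ACTION="skipped"
        echo "no readable $CUPS_CERT_DIR/0, skipping: $*" >&2
        return 0
    fi
}

# Intended use in a maintainer script, with the lpadmin arguments the
# script already passes:
#   run_with_cups_cert lpadmin ...
```
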
Bug#614713: Re-open: cups-pdf: installation asks for a password
Control: tags -1 +unreproducible

On Monday, 20 October 2014, 15.15:36 Martin-Éric Racine wrote:
>> lpadmin has several ways of gaining authentication against a cups daemon. The ones involved are
>>
>> 1) certificates issued by the cups daemon (NOT to be confused with SSL certificates, more to the point they should have been named s.th. like authentication tokens) [2], [3]. Whenever a client tries to talk to cupsd on localhost, it tries to use the certificate data read from /var/run/cups/certs/PID or ...certs/0 (certs directory owned by lp:lpadmin, mode 511) and passes them to cupsd for authentication.
>>
>> In case of installing cups-pdf within a chroot, said certs directory just doesn't exist, so lpadmin has to resort to asking the user for a password.
>
> Thanks for this in-depth analysis. As far as I can tell, this essentially makes CUPS itself non-installable inside a chroot. Makes one wonder what got into upstream CUPS authors to migrate to an architecture that requires a running daemon to work.

I cannot confirm this: CUPS 1.7 is installable and working inside a chroot, as long as the 631 port is available. Is this a bug with CUPS 1.4 only? Has it been reproduced with later versions?

Also, the cups-pdf logs in piuparts are fine: https://piuparts.debian.org/sid/source/c/cups-pdf.html

Cheers,
OdyX

P.S. The current CUPS maintainers' mailing list is debian-printing@l.d.o

--
OdyX

Bug#614713: Re-open: cups-pdf: installation asks for a password
> I cannot confirm this: CUPS 1.7 is installable and working inside a chroot, as long as the 631 port is available. Is this a bug with CUPS 1.4 only? Has it been reproduced with later versions?

Thanks, Didier. Which steps exactly did you take in trying to reproduce this?

Thanks
Daniel