[HLUG] CUPS needs password

Graham Cole g at gcole.uklinux.net
Wed Jul 20 17:26:04 BST 2005 

On Tue, 2005-07-19 at 16:56 +0100, John Hedges wrote: 
> > > On Tue, Jul 19, 2005 at 08:08:10AM +0100, Graham Cole wrote:
> > > >  I think I know how this password problem started. In my OS I have a
> > > > six-letter password for root. This is not acceptable in CUPS: there must
> > > > be at least one number. Hence if CUPS has craftily taken on my normal
> > > > root password I am in an impossible position.
> > > > This raises a question of inbuilt incompatibility for some Linux users
> > > > of CUPS. If I'm right in my analysis I could go the long way round and
> > > > reset my root password then re-install CUPS. But in theory I should be
> > > > able to use the lppasswd command!
> > > 
> > > To use lppasswd you need to edit /etc/cups/cupsd.conf - at least on
> > > debian which is ubuntu related. I wouldn't recommend this and if you
> > > have I would suggest reinstalling cups making sure you purge the
> > > configuration files (--purge option to dpkg but I don't know about
> > > ubuntu)
> > > 
> > > As far as I know, cups doesn't do password authentication itself, but
> > > instead uses the pam libraries from a separate package to do it.
> > > 
> > > Are you able to log in as root at a console?
> > > 
> > > $su root
> > > Password: *****
> > > 
> > > If you cannot then you have a problem and, although you might get cups
> > > working without, sooner or later you will need to be able to log in as
> > > root. If you can log in but without a password, you should follow
> > > Julian's advice and create one.
> > > 
> > > Can you copy the section
> > > 
> > > <Location /admin>
> > > 	...
> > > </Location>
> > > 
> > > from /etc/cups/cupsd.conf and mail it to the list? And also let us know
> > > how you are getting on with the root password thing :)
> > > 
> > > Cheers
> > > 
> > > John
> > 
> > Hi John, I have copied extracts from the file and the second bit looks
> > very empty!
> > 
> > root at localhost:/home/gc1 # cat /etc/cups/cupsd.conf     
> >  gives these extracts:
> > ------------------------------------------------------------------
> > <Location /admin>
> > #
> > # You definitely will want to limit access to the administration
> > functions.
> > # The default configuration requires a local connection from a user who
> > # is a member of the system group to do any admin tasks.  You can change
> > # the group name using the SystemGroup directive.
> > #
> > 
> > AuthType Basic
> > AuthClass System
> > ------------------------------------------------------------------------
> > </Location>
> > 
> > #
> > # End of "$Id: cupsd.conf.in,v 1.17 2005/01/03 19:29:45 mike Exp $".#
> > --------------------------------------------------------------------
> > I have not tried to re-install cups but I guess that can be done mainly
> > with my Ubuntu disk and not much use of the internet. I did a quick
> > upgrade of the CUPS server just now but still found I was getting no joy
> > with my username and password. I suppose a full re-install of CUPS would
> > be best now?
> > Graham
> 
> Hi Graham
> 
> Your location section is the same as mine except for these linse after
> 'AuthClass' line
> 
> You might want to try adding them:
> 
>     ## Restrict access to local domain
>     Order Deny,Allow
>     Deny From All
>     Allow From 127.0.0.1
> 
> If you can log on as root/passwd from a console then I don't know why
> you cant with cups. Are there any interesting messages in
> /var/log/auth.log /var/log/syslog /var/log/messages or /var/log/daemon
> 
> $ls -lrt /var/log
> 
> is a good way to see which logfiles have been appended to most recently
> - try to log into cups and quickly do a ls to see if anything was
> logged.
> 
> You might also consider increasing the log output in
> /etc/cups/cupsd.conf to debug or debug2:
> 
>    LogLevel = debug
> 
> You will need to restart cups after making changes to the config with
> either:
> 
>     $/etc/init.d/cupsys reload
>     
> or
> 
>     $/etc/init.d/cupsys restart
> 
> John
> 
Hi John
I found no explanations of auth failures in the various log files.
I did the last actions and changed the LogLevel to debug.
Also your info gave me an idea. In /cupsd.conf I commented out the lines
AuthType Basic
AuthClass System

and removed the # from 
AuthType None

So now anyone can open the Wizard. Since no-one else tries to use my
computer I have no security problem!
The Wizard is simple but so am I. What should I put in the 'Location'
box? I have typed 'local'.

There is a slight snag: although I can get the wizard to appear and
apparently work it does not enable printing. At the top of the Wizard I
have a message in red letters: 'Administrative tasks have been disabled
for security reasons. Please use Menu System > Administration >
Printing.
Another level of security coming into play?

Using this:

root at localhost:/home/gc1 # cat /var/log/cups/error_log

 I got this:

I [20/Jul/2005:16:22:15 +0100] Started
"/usr/lib/cups/cgi-bin/admin.cgi" (pid=4779)
I [20/Jul/2005:16:22:15 +0100] Saving printers.conf...
I [20/Jul/2005:16:22:15 +0100] Printer 'stylus-cx' rejecting jobs ('').
I [20/Jul/2005:16:22:26 +0100] Started
"/usr/lib/cups/cgi-bin/printers.cgi" (pid=4782)
I [20/Jul/2005:16:22:33 +0100] Started
"/usr/lib/cups/cgi-bin/admin.cgi" (pid=4783)
I [20/Jul/2005:16:22:34 +0100] Saving printers.conf...
I [20/Jul/2005:16:22:34 +0100] Printer 'stylus-cx' now accepting jobs
('').
I [20/Jul/2005:16:22:38 +0100] Started
"/usr/lib/cups/cgi-bin/printers.cgi" (pid=4786)
I [20/Jul/2005:16:22:53 +0100] Started
"/usr/lib/cups/cgi-bin/admin.cgi" (pid=4790)
I [20/Jul/2005:16:22:54 +0100] Saving printers.conf...
I [20/Jul/2005:16:22:54 +0100] Saving classes.conf...
I [20/Jul/2005:16:22:54 +0100] Default destination set to 'stylus-cx' by
''.
Can you detect anything going wrong here?

I'm being very patient with this problem. At least I'm learning a lot as
I go so the time is not all wasted.

Graham

More information about the Herefordshire mailing list