Optware / Optware-ng


CUPS authentication and airprint (see #159) problems #156

Closed PiotrC1 closed 7 years ago

PiotrC1 commented 8 years ago

The CUPS 2.1.2 printing system sometimes asks for a user and password. In this case the following error pops up in /var/log/messages:

Sep  1 23:19:58 Tomato authpriv.err syslog: PAM _pam_init_handlers: could not open /etc/pam.conf
Sep  1 23:19:58 Tomato authpriv.err syslog: PAM pam_start: failed to initialize handlers

Indeed, /etc/pam.conf is missing.

alllexx88 commented 8 years ago

Thanks for the report. I assume this is fixed after this commit: 3e6ec7aeeff3cb40bcbfb1fc1a846df74deb0a22 Please upgrade (libpam or simply everything) and test

PiotrC1 commented 8 years ago

I have upgraded, but it still doesn't work. Now in /var/log/messages can be found:

root@Tomato:/tmp/home/root# cat /var/log/messages | grep pam
Sep  2 21:08:06 Tomato authpriv.err syslog: PAM _pam_init_handlers: no default config /opt/etc/pam.d/other
Sep  2 21:08:06 Tomato authpriv.err syslog: PAM pam_start: failed to initialize handlers

alllexx88 commented 8 years ago

@PiotrC1 This is now tested to be fixed on a TomatoUSB Shibby router (ipkg update; ipkg upgrade libpam). However, /etc/shadow is bugged on TomatoUSB firmwares, so you'll still not be able to login (use root account) to the password protected part of cups webui (https://:631/admin), and get something like this in /var/log/messages:

Sep  3 12:36:29 unknown authpriv.notice syslog: pam_unix(cups:account): account root has expired (account expired)

The bug lies within root /etc/shadow entry:

root:<password cache>:0:0:99999:7:0:0:

You can fix it with a sed on every boot:

sed -i -e '/^root:/s/:0:0:99999:7:0:0:$/:17048:0:99999:7:::/' /etc/shadow

This should work for many, many years (at least, if your system time is correct: see http://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html)

Please confirm fixed, and I'll be looking into fixing avahi issues
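The two fields the sed above rewrites can be checked directly. This is an added example, not code from the thread or from Optware-ng: per shadow(5), field 3 (last change) set to 0 forces a password change at next login, and field 8 (expire) is a day number since 1970-01-01, so 0 is long past. The function names, the sample entries and the `HASH` placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). shadow(5) field order:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved

# shadow_flags FILE [TODAY]: print "user:reason" for entries whose aging
# fields block a normal login. TODAY is in days since 1970-01-01.
shadow_flags() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        # expire (field 8) set and already in the past: account expired
        $8 ~ /^[0-9]+$/ && $8 + 0 < today + 0 { print $1 ":expired"; next }
        # lastchg (field 3) of 0: password change forced at next login
        $3 == "0" { print $1 ":must-change-password" }
    ' "$1"
}

# fix_root_entry FILE: the sed from the comment above, minus -i, so the
# result goes to stdout and the input file is left untouched.
fix_root_entry() {
    sed -e '/^root:/s/:0:0:99999:7:0:0:$/:17048:0:99999:7:::/' "$1"
}

# Constructed sample entries; HASH stands in for a password hash.
make_sample() {
    cat <<'EOF'
root:HASH:0:0:99999:7:0:0:
nobody:*:17048:0:99999:7:::
admin:HASH:0:0:99999:7:::
EOF
}

# Demo with a fixed "today" (day 17050) so the output is repeatable.
tmp=$(mktemp)
make_sample > "$tmp"
echo "before:"; shadow_flags "$tmp" 17050
echo "after:";  fix_root_entry "$tmp" | shadow_flags - 17050
rm -f "$tmp"
```

Because the sed is anchored on `^root:`, the constructed `admin` entry keeps its forced password change after the fix; only the root line stops being reported.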

PiotrC1 commented 8 years ago

Hi @alllexx88! Thanks for your great effort to improve optware-ng! As I have mentioned I was unable to upgrade my optware-ng, so I reinstalled it. I have added to my startup script modification of /etc/shadow. Now I can reach /admin directory and I'm able to add and remove printers.

PiotrC1 commented 8 years ago

BTW. I propose following /opt/etc/init.d/S60cups

#!/bin/sh

ENABLED=yes
PROCS=cupsd
ARGS=""
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func 

It's taken from the entware-ng project.

alllexx88 commented 8 years ago

@PiotrC1 I'm glad to hear that we're having progress :smile: Likewise thank you for your interest in Optware-ng

I've added /opt/etc/init.d/S88cupsd startup script (but haven't tested it): it should be online soon. The one from Entware-ng isn't applicable, since there's no /opt/etc/init.d/rc.func in Optware-ng

PiotrC1 commented 8 years ago

Well, the nonexistence of the rc.func script surprises me a little bit, because in this description there is a script generating both rc.func as well as rc.unslung. But nevertheless, the script, after starting then stopping then starting CUPS once again, falsely claims that CUPS is running. Tomorrow I will try to find the reason.

alllexx88 commented 8 years ago

@PiotrC1 The problem's that the referenced HOW-TO uses a script adapted from Entware, which makes use of this file. However, historically Optware didn't use it, and Optware-ng inherited it this way. Also, I see painless method to make this file available for those who bootstrapped Optware-ng a while ago (the only package that is 100% to be installed is the libc, but making it part of libc makes no sense), and I don't want to make hassle for them by breaking their setup.

But nevertheless, the script, after starting then stopping then starting CUPS once again, falsely claims that CUPS is running. Tomorrow I will try to find the reason.

That's one example of stupid things you do when you're tired and want to sleep :stuck_out_tongue: Here's the fix:

diff --git a/sources/cups/rc.cups b/sources/cups/rc.cups
index 6828c07..6dd5110 100644
--- a/sources/cups/rc.cups
+++ b/sources/cups/rc.cups
@@ -19,7 +19,7 @@ test "$ENABLED" != "0" || exit 0

 start_it_up()
 {
-  if [ -z "`%OPTWARE_TARGET_PREFIX%/bin/busybox pidof $NAME`" ]; then
+  if [ -n "`%OPTWARE_TARGET_PREFIX%/bin/busybox pidof $NAME`" ]; then
     echo "$DESC already started; not starting."
   else
     echo -n "Starting $DESC: "
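Review bot: In start_it_up(), the corrected `-n` test still decides "already started" purely from `busybox pidof $NAME`, with `$NAME` unquoted inside backticks, so any process carrying that name counts as this service's instance. Quote it as `"$NAME"`, prefer `$(...)` over backticks for readability, and where the daemon can write a pid file, test that file instead of the process name so a stale or unrelated process does not suppress the start.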

(for end-user packages %OPTWARE_TARGET_PREFIX% is replaced with /opt: I made effort to be able to build feeds with different prefixes in case we ever need it)

PiotrC1 commented 7 years ago

In order to run actual CUPS version (2.1.2-8) with Avahi smoothly following changes are necessary in /opt/etc/cups/cupsd.config:

With such a configuration CUPS finds local (USB) printers as well as network printers and prints from iOS devices and the lpr command.

PS. RIPCache Auto is essential - without it ghostscript crashes with a very unclear message in the log

alllexx88 commented 7 years ago

@PiotrC1 OK, I'll add this together with 2.1.4 upgrade and Debian patches, thanks

alllexx88 commented 7 years ago

@PiotrC1 I've applied those configuration changes, upgraded CUPS to 2.1.4, and added some very nice patches from Debian. Also, since one of the Debian patches makes cupsd create pid file, I also switched to using start-stop-daemon in combination with the pid file in rc script, so it should be much more robust now. Please test and report back. (You may need to manually killall the old cupsd -- if it was running before the upgrade)

PS. RIPCache Auto is essential - without it ghostscript crashes with a very unclear message in the log

True, it took me a while to figure it out in the old days

alllexx88 commented 7 years ago

For the reference, most 'getting cups to work with airprint' effort can be tracked in #159

alllexx88 commented 7 years ago

@PiotrC1 Seeing how important RIPCache setting is, I patched cupsd to default to auto instead of 128m when it's not set: 892052f23e3034ff49cb9f7bfc7fc236ada1aa7d

PiotrC1 commented 7 years ago

New features being tested - within weekend I will post results. So far I see only one problem:

E [09/Sep/2016:17:40:58 +0200] Unknown browse protocol "cups" ignored.

alllexx88 commented 7 years ago

OK, thanks. I guess it's just outdated, and we should remove it from cupsd.conf. Gotta go now

PiotrC1 commented 7 years ago

Hmmm - I don't know. The only point I have noticed is that I see only two versions of my printer while seeking for a printer - dnsns and usb. Previously there were three. You can try to use BrowseProtocols all

Still access rights of files problem persists:

E [09/Sep/2016:20:32:22 +0200] [CGI] File \"/opt/lib/cups/backend/cups-pdf\" has insecure permissions (0100775/uid=0/gid=0).

I suggest to change all 775 to 755 (despite what CUPS developers say).

alllexx88 commented 7 years ago

@PiotrC1

E [09/Sep/2016:20:32:22 +0200] [CGI] File \"/opt/lib/cups/backend/cups-pdf\" has insecure permissions (0100775/uid=0/gid=0).

/opt/lib/cups/backend/cups-pdf isn't part of cups package, I don't even have it on my system, and permissions of backends look fine:

[root@unknown root]$ ls -l /opt/lib/cups/backend
-rwxr-xr-x    1 root     root          8540 Sep  8 20:22 beh
-rwx------    1 root     root         15996 Sep  9 12:49 dnssd
lrwxrwxrwx    1 root     root             3 Sep  9 14:30 http -> ipp
lrwxrwxrwx    1 root     root             3 Sep  9 14:30 https -> ipp
-rwxr-xr-x    1 root     root         10044 Sep  8 20:22 implicitclass
-rwx------    1 root     root         70080 Sep  9 12:49 ipp
-rwx------    1 root     root         52440 Sep  9 12:49 ipp14
lrwxrwxrwx    1 root     root             3 Sep  9 14:30 ipps -> ipp
-rwx------    1 root     root         48116 Sep  9 12:49 lpd
-rwxr-xr-x    1 root     root         16708 Sep  8 20:22 parallel
-rwxr-xr-x    1 root     root         12440 Sep  8 20:22 serial
-rwxr-xr-x    1 root     root         26256 Sep  9 12:49 snmp
-rwxr-xr-x    1 root     root         31848 Sep  9 12:49 socket
-rwx------    1 root     root         31304 Sep  9 12:49 usb

Looks like it's part of cups-pdf package -- and this is the one that has to be fixed

PiotrC1 commented 7 years ago

You are right.

PiotrC1 commented 7 years ago

Funny CUPS behaviour - as I have mentioned before, my printer is accessible four ways:

  1. USB
  2. LPD (port 515)
  3. dnssd (port 631)
  4. socket (port 9100)

If I refresh List available printer I get zero to three "printers" - USB, dnssd and socket. Sometimes it's USB only, sometimes socket, sometimes no printers are found.

After changing BrowseProtocols to all as well as adding BrowseRemoteProtocols all there are following lines in log:

E [09/Sep/2016:22:55:55 +0200] Unknown directive BrowseRemoteProtocols on line 510 of /opt/etc/cups/cupsd.conf.
I [09/Sep/2016:22:55:55 +0200] Unknown LPDConfigFile scheme!
I [09/Sep/2016:22:55:55 +0200] Unknown SMBConfigFile scheme!

One more remark: After changing access rights of /opt/lib/cups/backend/cups-pdf to 755 running /opt/lib/cups/daemon/cups-deviced shows among other message

cups-pdf cannot be called without root privileges!

After changing them to 775 there is an error message:

ERROR: File "/opt/lib/cups/backend/cups-pdf" has insecure permition (0100775/uid=0/gid=0).

but it changes nothing regarding number of printers found.

PiotrC1 commented 7 years ago

To summarize my tests - iOS can print with newest CUPS + Avahi version.

alllexx88 commented 7 years ago

@PiotrC1 cups-pdf is used for virtual pdf paperless printers. Try chmod 700 /opt/lib/cups/backend/cups-pdf

As for protocols, need to have a closer look.

Good to see it work in general :smiley:

PiotrC1 commented 7 years ago

After changing access rights of all files in /opt/lib/cups/backend to 700 discovery works each time the same. Now, there is following error in error_log:

E [10/Sep/2016:03:00:15 +0200] [cups-deviced] PID 3255 (cups-pdf) stopped with status 5!

and in cups-pdf_log:

Sat Sep 10 03:00:15 2016 [ERROR] Grp not found (lp)

After adding group lp in printer discovery appeared one more printer:

Virtual PDF Printer (CUPS-PDF)

alllexx88 commented 7 years ago

After changing access rights of all files in /opt/lib/cups/backend to 700 discovery works each time the same.

700 permissions force CUPS to not try to run backends in user mode -- only as root. I thought only usb backend needed this, but looks like we have to chmod them all.

Sat Sep 10 03:00:15 2016 [ERROR] Grp not found (lp)

After adding group lp in printer discovery appeared one more printer

Yeah, but we have to do it after each reboot in case of routers. As an option, this can be done in cupsd rc script, but I think we should better change cups printing group to nobody: this is more robust (what if user starts cupsd manually, bypassing the rc script?). It can be changed in the config -- but I prefer patching cups to default to "nobody" group.
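The permission states discussed in this thread can be audited with a short script. This is an added example, not code from the thread or from Optware-ng; it relies only on what the thread reports (mode 0775 triggers the "insecure permissions" error, and 700 is the mode the maintainer sets so that backends run as root). The function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread).

# audit_backends DIR: print "name:verdict" for each regular file in DIR.
audit_backends() {
    for f in "$1"/*; do
        # skip symlinks such as http -> ipp, and anything not a regular file
        if [ -L "$f" ] || [ ! -f "$f" ]; then continue; fi
        name=${f##*/}
        if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \))" ]; then
            echo "$name:group-or-world-writable"   # e.g. 0775, as in the log
        elif [ -n "$(find "$f" -perm 700)" ]; then
            echo "$name:700"                       # mode chosen in the thread
        else
            echo "$name:not-700"
        fi
    done
}

# make_sample_dir: constructed stand-in for /opt/lib/cups/backend
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/cups-pdf"; chmod 775 "$d/cups-pdf"
    : > "$d/ipp";      chmod 700 "$d/ipp"
    : > "$d/socket";   chmod 755 "$d/socket"
    ln -s ipp "$d/http"
    echo "$d"
}

# Demo on the constructed directory
dir=$(make_sample_dir)
audit_backends "$dir"
rm -rf "$dir"
```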

alllexx88 commented 7 years ago

Also, what BrowseProtocols value should we set?

PiotrC1 commented 7 years ago

Patch CUPS, please. On the other side I use Raspberry PI. Please find enclosed access rights on Raspbian (it's Debian Jessie, as a matter of fact)

root@raspberrypi:/home/pi# ls -lh /usr/lib/cups/backend
razem 440K
-rwx------ 1 root root 22K lut  1  2015 cups-pdf
-rwxr--r-- 3 root root 18K cze 10  2015 dnssd
-rwxr--r-- 1 root root 81K lis  8  2014 gutenprint52+usb
lrwxrwxrwx 1 root root   3 cze 10  2015 http -> ipp
lrwxrwxrwx 1 root root   3 cze 10  2015 https -> ipp
-rwxr-xr-x 1 root root 70K cze 10  2015 ipp
-rwxr-xr-x 1 root root 46K cze 10  2015 ipp14
lrwxrwxrwx 1 root root   3 cze 10  2015 ipps -> ipp
-rwxr--r-- 2 root root 42K cze 10  2015 lpd
-rwxr--r-- 3 root root 18K cze 10  2015 mdns
-rwxr-xr-x 1 root root 18K gru 15  2015 parallel
-rwx------ 1 root root 14K gru 15  2015 serial
-r-xr-xr-x 2 root root 22K cze 10  2015 snmp
-r-xr-xr-x 2 root root 34K cze 10  2015 socket
-r-xr--r-- 2 root root 30K cze 10  2015 usb

They look totally different - but usb for instance is 544

PS. I made my own script /opt/sbin/after-mount.sh containing all this funny things like adding lp group just after mounting.

Also, what BrowseProtocols value should we set?

Just for safety, BrowseProtocols all

alllexx88 commented 7 years ago

@PiotrC1

Patch CUPS, please

I didn't even need to patch it: just have to pass some configure switches.

On the other side I use Raspberry PI. Please find enclosed access rights on Raspbian (it's Debian Jessie, as a matter of fact)

We have much less control of or certainty about what environment/system we'll be running than Debian developers have. Setting all backends permissions to 700 should force CUPS to run them as root thus bypassing access rights issues we might encounter.

Just for safety, BrowseProtocols all

OK, thanks.

Will be pushing upgrade soon

alllexx88 commented 7 years ago

@PiotrC1 Can you please test if it works fine for you with BrowseProtocols dnssd (or simply comment it out: it's default)?

PiotrC1 commented 7 years ago

While commented CUPS still works OK (I mean both printing as well as CUPS printer management).

Funny thing - both Add Printer as well as Find New Printers use /opt/lib/cups/cups-deviced but Find New Printers doesn't see USB printer, while Add Printer does.

alllexx88 commented 7 years ago

@PiotrC1 Update online. No idea about Find New Printers though

PiotrC1 commented 7 years ago

Don't bother - it's not critical. It has something to do with Avahi advertisements. Please have a look into ConfigFiles schemes and if old issues are gone we can close the topic.

PiotrC1 commented 7 years ago

Sorry no joy.

E [10/Sep/2016:19:48:53 +0200] [CGI] File \"/opt/lib/cups/backend/cups-pdf\" has insecure permissions (0100775/uid=0/gid=0).

After changing permissions to 750 (highest possible) in /opt/var/log/cups/cups-pdf_log pops up:

Sat Sep 10 20:00:02 2016 [ERROR] Grp not found (lp)

After adding lp group Virtual PDF Printer (CUPS-PDF) appears.

alllexx88 commented 7 years ago

I haven't yet tended to cups-pdf, so it's OK. I'll probably have some time for this tomorrow

I also want to upgrade it to latest stable

PiotrC1 commented 7 years ago

Take your time.

PiotrC1 commented 7 years ago

Modifications of 2016.09.11 - everything works out of a box. After clarifying ConfigFiles schemes we can close the issue. [Edit] - Sorry, I closed the issue by mistake.

alllexx88 commented 7 years ago

@PiotrC1 I think that does it: 279b3df3ebc0f3a18b7b453f0b1f56c426421262 LPD needs xinetd package and SMB -- properly configured samba

PiotrC1 commented 7 years ago

Everything OK. Thanks.

PiotrC1 commented 7 years ago

I don't know if it's done deliberately, but now admin activities do not need logging in. It's clear, because CUPS is running as root, but I don't know if it is safe.

alllexx88 commented 7 years ago

@PiotrC1 Try changing password -- and it should prompt for it again, it remembers your logins. At least, it works fine for me with default package provided config.

PiotrC1 commented 7 years ago

After clearing browser cache everything works as supposed. Sorry for false alert.

davygravy commented 7 years ago

Nice catch on the /etc/shadow bug!

I'm thinking about upgrading my AirPrint from optware to optware-ng. Testing some stuff now and building a few custom packages.

Thank you all for maintaining this new fork.