Closed PiotrC1 closed 7 years ago
Thanks for the report. I assume this is fixed after this commit: 3e6ec7aeeff3cb40bcbfb1fc1a846df74deb0a22
Please upgrade (libpam or simply everything) and test
I have upgraded, but it still doesn't work. Now in /var/log/messages can be found:
root@Tomato:/tmp/home/root# cat /var/log/messages | grep pam
Sep 2 21:08:06 Tomato authpriv.err syslog: PAM _pam_init_handlers: no default config /opt/etc/pam.d/other
Sep 2 21:08:06 Tomato authpriv.err syslog: PAM pam_start: failed to initialize handlers
@PiotrC1 This is now tested to be fixed on a TomatoUSB Shibby router (ipkg update; ipkg upgrade libpam). However, /etc/shadow is bugged on TomatoUSB firmwares, so you'll still not be able to login (use root account) to the password protected part of cups webui (https:///var/log/messages:
Sep 3 12:36:29 unknown authpriv.notice syslog: pam_unix(cups:account): account root has expired (account expired)
The bug lies within root /etc/shadow entry:
root:<password cache>:0:0:99999:7:0:0:
You can fix it with a sed on every boot:
sed -i -e '/^root:/s/:0:0:99999:7:0:0:$/:17048:0:99999:7:::/' /etc/shadow
This should work for many, many years (at least, if your system time is correct: see http://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html)
Please confirm fixed, and I'll be looking into fixing avahi issues
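Added example (not part of the original thread or of Optware-ng): a small shell check that explains why the root entry above is reported as expired and confirms that the sed from the post clears it. The function names and the sample shadow lines are constructed for illustration; the expiry rule is an assumption modelled on the pam_unix log line quoted above.

```shell
#!/bin/sh
# Added illustration; sample entries below are constructed, not real hashes.
# shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# (lastchg and expire are counted in days since 1970-01-01)

# Print "expired", "must-change" or "ok" for one shadow line ($1) on day $2.
# Assumption: a non-empty expire field that is <= today means expired,
# which matches the pam_unix "account expired" log line quoted above.
shadow_status() {
    lastchg=$(printf '%s\n' "$1" | cut -d: -f3)
    expire=$(printf '%s\n' "$1" | cut -d: -f8)
    if [ -n "$expire" ] && [ "$2" -ge "$expire" ]; then
        echo expired
    elif [ "$lastchg" = 0 ]; then
        echo must-change        # shadow(5): 0 forces a password change
    else
        echo ok
    fi
}

# Apply the sed from the post to the shadow file given as $1.
fix_root_entry() {
    sed -i -e '/^root:/s/:0:0:99999:7:0:0:$/:17048:0:99999:7:::/' "$1"
}

# Demo on a constructed copy, never on the live /etc/shadow.
demo() {
    today=$(( $(date +%s) / 86400 ))
    f=$(mktemp)
    printf '%s\n' 'root:x:0:0:99999:7:0:0:' 'nobody:*:0:0:99999:7:::' > "$f"
    echo "before: $(shadow_status "$(grep '^root:' "$f")" "$today")"
    fix_root_entry "$f"
    fix_root_entry "$f"    # second run is a no-op, so it is safe on every boot
    echo "after:  $(shadow_status "$(grep '^root:' "$f")" "$today")"
    rm -f "$f"
}
demo
```

The eighth field is what trips the account check: `0` is read as day zero, while an empty field means no expiry date is set.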
Hi @alllexx88! Thanks for your great effort to improve optware-ng! As I have mentioned I was unable to upgrade my optware-ng, so I reinstalled it. I have added to my startup script modification of /etc/shadow. Now I can reach /admin directory and I'm able to add and remove printers.
BTW. I propose following /opt/etc/init.d/S60cups
#!/bin/sh
ENABLED=yes
PROCS=cupsd
ARGS=""
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func
It's taken from entware-ng project.
@PiotrC1 I'm glad to hear that we're having progress :smile: Likewise thank you for your interest in Optware-ng
I've added /opt/etc/init.d/S88cupsd startup script (but haven't tested it): it should be online soon. The one from Entware-ng isn't applicable, since there's no /opt/etc/init.d/rc.func in Optware-ng
Well, not existence of rc.func script surprises me a little bit, because in this description there is a script generating both rc.func as well as rc.unslung. But nevertheless, script after starting then stopping then starting CUPS once again claims false that CUPS is running. Tomorrow I will try to find the reason.
@PiotrC1 The problem's that the referenced HOW-TO uses a script adapted from Entware, which makes use of this file. However, historically Optware didn't use it, and Optware-ng inherited it this way. Also, I see painless method to make this file available for those who bootstrapped Optware-ng a while ago (the only package that is 100% to be installed is the libc, but making it part of libc makes no sense), and I don't want to make hassle for them by breaking their setup.
But nevertheless, script after starting then stopping then starting CUPS once again claims false that CUPS is running. Tomorrow I will try to find the reason.
That's one example of stupid things you do when you're tired and want to sleep :stuck_out_tongue: Here's the fix:
diff --git a/sources/cups/rc.cups b/sources/cups/rc.cups
index 6828c07..6dd5110 100644
--- a/sources/cups/rc.cups
+++ b/sources/cups/rc.cups
@@ -19,7 +19,7 @@ test "$ENABLED" != "0" || exit 0
start_it_up()
{
- if [ -z "`%OPTWARE_TARGET_PREFIX%/bin/busybox pidof $NAME`" ]; then
+ if [ -n "`%OPTWARE_TARGET_PREFIX%/bin/busybox pidof $NAME`" ]; then
echo "$DESC already started; not starting."
else
echo -n "Starting $DESC: "
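Review bot: In start_it_up() the guard still depends on `busybox pidof $NAME` producing output, so any process that happens to carry that name makes the script report "already started", and `$NAME` is expanded unquoted inside backticks. Consider tracking the daemon through a pid file rather than by name, and write the test as [ -n "$(... pidof "$NAME")" ] so the expansion is quoted and the nesting is easier to read.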
(for end-user packages %OPTWARE_TARGET_PREFIX% is replaced with /opt: I made effort to be able to build feeds with different prefixes in case we ever need it)
In order to run actual CUPS version (2.1.2-8) with Avahi smoothly following changes are necessary in /opt/etc/cups/cupsd.config:
RIPCache auto
BrowseProtocols cups dnssd
<Location /> and <Location /admin> added Allow From @local
With such a configuration CUPS finds local (USB) printers as well as network printers and prints from iOS devices and lpr command.
PS. RIPCache Auto is essential - without it ghostscript crashes with very unclear message in the log
@PiotrC1 OK, I'll add this together with 2.1.4 upgrade and Debian patches, thanks
@PiotrC1
I've applied those configuration changes, upgraded CUPS to 2.1.4, and added some very nice patches from Debian. Also, since one of the Debian patches makes cupsd create pid file, I also switched to using start-stop-daemon in combination with the pid file in rc script, so it should be much more robust now. Please test and report back. (You may need to manually killall the old cupsd -- if it was running before the upgrade)
PS. RIPCache Auto is essential - without it ghostscript crashes with very unclear message in the log
True, it took me a while to figure it out in the old days
For the reference, most 'getting cups to work with airprint' effort can be tracked in #159
@PiotrC1
Seeing how important RIPCache setting is, I patched cupsd to default to auto instead of 128m when it's not set: 892052f23e3034ff49cb9f7bfc7fc236ada1aa7d
New features being tested - within weekend I will post results. So far I see only one problem:
E [09/Sep/2016:17:40:58 +0200] Unknown browse protocol "cups" ignored.
OK, thanks. I guess it's just outdated, and we should remove it from cupsd.conf. Gotta go now
Hmmm - I don't know. The only point I have noticed is that I see only two versions of my printer while seeking for a printer - dnsns and usb. Previously there were three.
You can try to use BrowseProtocols all
Still access rights of files problem persists:
E [09/Sep/2016:20:32:22 +0200] [CGI] File \"/opt/lib/cups/backend/cups-pdf\" has insecure permissions (0100775/uid=0/gid=0).
I suggest to change all 775 to 755 (despite what CUPS developers say).
@PiotrC1
E [09/Sep/2016:20:32:22 +0200] [CGI] File \"/opt/lib/cups/backend/cups-pdf\" has insecure permissions (0100775/uid=0/gid=0).
/opt/lib/cups/backend/cups-pdf isn't part of cups package, I don't even have it on my system, and permissions of backends look fine:
[root@unknown root]$ ls -l /opt/lib/cups/backend
-rwxr-xr-x 1 root root 8540 Sep 8 20:22 beh
-rwx------ 1 root root 15996 Sep 9 12:49 dnssd
lrwxrwxrwx 1 root root 3 Sep 9 14:30 http -> ipp
lrwxrwxrwx 1 root root 3 Sep 9 14:30 https -> ipp
-rwxr-xr-x 1 root root 10044 Sep 8 20:22 implicitclass
-rwx------ 1 root root 70080 Sep 9 12:49 ipp
-rwx------ 1 root root 52440 Sep 9 12:49 ipp14
lrwxrwxrwx 1 root root 3 Sep 9 14:30 ipps -> ipp
-rwx------ 1 root root 48116 Sep 9 12:49 lpd
-rwxr-xr-x 1 root root 16708 Sep 8 20:22 parallel
-rwxr-xr-x 1 root root 12440 Sep 8 20:22 serial
-rwxr-xr-x 1 root root 26256 Sep 9 12:49 snmp
-rwxr-xr-x 1 root root 31848 Sep 9 12:49 socket
-rwx------ 1 root root 31304 Sep 9 12:49 usb
Looks like it's part of cups-pdf package -- and this is the one that has to be fixed
You are right.
Funny CUPS behaviour - as I have mentioned before, my printer is accessible four ways:
If I refresh List available printer I get zero to three "printers" - USB, dnssd and socket. Sometimes it's USB only, sometimes socket, sometimes no printers are found.
After changing BrowseProtocols to all as well as adding BrowseRemoteProtocols all there are following lines in log:
E [09/Sep/2016:22:55:55 +0200] Unknown directive BrowseRemoteProtocols on line 510 of /opt/etc/cups/cupsd.conf.
I [09/Sep/2016:22:55:55 +0200] Unknown LPDConfigFile scheme!
I [09/Sep/2016:22:55:55 +0200] Unknown SMBConfigFile scheme!
One more remark:
After changing access rights of /opt/lib/cups/backend/cups-pdf to 755 running /opt/lib/cups/daemon/cups-deviced shows among other message
cups-pdf cannot be called without root privileges!
After changing them to 775 there is an error message:
ERROR: File "/opt/lib/cups/backend/cups-pdf" has insecure permition (0100775/uid=0/gid=0).
but it changes nothing regarding number of printers found.
To summarize my tests - iOS can print with newest CUPS + Avahi version.
@PiotrC1 cups-pdf is used for virtual pdf paperless printers. Try chmod 700 /opt/lib/cups/backend/cups-pdf
As for protocols, need to have a closer look.
Good to see it work in general :smiley:
After changing access rights of all files in /opt/lib/cups/backend to 700 discovery works each time the same.
Now, there is following error in error_log:
E [10/Sep/2016:03:00:15 +0200] [cups-deviced] PID 3255 (cups-pdf) stopped with status 5!
and in cups-pdf_log:
Sat Sep 10 03:00:15 2016 [ERROR] Grp not found (lp)
After adding group lp in printer discovery appeared one more printer:
Virtual PDF Printer (CUPS-PDF)
After changing access rights of all files in /opt/lib/cups/backend to 700 discovery works each time the same.
700 permissions force CUPS to not try to run backends in user mode -- only as root. I thought only usb backend needed this, but looks like we have to chmod them all.
Sat Sep 10 03:00:15 2016 [ERROR] Grp not found (lp)
After adding group lp in printer discovery appeared one more printer
Yeah, but we have to do it after each reboot in case of routers. As an option, this can be done in cupsd rc script, but I think we should better change cups printing group to nobody: this is more robust (what if user starts cupsd manually, bypassing the rc script?). It can be changed in the config -- but I prefer patching cups to default to "nobody" group.
Also, what BrowseProtocols value should we set?
Patch CUPS, please. On the other side I use Raspberry PI. Please find enclosed access rights on Raspbian (it's Debian Jessie, as a matter of fact)
root@raspberrypi:/home/pi# ls -lh /usr/lib/cups/backend
razem 440K
-rwx------ 1 root root 22K lut 1 2015 cups-pdf
-rwxr--r-- 3 root root 18K cze 10 2015 dnssd
-rwxr--r-- 1 root root 81K lis 8 2014 gutenprint52+usb
lrwxrwxrwx 1 root root 3 cze 10 2015 http -> ipp
lrwxrwxrwx 1 root root 3 cze 10 2015 https -> ipp
-rwxr-xr-x 1 root root 70K cze 10 2015 ipp
-rwxr-xr-x 1 root root 46K cze 10 2015 ipp14
lrwxrwxrwx 1 root root 3 cze 10 2015 ipps -> ipp
-rwxr--r-- 2 root root 42K cze 10 2015 lpd
-rwxr--r-- 3 root root 18K cze 10 2015 mdns
-rwxr-xr-x 1 root root 18K gru 15 2015 parallel
-rwx------ 1 root root 14K gru 15 2015 serial
-r-xr-xr-x 2 root root 22K cze 10 2015 snmp
-r-xr-xr-x 2 root root 34K cze 10 2015 socket
-r-xr--r-- 2 root root 30K cze 10 2015 usb
They look totally different - but usb for instance is 544
PS. I made my own script /opt/sbin/after-mount.sh containing all these funny things like adding lp group just after mounting.
Also, what BrowseProtocols value should we set?
Just for safety, BrowseProtocols all
@PiotrC1
Patch CUPS, please
I didn't even need to patch it: just have to pass some configure switches.
On the other side I use Raspberry PI. Please find enclosed access rights on Raspbian (it's Debian Jessie, as a matter of fact)
We have much less control of or certainty about what environment/system we'll be running than Debian developers have. Setting all backends permissions to 700 should force CUPS to run them as root thus bypassing access rights issues we might encounter.
Just for safety, BrowseProtocols all
OK, thanks.
Will be pushing upgrade soon
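Added example (not part of the original thread, and not CUPS or Optware-ng code): a shell audit that sorts backend files into the permission cases discussed above. The class names and helper functions are made up for illustration, and the classes encode only what this thread reports: 0775 is logged as insecure, 0700 makes cupsd run the backend as root.

```shell
#!/bin/sh
# Added illustration; classes reflect only what this thread reports for CUPS.

# Classify a permission string in octal ($1, e.g. 775) as:
#   insecure  - group- or world-writable (the 0775 case cupsd logs as insecure)
#   root-only - no group/other bits at all (the 0700 case, backend run as root)
#   shared    - anything else (readable/executable by group or others)
mode_class() {
    perm=$((0$1))
    if [ $((perm & 022)) -ne 0 ]; then
        echo insecure
    elif [ $((perm & 077)) -eq 0 ]; then
        echo root-only
    else
        echo shared
    fi
}

# Print "<class> <mode> <name>" for every regular file in directory $1.
# Symlinks such as http -> ipp are skipped; their target is audited instead.
audit_backends() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        m=$(stat -c '%a' "$f")
        echo "$(mode_class "$m") $m ${f##*/}"
    done
}

# Demo on a constructed directory that mirrors modes seen in the thread.
demo_backends() {
    d=$(mktemp -d)
    : > "$d/cups-pdf"; chmod 775 "$d/cups-pdf"
    : > "$d/usb";      chmod 700 "$d/usb"
    : > "$d/socket";   chmod 755 "$d/socket"
    ln -s usb "$d/ipp-link"
    audit_backends "$d"
    rm -rf "$d"
}
demo_backends
```

On a real install, `audit_backends /opt/lib/cups/backend` lists which backends would be rejected and which would run with root privileges.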
@PiotrC1
Can you please test if it works fine for you with BrowseProtocols dnssd (or simply comment it out: it's default)?
While commented CUPS still works OK (I mean both printing as well as CUPS printer management).
Funny thing - both Add Printer as well as Find New Printers use /opt/lib/cups/cups-deviced but Find New Printers doesn't see USB printer, while Add Printer does.
@PiotrC1 Update online. No idea about Find New Printers though
Don't bother - it's not critical. It has something to do with Avahi advertisements. Please have a look into ConfigFiles schemes and if old issues are gone we can close the topic.
Sorry no joy.
E [10/Sep/2016:19:48:53 +0200] [CGI] File \"/opt/lib/cups/backend/cups-pdf\" has insecure permissions (0100775/uid=0/gid=0).
After changing permissions to 750 (highest possible) in /opt/var/log/cups/cups-pdf_log pops up:
Sat Sep 10 20:00:02 2016 [ERROR] Grp not found (lp)
After adding lp group Virtual PDF Printer (CUPS-PDF) appears.
I haven't yet tended to cups-pdf, so it's OK. I'll probably have some time for this tomorrow
I also want to upgrade it to latest stable
Take your time.
Modifications of 2016.09.11 - everything works out of a box. After clarifying ConfigFiles schemes we can close the issue. [Edit] - Sorry, I closed the issue by mistake.
@PiotrC1
I think that does it: 279b3df3ebc0f3a18b7b453f0b1f56c426421262
LPD needs xinetd package and SMB -- properly configured samba
Everything OK. Thanks.
I don't know if it's done deliberately, but now admin activities do not need logging in. It's clear, because CUPS is running as root, but I don't know if it is safe.
@PiotrC1 Try changing password -- and it should prompt for it again, it remembers your logins. At least, it works fine for me with default package provided config.
After clearing browser cache everything works as supposed. Sorry for false alert.
Nice catch on the /etc/shadow bug!
I'm thinking about upgrading my AirPrint from optware to optware-ng. Testing some stuff now and building a few custom packages.
Thank you all for maintaining this new fork.
CUPS 2.1.2 printing system asks sometimes for user and password. In this case in /var/log/messages pops up following error:
Indeed, /etc/pam.conf is missing.