GNU bug report logs - #63198
cups-service-type uses PAM-enabled 'cups' by default which prevents authentication

Previous Next

Full log

View this message in rfc822 format

From: muradm <mail <at> muradm.net>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: 63198 <at> debbugs.gnu.org
Subject: bug#63198: cups-service-type uses PAM-enabled 'cups' by default which prevents authentication
Date: Tue, 16 May 2023 08:17:56 +0300

[Message part 1 (text/plain, inline)]

Hello,

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:

> Hi,
>
> muradm <mail <at> muradm.net> writes:
>
>> Fixes <https://issues.guix.gnu.org/63198>.
>>
>> Makes CUPS service to extend pam-root-service-type providing 
>> minimal
>> configuration to authenticate users. Since PAM authentication 
>> is
>> provided, cups package can be used as default.
>>
>> * gnu/services/cups.scm (cups-configuration) [cups]: Use cups.
>
> I'd write 'Replace cups-minimal with cups'.
>

Sure you may change this.

>> [allow-empty-password?]: PAM service configuration permitting 
>> empty passwords.
>
> I'd write 'New field', but I think we'd want to add proper PAM 
> support
> here not a 'bypass PAM authentication' hack.  It should also be 
> enabled
> out of the box, otherwise users won't be able to authenticate 
> until they
> figure out they need to set that switch to #t.
>

Who ever touches PAM configuration knows that by default PAM does 
not
allow to authenticate users with empty passwords. This flag allows 
such
users. Just grep guix for allow-empty-password?, you will see that 
it
is all over the places.

>> (opaque-cups-configuration): Likewise.
>> (cups-pam-service): cups PAM service.
>
> Not descriptive :-)  What is the change here?
>

I used simlilar strategy as in your commit 6bc3e3f9ba :-) You are 
free
to reword as you wish.

> Could you look into adding "regular" login PAM support instead 
> of a
> bypass disabled by default?  The user should still be prompted 
> for its
> password, and it should go through the PAM auth module.
>
> I'm not very PAM-aware, but I believe there are examples spread 
> in the
> code base.

This patch provides necessary configuration for proper PAM 
support.
I decided to take screen-locker-service-type's configuration as
basis, since it is was most simpliest and adequate enough for this 
case.
This patch does not disables, baypasses or cheats PAM in any way.
User may navigate to CUPS portal. In the event of administrative
actions taken by user, CUPS portal asks user to authenticate.
With this configuration, it will attempt to authenticate as local
system user. In the event of proper system user/password supplied
and positively authenticated against PAM using "cups" service 
name,
user allowed to take administrative action. In the event of 
invalid
system user/password supplied, CUPS portal will keep looping
begging for password (just as in your original case). If user 
decides
to Cancel the authentication dialog, CUPS portal is navigated to
Unauthorized access informing page.

Why would I submit something that it is not working?

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.