GNU bug report logs - #63198
cups-service-type uses PAM-enabled 'cups' by default which prevents authentication

Previous Next

Package: guix;

Reported by: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Date: Mon, 1 May 2023 03:09:01 UTC

Severity: normal

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: muradm <mail <at> muradm.net>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: Ricardo Wurmus <rekado <at> elephly.net>, 63198-done <at> debbugs.gnu.org
Subject: bug#63198: cups-service-type uses PAM-enabled 'cups' by default which prevents authentication
Date: Wed, 24 May 2023 14:37:47 +0300

[Message part 1 (text/plain, inline)]
Hi Maxim,

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:

> Hi muradm,
>
> muradm <mail <at> muradm.net> writes:
>
> [...]
>
>>> Could you look into adding "regular" login PAM support instead 
>>> of a
>>> bypass disabled by default?  The user should still be prompted 
>>> for
>>> its
>>> password, and it should go through the PAM auth module.
>>>
>>> I'm not very PAM-aware, but I believe there are examples 
>>> spread in
>>> the
>>> code base.
>>
>> This patch provides necessary configuration for proper PAM 
>> support.
>> I decided to take screen-locker-service-type's configuration as
>> basis, since it is was most simpliest and adequate enough for 
>> this
>> case.
>> This patch does not disables, baypasses or cheats PAM in any 
>> way.
>> User may navigate to CUPS portal. In the event of 
>> administrative
>> actions taken by user, CUPS portal asks user to authenticate.
>> With this configuration, it will attempt to authenticate as 
>> local
>> system user. In the event of proper system user/password 
>> supplied
>> and positively authenticated against PAM using "cups" service 
>> name,
>> user allowed to take administrative action. In the event of 
>> invalid
>> system user/password supplied, CUPS portal will keep looping
>> begging for password (just as in your original case). If user 
>> decides
>> to Cancel the authentication dialog, CUPS portal is navigated 
>> to
>> Unauthorized access informing page.
>>
>> Why would I submit something that it is not working?
>
> I didn't mean to imply that it didn't work; I just thought that 
> it was
> somehow bypassing PAM (and the original problem it caused in the 
> first
> place).  As I wrote earlier, I know next to nothing about PAM, 
> and
> misread your patch.
>
> I've now installed the change.  Thanks for the fix, and thanks 
> to
> Ricardo for the reminder.

Cool, thanks!

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 2 years ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.