Bug 449753
Summary: | test page auth dialog assumes root user | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jóhann B. Guðmundsson <johannbg> | ||||
Component: | system-config-printer | Assignee: | Tim Waugh <twaugh> | ||||
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | low | Docs Contact: | |||||
Priority: | low | ||||||
Version: | rawhide | ||||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | 1.0.0-2.fc10 | Doc Type: | Bug Fix | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2008-06-03 16:40:44 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 438944 | ||||||
Attachments: |
|
Description
Jóhann B. Guðmundsson
2008-06-03 12:25:45 UTC
Created attachment 308221 [details]
IPP Print test page
I don't really know what the problem you're trying to describe is. I *think* what you're trying to say is that you have a print server that requires 'Basic' scheme authentication for submitting print jobs, and the administration tool's default password prompt when printing a test page tries to authenticate as root which may be incorrect. Is that what you're trying to describe? The reason we try to authenticate as root if a password is required when authenticating as the current non-root user is that, as the administration tool normally performs administrative tasks, it is usual for root to be the user that is allowed to do them. Perhaps for the special case of submitting a test page we should just display the prompt when we initially are asked for a password, instead of reconnecting as root. The prompt text comes from libcups, not system-config-printer, and will not be changed. "I don't really know what the problem you're trying to describe is. I *think* what you're trying to say is that you have a print server that requires 'Basic' scheme authentication for submitting print jobs, and the administration tool's default password prompt when printing a test page tries to authenticate as root which may be incorrect. " Right on the spot :) "The reason we try to authenticate as root if a password is required when authenticating as the current non-root user is that, as the administration tool normally performs administrative tasks, it is usual for root to be the user that is allowed to do them." From a desktop point of view is that all users should be able to add an printer that's connect to his or her computer without the need to be "root" or the "Administrator" just plug and pray the printer gets detected then the user is asked if he wants to add it as an local printer at least he should be able to print an test page tweak it's setting and so fourth, without having to be the "root" user. Not quite seeing the security issues involved, that should prevent an local user to add local and/or network connected printer(s) to his computer. While using root to do it might be consider security risk.. From an administrative point of view if the users sees the Authentication box that asks him to provide the "Password for root on $server" and the "Username:" field already contains the username root, he will first try his own which of course wont work, then if that fails try to guess the root password on the server or starts calling help desk or bother the printer admin. That is if $server is not localhost. Actually it could be looked ad as an security issue for him sending his root password over the wired ( might be sniffed and used to ssh to his machines since we deliver fedora with sshd port wide open ) or him to be able to guess the root password ( depends if the admin has been smart enough to restrict the access to the admin section in cups ). If I understanding you right here.. "Perhaps for the special case of submitting a test page we should just display the prompt when we initially are asked for a password, instead of reconnecting as root." and your referring to "Authentication required for printing document" box. then that is indeed an much better solution. Since the prompt text comes from libcups and cannot be altered then the best way is to restrict as much possible the use of that text to localhost.localdomain and or locally connected printer to prevent any misunderstanding that the user might have. (In reply to comment #3) > From a desktop point of view is that all users should be able to add > an printer that's connect to his or her computer without the need to be "root" > or the "Administrator" Indeed -- however, that policy is stored in /etc/cups/cupsd.conf. See my upstream submitted patches for 'Require user @CONSOLE' etc. Different sites will have different policies for this. Fixed upstream. |