Bug 596711
| Summary: | Local printer policy too strict | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tim Waugh <twaugh> | ||||
| Component: | cups-pk-helper | Assignee: | Marek Kašík <mkasik> | ||||
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 17 | CC: | awilliam, fedora, johannbg, mclasen, mishu, mkasik, netwiz, samuel-rhbugs, smooge, twillber, valent.turkovic, ykopkova | ||||
| Target Milestone: | --- | Keywords: | Reopened | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2013-04-23 15:03:04 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 595007 | ||||||
| Attachments: |
|
||||||
|
Description
Tim Waugh
2010-05-27 11:05:14 UTC
This also seems to be an issue in F14 with: polkit-0.98-4.fc14.i686 I am required to enter the root password 3 times to add a printer. How does one add themselves as desktop_admin_r group? With the Users and Groups tool. Select user, click Properties, select Group tab, tick desktop_admin_r group, click OK. Ah. Nice tip Tim. Should save me quite a few password entries ;) Oh, and for what its worth, these are still missing in F14. SLAM. That is my hand against my head. I thought these were capability/Selinux items from their name and not /etc/group. groupadd -a -G desktop_admin_r <username> works also in that case. (In reply to comment #6) > SLAM. That is my hand against my head. I thought these were capability/Selinux > items from their name and not /etc/group. > > groupadd -a -G desktop_admin_r <username> works also in that case. Yeah - to be honest, I thought they were for selinux stuff too - but didn't quite understand what was going on. Tims comment above turned on the lightbulb for me too :) *** Bug 658555 has been marked as a duplicate of this bug. *** *ping* Would be great to get this fixed. This message is a reminder that Fedora 13 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '13'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 13's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 13 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Yes, still applies to Fedora 15. However there is now this: /etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf which specifies 'wheel' as an administrative group. Should I also modify our default /etc/cups/cupsd.conf so that it recognises 'wheel' as a system group? It'd be nice for wheel to have authorization for org.freedesktop.UPower.* as well. let's bump the version a bit. David, anything? -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers No, it doesn't make any sense to have some kind of "desktop admin" group so you can skip password dialogs - we tried it and it doesn't work [1]. The answer is really that the mechanism we ship should work out of the box, not that users should add themselves to some "admin" group to make their OS actually work. Hence, if you see useless password dialogs, just complain to the author of the mechanism that makes the password dialog appear. The place to discuss this in upstream polkit is here https://bugs.freedesktop.org/show_bug.cgi?id=41008#c1 so I'm closing this as UPSTREAM. If you disagree, the place to discuss is in that upstream bug, not some downstream bugzilla. [1] : we do have a 'wheel' group that is used to specify what "administrator authentication" means but that is different... Re-opening as this still affects Fedora. The policy in cups-pk-helper was designed by following the Fedora rules (AFAIR drafted by adamw, I can't find them now) on what the default polkit policies for mechanisms should be. If those rules are no longer correct, let's just change the cups-pk-helper policy and fix this bug. Tim: that policy proposal never made it out of draft, so you don't have to consider yourself to be bound by it. I certainly wouldn't; I'm no kind of security expert, I only ever drafted the policy as a starting point. It did get some discussion and refinement at the time, but I would still not invest any kind of confidence in it as a guideline, to be honest. -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers Created attachment 591796 [details]
Screenshot from "gnome-control-center printers" asking for password
Screenshot from "gnome-control-center printers" asking for password
This is still an issue on Fedora 16 and 17, is has been 2 years and this issue has still not been resolved, why? Why are Administrator users being asked for root pasword when editing printer options? I have been asked during the install and I choose to put my user in Administrator group (wheel) but I still get asked all the time to provide password. if I'm not mistaken this is the same issue that Linus Torvalds vented regarding same issue on OpenSuse - https://plus.google.com/102150693225130002912/posts/1vyfmNCYpi5 There is an simple fix on Fedora wiki: http://fedoraproject.org/wiki/Printing/ConfigurationTool Create a pklocalauthority file called /etc/polkit-1/localauthority/50-local.d/10-printer-config.pkla with this content: [Desktop Administrator Permissions] Identity=unix-group:wheel Action=org.opensuse.cupspkhelper.mechanism.* ResultAny=no ResultInactive=no ResultActive=yes So why isn't this being done? I'm using Fedora 17 with all latest patches and this is still an open bug. Is anybody working on this? It is trivial to fix. Hi Valent, I've just tested this and polkit asks me for my (non-root) password when I'm in "wheel" group on Fedora 17 and Fedora 18. Marek /usr/share/polkit-1/actions/org.opensuse.cupspkhelper.mechanism.policy does seem to require auth_admin for most CUPS actions, so it _looks_ like it ought to work. i'll take a look at it myself if I can find a minute. valent, exactly what reproduction procedure are you using here? Looks like it works now. I'll try a few different things and report back. Seems to work OK in Fedora 18. A user with account type 'Administrator' (I think this means 'in the wheel group'?) can add/modify/remove printers by providing their own password -- this is the same as is required for e.g. modifying the system time. (In reply to comment #22) > Looks like it works now. I'll try a few different things and report back. I'm closing this then. |