This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 449753 - test page auth dialog assumes root user
test page auth dialog assumes root user
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: system-config-printer (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Tim Waugh
Fedora Extras Quality Assurance
:
Depends On:
Blocks: F10Target
  Show dependency treegraph
 
Reported: 2008-06-03 08:25 EDT by Jóhann B. Guðmundsson
Modified: 2008-06-03 12:40 EDT (History)
0 users

See Also:
Fixed In Version: 1.0.0-2.fc10
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-06-03 12:40:44 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
IPP Print test page (231.17 KB, image/png)
2008-06-03 08:25 EDT, Jóhann B. Guðmundsson
no flags Details

  None (edit)
Description Jóhann B. Guðmundsson 2008-06-03 08:25:45 EDT
Description of problem:

See attached file for explanation... 

Version-Release number of selected component (if applicable):

system-config-printer-1.0.0-1.fc10.i386
system-config-printer-libs-1.0.0-1.fc10.i386

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Picture is worth more than a thousand words....
Comment 1 Jóhann B. Guðmundsson 2008-06-03 08:25:45 EDT
Created attachment 308221 [details]
IPP Print test page
Comment 2 Tim Waugh 2008-06-03 08:45:43 EDT
I don't really know what the problem you're trying to describe is.  I *think*
what you're trying to say is that you have a print server that requires 'Basic'
scheme authentication for submitting print jobs, and the administration tool's
default password prompt when printing a test page tries to authenticate as root
which may be incorrect.

Is that what you're trying to describe?

The reason we try to authenticate as root if a password is required when
authenticating as the current non-root user is that, as the administration tool
normally performs administrative tasks, it is usual for root to be the user that
is allowed to do them.

Perhaps for the special case of submitting a test page we should just display
the prompt when we initially are asked for a password, instead of reconnecting
as root.

The prompt text comes from libcups, not system-config-printer, and will not be
changed.
Comment 3 Jóhann B. Guðmundsson 2008-06-03 09:48:25 EDT
"I don't really know what the problem you're trying to describe is.  I *think*
what you're trying to say is that you have a print server that requires 'Basic'
scheme authentication for submitting print jobs, and the administration tool's
default password prompt when printing a test page tries to authenticate as root
which may be incorrect. "

Right on the spot :) 

"The reason we try to authenticate as root if a password is required when
authenticating as the current non-root user is that, as the administration tool
normally performs administrative tasks, it is usual for root to be the user that
is allowed to do them."

From a desktop point of view is that all users should be able to add
an printer that's connect to his or her computer without the need to be "root"
or the "Administrator" just plug and pray the printer gets detected then the 
user is asked if he wants to add it as an local printer at least he should be
able to print an test page tweak it's setting and so fourth, without having to
be the "root" user.

Not quite seeing the security issues involved, that should prevent an local user
to add local and/or network connected printer(s) to his computer. 

While using root to do it might be consider security risk.. 

From an administrative point of view if the users sees the Authentication
box that asks him to provide the "Password for root on $server" and the
"Username:" field already contains the username root, he will first try his own
which of course wont work, then if that fails try to guess the root password on
the server or starts calling help desk or bother the printer admin. 
That is if $server is not localhost.

Actually it could be looked ad as an security issue for him sending his root
password over the wired ( might be sniffed and used to ssh to his machines since
we deliver fedora with sshd port wide open ) or him to be able to guess the root
password ( depends if the admin has been smart enough to restrict the access to
the admin section in cups ).

If I understanding you right here..

"Perhaps for the special case of submitting a test page we should just display
the prompt when we initially are asked for a password, instead of reconnecting
as root."

and your referring to "Authentication required for printing document" box. then
that is indeed an much better solution.

Since the prompt text comes from libcups and cannot be altered then the best
way is to restrict as much possible the use of that text to
localhost.localdomain and or locally connected printer to prevent any
misunderstanding that the user might have.

Comment 4 Tim Waugh 2008-06-03 10:44:36 EDT
(In reply to comment #3)
> From a desktop point of view is that all users should be able to add
> an printer that's connect to his or her computer without the need to be "root"
> or the "Administrator"

Indeed -- however, that policy is stored in /etc/cups/cupsd.conf.  See my
upstream submitted patches for 'Require user @CONSOLE' etc.

Different sites will have different policies for this.
Comment 5 Tim Waugh 2008-06-03 11:26:49 EDT
Fixed upstream.

Note You need to log in before you can comment on or make changes to this bug.