Bug 521110 - Does not prompt for root password when fetching devices
Summary: Does not prompt for root password when fetching devices
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: cups-pk-helper
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Marek Kašík
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-09-03 17:28 UTC by Gene Czarcinski
Modified: 2009-10-14 01:57 UTC (History)

Fixed In Version: 1.1.13-3.fc10
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-30 17:15:24 UTC


Attachments
screenshot of New Printer panel from "root" s-c-p (27.00 KB, image/png)
2009-09-04 12:30 UTC, Gene Czarcinski
screenshot of panel for s-c-p invoked from menu ("bad" panel) (19.39 KB, image/png)
2009-09-04 12:31 UTC, Gene Czarcinski
output from system-config-printer --debug (749 bytes, text/plain)
2009-09-04 15:41 UTC, Gene Czarcinski
tail end of /var/log/yum.log listing updates/installs after DVD install (2.75 KB, text/plain)
2009-09-04 19:25 UTC, Gene Czarcinski
New Device frame for system-config-printer-1.1.12-8.fc12.x86_64 (15.81 KB, image/png)
2009-09-14 12:34 UTC, Gene Czarcinski
2nd screenshot with "Network" expanded (17.48 KB, image/png)
2009-09-14 12:36 UTC, Gene Czarcinski
3rd screenshot with "Network Printer" expanded (12.17 KB, image/png)
2009-09-21 15:18 UTC, Jiri Popelka

Description Gene Czarcinski 2009-09-03 17:28:29 UTC
Description of problem:
After su'ing to root, I can invoke s-c-p from the command line to bring up the gui and define new printers or delete old ones.

However, if I invoke s-c-p from the menu or from a user command line, I am NOT prompted for root's password (unlike on F11) and I cannot define new printers or delete printers previously defined.

Version-Release number of selected component (if applicable):
F12 alpha + rawhide updates as of 3 Sep 09
system-config-printer-1.1.12-6.fc12

How reproducible:
every time

Comment 1 Tim Waugh 2009-09-04 09:28:04 UTC
So when you click 'New', what happens?  This is working for me.

Comment 2 Gene Czarcinski 2009-09-04 12:29:01 UTC
When I click on "new", I get a "New Printer panel".  To hopefully minimize confusion I am attaching two screenshots of the panel ... the first from a s-c-p which I invoked after su'ing to root (what I expect to see) and the second from a s-c-p which I invoke from the menu.  Note: nothing other than "find a network printer".

Comment 3 Gene Czarcinski 2009-09-04 12:30:29 UTC
Created attachment 359799
screenshot of New Printer panel from "root" s-c-p

Comment 4 Gene Czarcinski 2009-09-04 12:31:44 UTC
Created attachment 359800
screenshot of panel for s-c-p invoked from menu ("bad" panel)

Comment 5 Tim Waugh 2009-09-04 13:39:10 UTC
Run 'system-config-printer --debug' -- what output do you get when you see that screen?

Comment 6 Gene Czarcinski 2009-09-04 15:41:45 UTC
Created attachment 359823
output from system-config-printer --debug

I was running today's "yum update" but caught it before the updates which include updates to s-c-p*

I ran system-config-printer --debug from a user command line. The output is attached.

Comment 7 Tim Waugh 2009-09-04 16:55:36 UTC
PolicyKit has denied you access to the list of devices.

Were you logged in at the console?

Comment 8 Gene Czarcinski 2009-09-04 17:52:54 UTC
Although I have kde installed, I run mostly gnome apps under metacity.  Yes, I was logged in at the console via gdm.

BTW, all of the other system-config-<whatever> apps I have tried do prompt for root's password.

I just rebooted after updating with today's updates (s-c-p is not 1.1.12-7.fc12) ... no change ... works the same.

I am not familiar with PolicyKit ... can you point me to any configuration files?

Although F12 alpha is a fresh install, I did re-use /home from a F11 install (which still exists ... multi-boot).

I just tried creating a new user to see if there was something about "gc" but it worked the same way ... it did not work.

Comment 9 Gene Czarcinski 2009-09-04 18:20:18 UTC
good news/bad news ... I also have f12alpha (no updates) installed as a guest on qemu-kvm running on a f11 host.

I just gave s-c-p a try and it works fine!!

I am also installing (again) f12alpha on "falcon" (disk space is cheap, all of my systems have the capability to have at least four different systems/versions installed ... either a single partition for root or a combo of /boot and LVM root).  This installation is only from the DVD ... no updates applied during install.

I will see how this works.  If the problem does not reappear on this new install, this report should probably be closed "WORKS4ME".

If you have an idea of where to look for the PolicyKit problem, I am willing to put some time into it.

Comment 10 Gene Czarcinski 2009-09-04 18:57:47 UTC
OK, it works on another fresh install on "falcon" ... this one was DVD only (no updates).  I tried running s-c-p as a user and everything worked (including no delays).

However, this is "missing" about 500 packages including kde.  I am going to do a bunch of updates and then installs and see if that changes anything.

At this point, I have to believe that this problem was the result of interaction with some other package.  I want to leave this open for a while as I will continue testing for this problem as I do the updates and installs.  The "problem" may be with a package which has been updated and no longer is a problem ... or the problem could still exist.

This is going to be painful doing all of the updates and installs.

Comment 11 Gene Czarcinski 2009-09-04 19:25:50 UTC
Created attachment 359841
tail end of /var/log/yum.log listing updates/installs after DVD install

Bad news ... this problem is back.  After the DVD install, I updated/installed the packages listed in the attached yum.log.  I first updated rpm and yum, then mkinitrd, nash, and the kernel, then rebooted.  After the reboot, I installed the remaining updates shown.  I then tried running s-c-p as a user and got the old problem back ... this problem stays open but at least the number of variables is reduced.

I still have my "virgin" F12alpha DVD-only install as a qemu-kvm guest.  I can clone this guest and then try the updates.  Assuming I can reproduce the problem, this guest should be a lot easier to try testing.

Comment 12 Gene Czarcinski 2009-09-04 21:08:42 UTC
The problem appears to be in the s-c-p package in rawhide/development.

I brought up my f12alpha clone, yum updated rpm*, yum*, mkinitrd, nash, kernel-* and then rebooted.  After the reboot, I ran s-c-p as a user and it worked fine.

I then yum updated s-c-p, s-c-p-udev, and s-c-p-libs.  Tried running s-c-p as a user ... oops .. it has the problem.

OK, use rpm -Uvh --oldpackage to reinstall s-c-p, s-c-p-udev, and s-c-p-libs from the DVD.  Tried running s-c-p as a user and it works fine!

On DVD, the s-c-p is 1.1.10-8.fc12

From rawhide, it is 1.1.12-7.fc12

Since I can cause the problem at will, give a yell if you want me to run more tests.

BTW, qemu-kvm is really nice for testing (especially when it is running on a AMD Phenom 940).

Comment 13 Tim Waugh 2009-09-14 10:40:24 UTC
Do you have the cups-pk-helper package installed?  What does 'rpm -q cups-pk-helper' say?

The way it is meant to work in 1.1.12-7.fc12 is this:

1. Click New

2. A dialog appears showing only 'Other' and 'Network Printer', with a 'spinner' in the bottom left corner

3. An authentication dialog appears

4. A second or two after authenticating, entries are added for locally connected printers, e.g.:

LPT #1
Serial Port #1

5. After about ten seconds, the spinner disappears and the 'Network Printer' tree is populated with e.g. 'Internet Printing Protocol', 'LPD/LPR Host or Printer', 'Windows Printer via SAMBA'.

This is all working for me with an up-to-date rawhide installation:

cups-pk-helper-0.0.4-7.fc12.x86_64
system-config-printer-1.1.12-8.fc12.x86_64
polkit-0.94-4.fc12.x86_64
polkit-gnome-0.94-4.fc12.x86_64

Incidentally, I am using polkit-gnome as my authentication agent (i.e. the program that displays the PolicyKit authentication dialog), as I am using GNOME.  This is the default when installing from the DVD.  Perhaps you are using a different authentication agent?

Comment 14 Gene Czarcinski 2009-09-14 12:33:05 UTC
I have been "keeping current" and have:
cups-pk-helper-0.0.4-7.fc12.x86_64
system-config-printer-1.1.12-8.fc12.x86_64
polkit-0.94-4.fc12.x86_64
polkit-gnome-0.94-4.fc12.x86_64

I am running metacity/gnome (not kde).

IIRC, the f12alpha original system-config-printer-1.1.12-6.fc12 and f11's system-config-printer looked/worked about the same when I invoked them after su'ing to root.  This has changed with 1.1.12-8.fc12.

For either root or regular user ... when I press "new", I get a frame whose picture I have attached.  If invoked as root, there is a "spinner" for a few seconds then nothing.  If invoked as a regular user, there is no spinner but I do get the following in the terminal window:
-------------------------------
[genec@falcon ~]$ system-config-printer
Caught non-fatal exception.  Traceback:
File "/usr/share/system-config-printer/system-config-printer.py", line 5022, in got_devices
    raise exception
IPPError: (0, 'Operation canceled')
Continuing anyway..
----------------------------------

If invoked as root and I select from the "New Device" frame to find a printer and specify the IP for a printer on that same LAN, I get "lots of text messages" on the invoking terminal and do finally locate the printer ... I assume that you have changed the dialog/interface a bit and this is working as designed.  I can get it to use a jetdirect interface but it is more work to do that.

Comment 15 Gene Czarcinski 2009-09-14 12:34:47 UTC
Created attachment 360930
New Device frame for system-config-printer-1.1.12-8.fc12.x86_64

Comment 16 Gene Czarcinski 2009-09-14 12:36:29 UTC
Created attachment 360931
2nd screenshot with "Network" expanded

Comment 17 Tim Waugh 2009-09-14 14:06:54 UTC
So is your terminal window at the console of the machine, or are you logged in via ssh?

What's happening is that PolicyKit is denying the operation.

Comment 18 Gene Czarcinski 2009-09-14 14:57:27 UTC
keeping it simple ... no ssh ... everything done from terminal windows at the console of the machine.

Installed Packages
PolicyKit.x86_64    0.9-6.fc11    @anaconda-InstallationRepo-200908171855.x86_64
PolicyKit-gnome.x86_64                   0.9.2-5.fc12             @local-rawhide
PolicyKit-gnome-libs.x86_64              0.9.2-5.fc12             @local-rawhide
polkit.x86_64                            0.94-4.fc12              @local-rawhide
polkit-desktop-policy.noarch             0.94-4.fc12              @local-rawhide
polkit-gnome.x86_64                      0.94-4.fc12              @local-rawhide
polkit-qt.x86_64  0.9.2-2.fc12    @anaconda-InstallationRepo-200908171855.x86_64

This is on a pure test system so is there anything you would like me to try?

Comment 19 Tim Waugh 2009-09-14 15:18:47 UTC
Changing component to cups-pk-helper as there is no system-config-printer bug here.

Comment 20 Jiri Popelka 2009-09-21 15:18:28 UTC
Created attachment 361960
3rd screenshot with "Network Printer" expanded

I see the same problem as Gene described on rawhide and also on F-11.

On rawhide
system-config-printer-1.1.13-2.fc12.i686
polkit-gnome-0.95-0.git20090913.5.fc12.i686
cups-pk-helper-0.0.4-7.fc12.i686
>system-config-printer
Caught non-fatal exception.  Traceback:
File "/usr/share/system-config-printer/system-config-printer.py", line 5038, in got_devices
    raise exception
IPPError: (0, 'Operation canceled')
Continuing anyway..

On F-11
system-config-printer-1.1.13-1.fc11.x86_64
PolicyKit-gnome-0.9.2-3.fc11.x86_64
cups-pk-helper-0.0.4-3.fc11.x86_64
I run system-config-printer from console
1) Click New
2) A dialog appears showing only 'Other' and 'Network Printer', with a
'spinner' in the bottom left corner
3) An authentication dialog appears
4) After authenticating and waiting a minute or so there are no additional entries added. There's no warning in console.

Comment 21 Fedora Update System 2009-09-24 05:08:48 UTC
system-config-printer-1.1.13-2.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.  If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update system-config-printer'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8108

Comment 22 Fedora Update System 2009-09-24 05:20:03 UTC
system-config-printer-1.1.13-2.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.  If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update system-config-printer'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-9087

Comment 23 Gene Czarcinski 2009-09-24 12:31:22 UTC
Updated on my f12alpha (rawhide) system with:
cups-pk-helper-0.0.4-7.fc12.x86_64
polkit-gnome-0.95-0.git20090913.5.fc12.x86_64
system-config-printer-1.1.13-3.fc12.x86_64

The problem persists!!!

As the original reporter, I reported this against rawhide.  I never had a problem on F11 (and still do not after updating to 1.1.13-3).

The problem is on rawhide and I am changing this back to rawhide where I originally reported the problem.  I am not sure what was fixed but it had no effect on my original problem.

Comment 24 Jiri Popelka 2009-09-24 12:59:05 UTC
On F11 there was problem with system-config-printer-1.1.13-1.
With system-config-printer-1.1.13-2 the problem is solved on F11.

But I agree with Gene that on rawhide it persists even
with system-config-printer-1.1.13-3.

Comment 25 Gene Czarcinski 2009-09-24 13:19:35 UTC
For rawhide, I believe that this problem needs to be fixed (if at all possible) before F12 GA.  Yes, you can get around the problem by running s-c-p as root but this is not going to be "friendly" for regular users.

Tim ... can you reproduce this problem on f12/rawhide?  

On F11, when I currently run s-c-p as a regular user, I am prompted twice for root's password.  A first time when I begin defining a new printer and a second time (different popup asking for authentication) when I apply/save the new printer.  Is this really by design?

Comment 26 Tim Waugh 2009-09-24 16:34:07 UTC
* F-11:

The two different authorization dialogs is not ideal, and not part of the design.  However, the design hinges on being able to fetch devices in a background thread in order to present them quickly to the user without any unnecessary perceived delay.  In order to do this correctly, either polkit-1 must be used (with its much simplified client calling convention), or else PolicyKit must not be used for that call at all.  The pre-polkit-1 PolicyKit code is just not very good when it comes to trying to make it work asynchronously.

Fedora 11 is in the unfortunate situation of shipping PolicyKit, and having lots of applications use it, but not yet shipping polkit-1.

Making the pre-polkit-1 PolicyKit code any better is simply a waste of effort that could be spent on fixing other bugs: that code is already no longer in use in Fedora 12 Alpha.

When polkit-1 is in use, it all works correctly (for me at least -- now, on to that problem).

* rawhide: it's all working for me, running on the console, with:
system-config-printer-1.1.13-3
cups-pk-helper-0.0.4-7.fc12.x86_64
polkit-0.95-0.git20090913.2.fc12.x86_64
polkit-gnome-0.95-0.git20090913.5.fc12.x86_64

This is with the default policy for cups-pk-helper, as seen below:

$ pkaction --action-id org.opensuse.cupspkhelper.mechanism.devices-get --verbose
org.opensuse.cupspkhelper.mechanism.devices-get:
  description:       Get devices
  message:           Privileges are required to get devices.
  vendor:            The openSUSE Project
  vendor_url:        http://www.opensuse.org/
  icon:              printer
  implicit any:      no
  implicit inactive: no
  implicit active:   auth_admin_keep

When checking whether I have authorization to fetch devices, an authentication dialog is displayed:

$ pkcheck --action-id org.opensuse.cupspkhelper.mechanism.devices-get --process $$ --allow-user-interaction

So: what do the pkaction and pkcheck commands show for you?

Comment 27 Gene Czarcinski 2009-09-24 17:46:08 UTC
I just did a fresh install of rawhide as a qemu-kvm guest using:
Fedora-20090923-x86_64-DVD.iso obtained this morning from:
http://kojipkgs.fedoraproject.org/mash/F12-Beta-TC/x86_64/iso/

1. s-c-p still does not work for me.

2.  All of the packages you list are the same for me.

3.The output of the "pkaction ..." command is exactly the same as you show.

4. The output of the "pkcheck ..." command gets me a display of the pkcheck man page.  I believe that pid is not specified after "--process".

5.  I ran s-c-p --debug as a regular user and got:
--------------------
[genec@f12beta0 ~]$ system-config-printer --debug
Connected as user genec
refresh
Created subscription 3
<monitor.Monitor instance at 0x3263e18>: printers and jobs lists provided
update_jobs
Authentication pass: 1
Authentication: password callback set
Authentication pass: 1
Authentication: password callback set
Authentication pass: 1
Authentication: password callback set
get_notifications
update_jobs
Calling <bound method NewPrinterGUI.fetchDevices of <__main__.NewPrinterGUI instance at 0x324edd0>>
fetchDevices
Connected as user genec
in get_devices: connected
Fetching local devices
Authentication pass: 1
Authentication: password callback set
Caught exception (0, 'Operation canceled')
Caught non-fatal exception.  Traceback:
File "/usr/share/system-config-printer/system-config-printer.py", line 5038, in got_devices
    raise exception
IPPError: (0, 'Operation canceled')
Continuing anyway..
-----------------

I have f12/alpha/rawhide installed on a couple of baremetal systems also and it does not work there either.  It is very consistent.

Comment 28 Jiri Popelka 2009-09-25 09:31:31 UTC
For Tim:
pkaction shows the same output
pkcheck displays authentication dialog and when I type root password,
there appears "polkit\56temporary_authorization_id=tmpauthz0" on command line

but when I run s-c-p --debug as a regular user I get the same output as Gene.

For Gene:
the pid is specified by $$ (you need to type that $$ between --process and --allow-user-interaction)

Comment 29 Tim Waugh 2009-09-25 16:04:32 UTC
OK, the reason it was working for me was that SELinux was running in permissive mode (for some reason...!).  Changing it to enforcing, I also see this problem.

So it is a problem with the cups-pk-helper SELinux policy I think.

selinux-policy-3.6.32-8.fc12

I'll see if I can figure out which selinux-policy package broke it.

Comment 30 Gene Czarcinski 2009-09-25 16:17:52 UTC
Trying:  pkcheck ... --process $$ --allow-user-interaction

I get nothing in response ... for both enforcing on or off.

After doing "setenforce 0", I get no change in how s-c-p runs as a regular user.

Running setroubleshoot, I get no indication of an selinux problem.

Comment 31 Tim Waugh 2009-09-25 16:29:27 UTC
Run strace on cups-pk-helper-mechanism and you can see the D-Bus error message mentioning SELinux.

I'm just trying an SELinux build with policykit_dbus_chat enabled for cupsd_config_t (which was missing) -- hopefully that was the problem Jiri and I are seeing.

I would expect setroubleshoot not to show any problems as it seems to be a dontaudit rule we're hitting.

Not sure why the pkcheck command doesn't give you an auth dialog even with SELinux in permissive mode, but at that stage it's definitely a cups-pk-helper problem of some kind or else a local configuration difference.  But you said that pkaction showed the same policy as me?
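
The diagnosis reached in comments 26 to 31, as an added example that is not part of the original thread: the polkit policy says a prompt is expected, yet the helper's D-Bus call to PolicyKit is denied by SELinux and hidden by a dontaudit rule. D-Bus denials are logged by the bus daemon as USER_AVC records once dontaudit rules are lifted; the audit records below are constructed, and the `policykit_t` type name and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug thread: find SELinux denials that dontaudit
# rules keep out of the audit log, and relate them to the polkit policy.
#
# On a live system, as root:
#   semodule -DB     # rebuild the policy with dontaudit rules disabled
#   (reproduce the failure, e.g. click "New" in system-config-printer)
#   ausearch -m AVC,USER_AVC -ts recent > denials.log
#   semodule -B      # rebuild again to restore the dontaudit rules

# pkaction output as quoted in comment 26 (trimmed to the authorization lines).
sample_pkaction() {
cat <<'EOF'
org.opensuse.cupspkhelper.mechanism.devices-get:
  implicit any:      no
  implicit inactive: no
  implicit active:   auth_admin_keep
EOF
}

# Constructed audit records: ids, pids and the policykit_t / httpd_t type
# names are assumptions for illustration, not values from the bug report.
sample_log() {
cat <<'EOF'
type=USER_AVC msg=audit(1253894971.101:77): user pid=1201 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus'
type=USER_AVC msg=audit(1253894973.310:79): user pid=1201 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus'
type=AVC msg=audit(1253894980.004:81): avc:  denied  { read } for pid=1300 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Print the authorization polkit applies to an active local session.
implicit_active() {
    sed -n 's/^ *implicit active: *//p'
}

# Print one "source target permission" line per distinct denied D-Bus message.
denied_dbus() {
    awk '
    function ctx_type(key,   i, parts) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                split(substr($i, length(key) + 2), parts, ":")
                return parts[3]
            }
        return ""
    }
    /avc:  *denied/ && /tclass=dbus/ {
        perm = ""
        for (i = 1; i < NF; i++) if ($i == "{") perm = $(i + 1)
        line = ctx_type("scontext") " " ctx_type("tcontext") " " perm
        if (!(line in seen)) { seen[line] = 1; print line }
    }'
}

# $1 = implicit-active value, $2 = getenforce output, $3 = denied_dbus output
triage() {
    case "$1" in
        auth_*) ;;                            # policy expects a prompt
        *) echo "polkit-policy"; return 0 ;;  # policy decides without a prompt
    esac
    if [ "$2" = "Enforcing" ] && [ -n "$3" ]; then
        echo "selinux-dbus-denial"
    else
        echo "look-elsewhere"
    fi
}

triage "$(sample_pkaction | implicit_active)" Enforcing "$(sample_log | denied_dbus)"
```
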

Comment 32 Tim Waugh 2009-09-25 16:51:08 UTC
I've filed bug #525773 with the patch I mentioned in the previous comment.  It works for me.

Comment 33 Gene Czarcinski 2009-09-25 16:59:43 UTC
Yes, I get the same policy:
------------------------
[root@f12beta0 ~]# pkaction --action-id org.opensuse.cupspkhelper.mechanism.devices-get --verbose
org.opensuse.cupspkhelper.mechanism.devices-get:
  description:       Get devices
  message:           Privileges are required to get devices.
  vendor:            The openSUSE Project
  vendor_url:        http://www.opensuse.org/
  icon:              printer
  implicit any:      no
  implicit inactive: no
  implicit active:   auth_admin_keep

[root@f12beta0 ~]#
-------------------------

I get the above when the command is the same run either as root or a regular
user.

I will start monitoring https://bugzilla.redhat.com/show_bug.cgi?id=525773

Comment 34 Daniel Walsh 2009-09-28 13:51:22 UTC
 
selinux-policy-3.6.32-12.fc12.noarch will allow cupsd_config_t to communicate with policykit.

Comment 35 Gene Czarcinski 2009-09-28 13:56:14 UTC
I will close this as soon as I can test.

Comment 36 Gene Czarcinski 2009-09-30 17:15:24 UTC
OK, I tested s-c-p and with selinux-policy-3.6.32-12.fc12.noarch I can not define printers when s-c-p is invoked as a regular user.  Thus, I am closing this bug.

HOWEVER, I am tempted to open another bug report against ??? ... root authentication now overachieves ... prompted for root's password at least three times .. first time to grate the list of printer interface types and the rest when I finish/apply the created definition.  Two I can understand.  Three or more, no!

Comment 37 Tim Waugh 2009-10-01 10:47:41 UTC
(In reply to comment #36)
> HOWEVER, I am tempted to open another bug report against ??? ... root
> authentication now overachieves ... prompted for root's password at least three
> times ..

cups-pk-helper

Comment 38 Fedora Update System 2009-10-09 03:33:02 UTC
system-config-printer-1.1.13-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 39 Fedora Update System 2009-10-14 01:57:09 UTC
system-config-printer-1.1.13-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

