Bug 587744 - error getting server settings the first time
error getting server settings the first time
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: system-config-printer (Show other bugs)
13
All Linux
low Severity medium
: ---
: ---
Assigned To: Tim Waugh
Fedora Extras Quality Assurance
:
Depends On:
Blocks: 592343
  Show dependency treegraph
 
Reported: 2010-04-30 14:44 EDT by Bill Nottingham
Modified: 2014-03-16 23:23 EDT (History)
4 users (show)

See Also:
Fixed In Version: system-config-printer-1.1.19-3.fc12
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 592343 (view as bug list)
Environment:
Last Closed: 2010-06-04 14:53:53 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Bill Nottingham 2010-04-30 14:44:55 EDT
Description of problem:

If I go to Server->Settings, I get the PolicyKit dialog.

I enter my password (I'm in the desktop_admin_r group.)

I then get:

CUPS Server Error

There was a HTTP error: status 1000

Traceback (most recent call last):
  File "/usr/share/system-config-printer/system-config-printer.py", line 1249, in on_server_settings_activate
    self.on_adv_server_settings_apply)
  File "/usr/share/system-config-printer/AdvancedServerSettings.py", line 65, in __init__
    self.cupsconn.getFile (self.RESOURCE, file=f)
  File "/usr/share/system-config-printer/authconn.py", line 186, in <lambda>
    return lambda *args, **kwds: self._authloop (fname, fn, *args, **kwds)
  File "/usr/share/system-config-printer/authconn.py", line 204, in _authloop
    result = fn.__call__ (*args, **kwds)
cups.HTTPError: 1000

I then select 'Server->Settings' again.

It asks me for the root password (a non-policykit dialog). If I enter it correctly, it then works.

Version-Release number of selected component (if applicable):

system-config-printer-1.2.1-1.fc13.x86_64

How reproducible:

100%

Steps to Reproduce:
1. See above.
Comment 1 Tim Waugh 2010-05-01 05:36:46 EDT
So that's "User canceled authorization".

I don't get this behaviour at all.  Can you try running "system-config-printer --debug" from a terminal and paste the full output after you've seen this failure?
Comment 2 Bill Nottingham 2010-05-03 12:14:49 EDT
[notting@nostromo: ~]$ system-config-printer --debug
Connected as user notting
refresh
Created subscription 10
<monitor.Monitor instance at 0x3730518>: printers and jobs lists provided
update_jobs
Authentication pass: 1
Authentication: password callback set
Authentication pass: 1
Authentication: password callback set
Authentication pass: 1
Authentication: password callback set
get_notifications
update_jobs
Authentication pass: 1
Authentication: password callback set
Authentication pass: 1
Authentication: password callback set
PolicyKit call to FileGet did not work: unknown-ffffffff
Authentication pass: 2
Forbidden: True
Authentication: Try as root
Connected as user root
Got password callback
Traceback (most recent call last):
  File "/usr/share/system-config-printer/system-config-printer.py", line 1249, in on_server_settings_activate
    self.on_adv_server_settings_apply)
  File "/usr/share/system-config-printer/AdvancedServerSettings.py", line 65, in __init__
    self.cupsconn.getFile (self.RESOURCE, file=f)
  File "/usr/share/system-config-printer/authconn.py", line 186, in <lambda>
    return lambda *args, **kwds: self._authloop (fname, fn, *args, **kwds)
  File "/usr/share/system-config-printer/authconn.py", line 204, in _authloop
    result = fn.__call__ (*args, **kwds)
cups.HTTPError: 1000


Authentication pass: 1
Authentication: password callback set
Got password callback
Authentication pass: 2
Forbidden: False
Authentication: Reconnect
Connected as user root
Got password callback
Authentication pass: 1
Authentication: password callback set
Canceled subscription 10
<monitor.Monitor instance at 0x3730518> exited
Comment 3 Tim Waugh 2010-05-06 12:09:36 EDT
(In reply to comment #2)
> PolicyKit call to FileGet did not work: unknown-ffffffff

That's weird.  Do you have cups-pk-helper installed?  Are you running system-config-printer from a console session?

What's happened is that the cups-pk-helper call has failed and the fallback is to use pycups directly.  The proper solution is to avoid using the old cupspk module and use asyncconn which (a) inherits the IPP authentication dialog correctly for the fallback case, and (b) works asynchronously.

But still, the root cause of this problem is that the cups-pk-helper call failed, so it would be good to know why that is.
Comment 4 Bill Nottingham 2010-05-06 12:24:15 EDT
(In reply to comment #3)
> (In reply to comment #2)
> > PolicyKit call to FileGet did not work: unknown-ffffffff
> 
> That's weird.  Do you have cups-pk-helper installed?  Are you running
> system-config-printer from a console session?

Yes to both.

> What's happened is that the cups-pk-helper call has failed and the fallback is
> to use pycups directly.  The proper solution is to avoid using the old cupspk
> module and use asyncconn which (a) inherits the IPP authentication dialog
> correctly for the fallback case, and (b) works asynchronously.
> 
> But still, the root cause of this problem is that the cups-pk-helper call
> failed, so it would be good to know why that is.    

Is the fact that I'm in desktop_admin_r (and therefore authenticating to PK as myself, not root) relevant?
Comment 5 Tim Waugh 2010-05-06 17:56:59 EDT
(In reply to comment #4)
> > That's weird.  Do you have cups-pk-helper installed?  Are you running
> > system-config-printer from a console session?
> 
> Yes to both.

What n-v-r of cups-pk-helper?

> Is the fact that I'm in desktop_admin_r (and therefore authenticating to PK as
> myself, not root) relevant?    

I have the same situation here and it all works fine. :-/
Comment 6 Tim Waugh 2010-05-07 08:03:46 EDT
This looks relevant:

commit 2d47f66d1a9c6ecfc9219909659e16fbf1dca971
Author: mike <mike@7a7537e8-13f0-0310-91df-b6672ffda945>
Date:   Thu Apr 30 22:15:05 2009 +0000

    Add new HTTP_AUTHORIZATION_CANCELED status (internal to CUPS) to indicate wh
    authentication was canceled.

Hmm, if it's meant to be internal to CUPS, I wonder why we're seeing it at all...
Comment 7 Tim Waugh 2010-05-07 10:58:37 EDT
Oh, I get it: it's internal in that it isn't the actual HTTP status code that the server sends.  So only libcups (and its clients) see this.

I've committed a fix for this upstream.
Comment 8 Fedora Update System 2010-05-07 11:54:47 EDT
system-config-printer-1.2.2-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/system-config-printer-1.2.2-1.fc13
Comment 9 Fedora Update System 2010-05-08 12:10:00 EDT
system-config-printer-1.2.2-1.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update system-config-printer'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/system-config-printer-1.2.2-1.fc13
Comment 10 Bill Nottingham 2010-05-10 14:21:10 EDT
With this test update, I get the PK dialog, it fails (?), then I get asked for root's password. This works.
Comment 11 Tim Waugh 2010-05-11 06:42:05 EDT
OK, so the secondary problem (s-c-printer not handling cups-pk-helper failure well) is fixed.

What does 'rpm -q cups-pk-helper' say?

What about this?:

cd /usr/share/system-config-printer
python <<"EOF"
import cups, cupspk
c=cupspk.Connection(cups.getServer(),cups.getPort(),cups.getEncryption())
c.getFile("/admin/conf/cupsd.conf",file=file("/tmp/cupsd.conf","w"))
EOF
Comment 12 Bill Nottingham 2010-05-11 16:52:27 EDT
cups-pk-helper-0.0.4-13.fc13.x86_64

In [3]: c.getFile("/admin/conf/cupsd.conf",file=file("/tmp/cupsd.conf","w"))
---------------------------------------------------------------------------
HTTPError                                 Traceback (most recent call last)

/usr/share/system-config-printer/<ipython console> in <module>()

/usr/share/system-config-printer/cupspk.pyc in getFile(self, *args, **kwds)
    393                                             'FileGet', pk_args,
    394                                             self._connection.getFile,
--> 395                                             *args, **kwds)
    396 
    397             tmpfd = os.open (tmpfname, os.O_RDONLY)

/usr/share/system-config-printer/cupspk.pyc in _call_with_pk_and_fallback(self, use_fallback, pk_function_name, pk_args, fallback_function, *args, **kwds)
    144             debugprint ('PolicyKit call to %s did not work: %s' %
    145                         (pk_function_name, pk_retval))
--> 146             return fallback_function(*args, **kwds)
    147 
    148 

HTTPError: 403
Comment 13 Tim Waugh 2010-05-12 06:39:33 EDT
OK, we need to see what cups-pk-helper-mechanism is up to and why it's failing.  Start the Python snippet from comment #11 once so that the cups-pk-helper-mechanism process will start up and stay around for a little while.  When you know its PID, start running 'strace -s2000 -p ...' on it and then run the Python snippet again.
Comment 14 Bill Nottingham 2010-05-12 13:03:40 EDT
Oh, HAH.

----
time->Wed May 12 13:00:45 2010
type=SYSCALL msg=audit(1273683645.099:1081): arch=c000003e syscall=2 success=no exit=-13 a0=1b81180 a1=281 a2=1b81180 a3=f0 items=0 ppid=1 pid=31063 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cups-pk-helper-" exe="/usr/libexec/cups-pk-helper-mechanism" subj=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1273683645.099:1081): avc:  denied  { write } for  pid=31063 comm="cups-pk-helper-" name="tmp1y8Rjv" dev=dm-0 ino=362595 scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
----
time->Wed May 12 13:00:45 2010
type=SYSCALL msg=audit(1273683645.100:1082): arch=c000003e syscall=2 success=no exit=-13 a0=1b81180 a1=40 a2=180 a3=7fff29820b74 items=0 ppid=1 pid=31063 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cups-pk-helper-" exe="/usr/libexec/cups-pk-helper-mechanism" subj=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1273683645.100:1082): avc:  denied  { read } for  pid=31063 comm="cups-pk-helper-" name="tmp1y8Rjv" dev=dm-0 ino=362595 scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
----
time->Wed May 12 13:00:45 2010
type=SYSCALL msg=audit(1273683645.100:1083): arch=c000003e syscall=92 success=no exit=-13 a0=1b81180 a1=876 a2=877 a3=7fff29820b74 items=0 ppid=1 pid=31063 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cups-pk-helper-" exe="/usr/libexec/cups-pk-helper-mechanism" subj=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1273683645.100:1083): avc:  denied  { setattr } for  pid=31063 comm="cups-pk-helper-" name="tmp1y8Rjv" dev=dm-0 ino=362595 scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
----
time->Wed May 12 13:00:45 2010
type=SYSCALL msg=audit(1273683645.100:1084): arch=c000003e syscall=2 success=no exit=-13 a0=1b81180 a1=281 a2=1b81180 a3=7fff29820b74 items=0 ppid=1 pid=31063 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cups-pk-helper-" exe="/usr/libexec/cups-pk-helper-mechanism" subj=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1273683645.100:1084): avc:  denied  { write } for  pid=31063 comm="cups-pk-helper-" name="tmp1y8Rjv" dev=dm-0 ino=362595 scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

I have TMPDIR=~/tmp; if I unset TMPDIR, it works.
Comment 15 Tim Waugh 2010-05-13 08:13:35 EDT
Ah, OK.  So the problem is that the cups-pk-helper interface requires me to pass in a filename, but it must be a file in a path that I can read and that cups-pk-helper can write to.

Let's try hard-wiring it to "/tmp", which is about the only directory we can be sure fits the bill.

Fixed in system-config-printer-1.2.2-2.fc13.
Comment 16 Fedora Update System 2010-05-13 15:35:27 EDT
system-config-printer-1.2.2-2.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update system-config-printer'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/system-config-printer-1.2.2-2.fc13
Comment 17 Bill Nottingham 2010-05-17 15:12:21 EDT
Works for me.
Comment 18 Fedora Update System 2010-05-18 10:51:51 EDT
system-config-printer-1.1.19-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/system-config-printer-1.1.19-1.fc11
Comment 19 Fedora Update System 2010-05-18 10:54:03 EDT
system-config-printer-1.1.19-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/system-config-printer-1.1.19-1.fc12
Comment 20 Fedora Update System 2010-05-19 15:16:51 EDT
system-config-printer-1.1.19-1.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update system-config-printer'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/system-config-printer-1.1.19-1.fc11
Comment 21 Fedora Update System 2010-05-19 15:21:25 EDT
system-config-printer-1.1.19-1.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update system-config-printer'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/system-config-printer-1.1.19-1.fc12
Comment 22 Kevin Kofler 2010-05-21 01:19:28 EDT
Isn't it insecure to use the hardcoded path /tmp/cupsd.conf in the world-writable /tmp?
Comment 23 Tim Waugh 2010-05-21 04:32:12 EDT
It would be -- so instead we use mkstemp() and pass that filename to cups-pk-helper.
Comment 24 Fedora Update System 2010-06-03 14:09:07 EDT
system-config-printer-1.2.2-4.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update system-config-printer'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/system-config-printer-1.2.2-4.fc13
Comment 25 Fedora Update System 2010-06-04 14:53:16 EDT
system-config-printer-1.2.2-4.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 26 Fedora Update System 2010-07-26 22:51:52 EDT
system-config-printer-1.1.19-3.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.