Bug 596711 - Local printer policy too strict
Local printer policy too strict
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: cups-pk-helper (Show other bugs)
17
All Linux
low Severity medium
: ---
: ---
Assigned To: Marek Kašík
Fedora Extras Quality Assurance
: Reopened
: 658555 (view as bug list)
Depends On:
Blocks: 595007
  Show dependency treegraph
 
Reported: 2010-05-27 07:05 EDT by Tim Waugh
Modified: 2013-04-23 11:03 EDT (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-04-23 11:03:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Screenshot from "gnome-control-center printers" asking for password (35.83 KB, image/png)
2012-06-14 05:50 EDT, Valent Turkovic
no flags Details

  None (edit)
Description Tim Waugh 2010-05-27 07:05:14 EDT
Description of problem:
The file /var/lib/polkit-1/localauthority/10-vendor.d/10-desktop-policy.pkla lists several action patterns that users in the desktop_admin_r group should be able to perform:

Action=org.gnome.clockapplet.mechanism.*;org.freedesktop.udisks.*;org.freedesktop.RealtimeKit1.*

Is it intentional that these are missed out?:

org.fedoraproject.config.*
org.opensuse.cupspkhelper.mechanism.*
org.libvirt.unix.*

Version-Release number of selected component (if applicable):
polkit-0.96-1.fc13
Comment 1 Steven Haigh 2010-09-14 01:49:17 EDT
This also seems to be an issue in F14 with:
polkit-0.98-4.fc14.i686

I am required to enter the root password 3 times to add a printer.
Comment 2 Stephen John Smoogen 2010-10-05 12:09:48 EDT
How does one add themselves as desktop_admin_r group?
Comment 3 Tim Waugh 2010-10-05 12:23:13 EDT
With the Users and Groups tool.  Select user, click Properties, select Group tab, tick desktop_admin_r group, click OK.
Comment 4 Steven Haigh 2010-10-05 12:29:28 EDT
Ah. Nice tip Tim. Should save me quite a few password entries ;)
Comment 5 Steven Haigh 2010-10-05 12:31:31 EDT
Oh, and for what its worth, these are still missing in F14.
Comment 6 Stephen John Smoogen 2010-10-05 12:38:41 EDT
SLAM. That is my hand against my head. I thought these were capability/Selinux items from their name and not /etc/group. 

groupadd -a -G desktop_admin_r <username> works also in that case.
Comment 7 Steven Haigh 2010-10-05 12:40:20 EDT
(In reply to comment #6)
> SLAM. That is my hand against my head. I thought these were capability/Selinux
> items from their name and not /etc/group. 
> 
> groupadd -a -G desktop_admin_r <username> works also in that case.

Yeah - to be honest, I thought they were for selinux stuff too - but didn't quite understand what was going on. Tims comment above turned on the lightbulb for me too :)
Comment 8 Tim Waugh 2010-11-30 13:38:03 EST
*** Bug 658555 has been marked as a duplicate of this bug. ***
Comment 9 Tim Waugh 2010-12-06 06:39:08 EST
*ping*

Would be great to get this fixed.
Comment 10 Bug Zapper 2011-06-02 09:16:13 EDT
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 11 Tim Waugh 2011-06-02 09:31:55 EDT
Yes, still applies to Fedora 15.  However there is now this:

/etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf

which specifies 'wheel' as an administrative group.  Should I also modify our default /etc/cups/cupsd.conf so that it recognises 'wheel' as a system group?
Comment 12 Ben Boeckel 2011-11-08 23:49:43 EST
It'd be nice for wheel to have authorization for org.freedesktop.UPower.* as well.
Comment 13 Adam Williamson 2012-03-02 16:33:53 EST
let's bump the version a bit. David, anything?



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 14 David Zeuthen 2012-03-03 13:52:41 EST
No, it doesn't make any sense to have some kind of "desktop admin" group so you can skip password dialogs - we tried it and it doesn't work [1]. The answer is really that the mechanism we ship should work out of the box, not that users should add themselves to some "admin" group to make their OS actually work. Hence, if you see useless password dialogs, just complain to the author of the mechanism that makes the password dialog appear.

The place to discuss this in upstream polkit is here

 https://bugs.freedesktop.org/show_bug.cgi?id=41008#c1

so I'm closing this as UPSTREAM. If you disagree, the place to discuss is in that upstream bug, not some downstream bugzilla.

[1] : we do have a 'wheel' group that is used to specify what "administrator authentication" means but that is different...
Comment 15 Tim Waugh 2012-03-05 08:15:21 EST
Re-opening as this still affects Fedora.  The policy in cups-pk-helper was designed by following the Fedora rules (AFAIR drafted by adamw, I can't find them now) on what the default polkit policies for mechanisms should be.

If those rules are no longer correct, let's just change the cups-pk-helper policy and fix this bug.
Comment 16 Adam Williamson 2012-03-05 17:54:50 EST
Tim: that policy proposal never made it out of draft, so you don't have to consider yourself to be bound by it. I certainly wouldn't; I'm no kind of security expert, I only ever drafted the policy as a starting point. It did get some discussion and refinement at the time, but I would still not invest any kind of confidence in it as a guideline, to be honest.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 17 Valent Turkovic 2012-06-14 05:50:27 EDT
Created attachment 591796 [details]
Screenshot from "gnome-control-center printers" asking for password

Screenshot from "gnome-control-center printers" asking for password
Comment 18 Valent Turkovic 2012-06-14 05:54:15 EDT
This is still an issue on Fedora 16 and 17, is has been 2 years and this issue has still not been resolved, why?

Why are Administrator users being asked for root pasword when editing printer options?

I have been asked during the install and I choose to put my user in Administrator group (wheel) but I still get asked all the time to provide password.

if I'm not mistaken this is the same issue that Linus Torvalds vented regarding same issue on OpenSuse - https://plus.google.com/102150693225130002912/posts/1vyfmNCYpi5

There is an simple fix on Fedora wiki:
http://fedoraproject.org/wiki/Printing/ConfigurationTool

Create a pklocalauthority file called /etc/polkit-1/localauthority/50-local.d/10-printer-config.pkla with this content: 

[Desktop Administrator Permissions]
Identity=unix-group:wheel
Action=org.opensuse.cupspkhelper.mechanism.*
ResultAny=no
ResultInactive=no
ResultActive=yes


So why isn't this being done?
Comment 19 Valent Turkovic 2012-10-10 07:40:08 EDT
I'm using Fedora 17 with all latest patches and this is still an open bug. Is anybody working on this? It is trivial to fix.
Comment 20 Marek Kašík 2012-10-10 10:20:18 EDT
Hi Valent,

I've just tested this and polkit asks me for my (non-root) password when I'm in "wheel" group on Fedora 17 and Fedora 18.

Marek
Comment 21 Adam Williamson 2012-10-10 19:52:16 EDT
/usr/share/polkit-1/actions/org.opensuse.cupspkhelper.mechanism.policy does seem to require auth_admin for most CUPS actions, so it _looks_ like it ought to work. i'll take a look at it myself if I can find a minute. valent, exactly what reproduction procedure are you using here?
Comment 22 Valent Turkovic 2012-10-12 09:04:59 EDT
Looks like it works now. I'll try a few different things and report back.
Comment 23 Tim Waugh 2013-02-01 06:59:21 EST
Seems to work OK in Fedora 18.  A user with account type 'Administrator' (I think this means 'in the wheel group'?) can add/modify/remove printers by providing their own password -- this is the same as is required for e.g. modifying the system time.
Comment 24 Marek Kašík 2013-04-23 11:03:04 EDT
(In reply to comment #22)
> Looks like it works now. I'll try a few different things and report back.

I'm closing this then.

Note You need to log in before you can comment on or make changes to this bug.