[gentoo-user] cups settup broken? - please help

[gentoo-user] cups settup broken? - please help

[Helmut Jarausch]

Hi,
recently I have problems with CUPS (1.6.2) with cups-filters-1.0.34

I see lots of strange error messages in /var/log/cups/error_log like


Filter "pdftops" not found.

  but there is a /usr/libexec/cups/filter/pdftops

   and then


ps: File "/etc/cups/${EPREFIX}/usr/libexec/cups/filter/commandtops" not  
available: No such file or directory

These paths look strange.

Does any know what's going on here?

Many thanks for a hint,
Helmut.

Re: [gentoo-user] cups settup broken? - please help

[Yuri K. Shatroff]

On 14.05.2013 13:05, Helmut Jarausch wrote:
> Hi,
> recently I have problems with CUPS (1.6.2) with cups-filters-1.0.34
>
> I see lots of strange error messages in /var/log/cups/error_log like
>
>
> Filter "pdftops" not found.
>
>   but there is a /usr/libexec/cups/filter/pdftops
>
>    and then
>
>
> ps: File "/etc/cups/${EPREFIX}/usr/libexec/cups/filter/commandtops" not
> available: No such file or directory
>
> These paths look strange.
>
> Does any know what's going on here?
>
> Many thanks for a hint,
> Helmut.

Hi Helmut,
I also had this problem after installing CUPS. There is a trouble with 
permissions, AFAIR you need to check that /var/spool/cups is accessible 
to your user: that is, ensure that you're in the lp group and 
/var/spool/cups group is lp. I can not be sure that this dir was the 
only one to check but it was the permissions which was the problem.

-- 
Best wishes,
Yuri K. Shatroff

Re: [gentoo-user] cups settup broken? - please help

[Helmut Jarausch]

On 05/14/2013 11:15:29 AM, Yuri K. Shatroff wrote:
> On 14.05.2013 13:05, Helmut Jarausch wrote:
>> Hi,
>> recently I have problems with CUPS (1.6.2) with cups-filters-1.0.34
>> 
>> I see lots of strange error messages in /var/log/cups/error_log like
>> 
>> 
>> Filter "pdftops" not found.
>> 
>>   but there is a /usr/libexec/cups/filter/pdftops
>> 
>>    and then
>> 
>> 
>> ps: File "/etc/cups/${EPREFIX}/usr/libexec/cups/filter/commandtops"  
>> not
>> available: No such file or directory
>> 
>> These paths look strange.
>> 
>> Does any know what's going on here?
>> 
>> Many thanks for a hint,
>> Helmut.
> 
> Hi Helmut,
> I also had this problem after installing CUPS. There is a trouble  
> with permissions, AFAIR you need to check that /var/spool/cups is  
> accessible to your user: that is, ensure that you're in the lp group  
> and /var/spool/cups group is lp. I can not be sure that this dir was  
> the only one to check but it was the permissions which was the  
> problem.



Thanks Juri.
What do you mean by 'accessible' - here I have only group execute  
permission, i.e.

ls -ld /var/spool/cups  gives
drwx--x--- 3 root lp 32768 May 14 11:37 /var/spool/cups

And what do you have in /etc/cups/cups-files.conf

Here I still have

# Default user and group for filters/backends/helper programs; this  
cannot be
# any user or group that resolves to ID 0 for security reasons...
#User lp
#Group lp

# Administrator user group, used to match @SYSTEM in cupsd.conf policy  
rules...
SystemGroup lpadmin


# User that is substituted for unauthenticated (remote) root accesses...
#RemoteRoot remroot

Many thanks again
Helmut.

Re: [gentoo-user] cups settup broken? - please help

[Yuri K. Shatroff]

On 14.05.2013 13:42, Helmut Jarausch wrote:
> On 05/14/2013 11:15:29 AM, Yuri K. Shatroff wrote:
>> On 14.05.2013 13:05, Helmut Jarausch wrote:
>>> Hi,
>>> recently I have problems with CUPS (1.6.2) with cups-filters-1.0.34
>>>
>>> I see lots of strange error messages in /var/log/cups/error_log like
>>>
>>>
>>> Filter "pdftops" not found.
>>>
>>>   but there is a /usr/libexec/cups/filter/pdftops
>>>
>>>    and then
>>>
>>>
>>> ps: File "/etc/cups/${EPREFIX}/usr/libexec/cups/filter/commandtops" not
>>> available: No such file or directory
>>>
>>> These paths look strange.
>>>
>>> Does any know what's going on here?
>>>
>>> Many thanks for a hint,
>>> Helmut.
>>
>> Hi Helmut,
>> I also had this problem after installing CUPS. There is a trouble with
>> permissions, AFAIR you need to check that /var/spool/cups is
>> accessible to your user: that is, ensure that you're in the lp group
>> and /var/spool/cups group is lp. I can not be sure that this dir was
>> the only one to check but it was the permissions which was the problem.
>
>
>
> Thanks Juri.
> What do you mean by 'accessible' - here I have only group execute
> permission, i.e.
>
> ls -ld /var/spool/cups  gives
> drwx--x--- 3 root lp 32768 May 14 11:37 /var/spool/cups

Accessible really means accessible, i.e. when you are able to chdir to 
it and see its contents.
Apparently, the dir lacks "group read" permission, i.e. it should be
drwxr-x---
the `execute` bit alone doesn't allow one to access the directory.
That is probably a portage bug or sort of.

> And what do you have in /etc/cups/cups-files.conf

Actually I didn't even look there. Yes, everything is the same.

> Here I still have
>
> # Default user and group for filters/backends/helper programs; this
> cannot be
> # any user or group that resolves to ID 0 for security reasons...
> #User lp
> #Group lp
>
> # Administrator user group, used to match @SYSTEM in cupsd.conf policy
> rules...
> SystemGroup lpadmin
>
>
> # User that is substituted for unauthenticated (remote) root accesses...
> #RemoteRoot remroot
>
> Many thanks again
> Helmut.
>


-- 
Best wishes,
Yuri K. Shatroff

Re: [gentoo-user] cups settup broken? - please help

[Helmut Jarausch]

On 05/14/2013 11:55:23 AM, Yuri K. Shatroff wrote:
> On 14.05.2013 13:42, Helmut Jarausch wrote:
>> On 05/14/2013 11:15:29 AM, Yuri K. Shatroff wrote:
>>> On 14.05.2013 13:05, Helmut Jarausch wrote:
>>>> Hi,
>>>> recently I have problems with CUPS (1.6.2) with cups-filters-1.0.34
>>>> 
>>>> I see lots of strange error messages in /var/log/cups/error_log  
>>>> like
>>>> 
>>>> 
>>>> Filter "pdftops" not found.
>>>> 
>>>>   but there is a /usr/libexec/cups/filter/pdftops
>>>> 
>>>>    and then
>>>> 
>>>> 
>>>> ps: File  
>>>> "/etc/cups/${EPREFIX}/usr/libexec/cups/filter/commandtops" not
>>>> available: No such file or directory
>>>> 
>>>> These paths look strange.
>>>> 
>>>> Does any know what's going on here?
>>>> 
>>>> Many thanks for a hint,
>>>> Helmut.
>>> 
>>> Hi Helmut,
>>> I also had this problem after installing CUPS. There is a trouble  
>>> with
>>> permissions, AFAIR you need to check that /var/spool/cups is
>>> accessible to your user: that is, ensure that you're in the lp group
>>> and /var/spool/cups group is lp. I can not be sure that this dir was
>>> the only one to check but it was the permissions which was the  
>>> problem.
>> 
>> 
>> 
>> Thanks Juri.
>> What do you mean by 'accessible' - here I have only group execute
>> permission, i.e.
>> 
>> ls -ld /var/spool/cups  gives
>> drwx--x--- 3 root lp 32768 May 14 11:37 /var/spool/cups
> 
> Accessible really means accessible, i.e. when you are able to chdir  
> to it and see its contents.
> Apparently, the dir lacks "group read" permission, i.e. it should be
> drwxr-x---
> the `execute` bit alone doesn't allow one to access the directory.
> That is probably a portage bug or sort of.

But then any user of group 'lp' on that machine can read what others  
have spooled for printing.
Isn't this a security breach?


Thanks,
Helmut.

Re: [gentoo-user] cups settup broken? - please help

[Yuri K. Shatroff]

On 14.05.2013 13:55, Yuri K. Shatroff wrote:
> On 14.05.2013 13:42, Helmut Jarausch wrote:
>> On 05/14/2013 11:15:29 AM, Yuri K. Shatroff wrote:
>>> On 14.05.2013 13:05, Helmut Jarausch wrote:
>>>> Hi,
>>>> recently I have problems with CUPS (1.6.2) with cups-filters-1.0.34
>>>>
>>>> I see lots of strange error messages in /var/log/cups/error_log like
>>>>
>>>>
>>>> Filter "pdftops" not found.
>>>>
>>>>   but there is a /usr/libexec/cups/filter/pdftops
>>>>
>>>>    and then
>>>>
>>>>
>>>> ps: File "/etc/cups/${EPREFIX}/usr/libexec/cups/filter/commandtops" not
>>>> available: No such file or directory
>>>>
>>>> These paths look strange.
>>>>
>>>> Does any know what's going on here?
>>>>
>>>> Many thanks for a hint,
>>>> Helmut.
>>>
>>> Hi Helmut,
>>> I also had this problem after installing CUPS. There is a trouble with
>>> permissions, AFAIR you need to check that /var/spool/cups is
>>> accessible to your user: that is, ensure that you're in the lp group
>>> and /var/spool/cups group is lp. I can not be sure that this dir was
>>> the only one to check but it was the permissions which was the problem.
>>
>>
>>
>> Thanks Juri.
>> What do you mean by 'accessible' - here I have only group execute
>> permission, i.e.
>>
>> ls -ld /var/spool/cups  gives
>> drwx--x--- 3 root lp 32768 May 14 11:37 /var/spool/cups
>
> Accessible really means accessible, i.e. when you are able to chdir to
> it and see its contents.
> Apparently, the dir lacks "group read" permission, i.e. it should be
> drwxr-x---
> the `execute` bit alone doesn't allow one to access the directory.
> That is probably a portage bug or sort of.

Well, sorry, I must be wrong, I have the same
drwx--x---
on /var/spool/cups. But I remember that I had to change permissions 
somewhere to make the filter work... I was in a hurry so I can't recall 
the exact place, alas.


-- 
Best wishes,
Yuri K. Shatroff

Re: [gentoo-user] cups settup broken? - please help

[Alan McKinnon]

On 14/05/2013 12:00, Helmut Jarausch wrote:
> On 05/14/2013 11:55:23 AM, Yuri K. Shatroff wrote:
>> On 14.05.2013 13:42, Helmut Jarausch wrote:
>>> On 05/14/2013 11:15:29 AM, Yuri K. Shatroff wrote:
>>>> On 14.05.2013 13:05, Helmut Jarausch wrote:
>>>>> Hi,
>>>>> recently I have problems with CUPS (1.6.2) with cups-filters-1.0.34
>>>>>
>>>>> I see lots of strange error messages in /var/log/cups/error_log like
>>>>>
>>>>>
>>>>> Filter "pdftops" not found.
>>>>>
>>>>>   but there is a /usr/libexec/cups/filter/pdftops
>>>>>
>>>>>    and then
>>>>>
>>>>>
>>>>> ps: File "/etc/cups/${EPREFIX}/usr/libexec/cups/filter/commandtops"
>>>>> not
>>>>> available: No such file or directory
>>>>>
>>>>> These paths look strange.
>>>>>
>>>>> Does any know what's going on here?
>>>>>
>>>>> Many thanks for a hint,
>>>>> Helmut.
>>>>
>>>> Hi Helmut,
>>>> I also had this problem after installing CUPS. There is a trouble with
>>>> permissions, AFAIR you need to check that /var/spool/cups is
>>>> accessible to your user: that is, ensure that you're in the lp group
>>>> and /var/spool/cups group is lp. I can not be sure that this dir was
>>>> the only one to check but it was the permissions which was the problem.
>>>
>>>
>>>
>>> Thanks Juri.
>>> What do you mean by 'accessible' - here I have only group execute
>>> permission, i.e.
>>>
>>> ls -ld /var/spool/cups  gives
>>> drwx--x--- 3 root lp 32768 May 14 11:37 /var/spool/cups
>>
>> Accessible really means accessible, i.e. when you are able to chdir to
>> it and see its contents.
>> Apparently, the dir lacks "group read" permission, i.e. it should be
>> drwxr-x---
>> the `execute` bit alone doesn't allow one to access the directory.
>> That is probably a portage bug or sort of.
> 
> But then any user of group 'lp' on that machine can read what others
> have spooled for printing.
> Isn't this a security breach?

Not by itself, not really.

Read on a directory lets; you read the directory inode. In other words
"ls" will work.

To see other's spool files, you need at least read on each individual
file. As a parallel, this is what makes "cat" work.

So read on a dir is not by itself a security risk, unless you want to
prohibit people even seeing who else has spool files at all. Doing that
cannot be done with Unix permissions alone (and it's a real PITA
deploying a way to do it, which is why we usually don't)




-- 
Alan McKinnon
alan.mckinnon@gmail.com

Re: [gentoo-user] cups settup broken? - please help

[Yuri K. Shatroff]

On 14.05.2013 14:05, Alan McKinnon wrote:
> Read on a directory lets; you read the directory inode. In other words
> "ls" will work.
>
> To see other's spool files, you need at least read on each individual
> file. As a parallel, this is what makes "cat" work.

Yes, of course; I obviously had a sudden eclipse of mind...
I'm sorry.

-- 
Best wishes,
Yuri K. Shatroff

Re: [gentoo-user] cups settup broken? - please help

[Charles Waldman]

[-- Attachment #1: Type: text/plain, Size: 1027 bytes --]

Hi - saw this thread about CUPS, I've seen the same problems since a recent upgrade, I don't think it's a permissions issue.  The clue is in this error message:

"/etc/cups/${EPREFIX}/usr/libexec/cups/filter/commandtops"  file not found

The string "${EPREFIX}" is appearing in that file name unexpanded; i.e. rather than treating EPREFIX as an environment variable, CUPS is actually looking for a directory literally called "/etc/cups/${EPREFIX}".  This looks like an install-time bug.  I will file a Gentoo bug report if it's not already filed.  But, in the meanwhile, there's a very hackish workaround:

#  cd /etc/cups
# ln -s /  '${EPREFIX}'   # quotes needed!

which will create a symlink

lrwxrwxrwx 1 root root    1 May 13 18:11 /etc/cups/${EPREFIX} -> /

After this, the path

"/etc/cups/${EPREFIX}/usr/libexec/cups/filter/commandtops"  

will resolve to /usr/libexec/cups/filter/commandtops

and you should have a working CUPS again.

Just a workaround hack, not a nice solution!  

Hope this helps,

  - Charles