backend "/usr/lib/cups/backend/smb" has insecure permissions

Hello!
I’m trying to print to a network printer in my domain with kerberos authentication.
I had configured samba to authenticate trhought kerberos tickets and it works fine.

But when I define a cups printer:/etc/cups/printers.conf:
<DefaultPrinter CPD_KM1650>
UUID urn:uuid:47f4a06e-f9ba-353a-4e24-8f480621b3e8
Info Impresora sala CPD
Location CPD
MakeModel Ricoh Aficio MP 161 PS
DeviceURI smb://printsrv/CPD_KM1650
State Idle
StateTime 1382427829
Type 8425684
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy stop-printer
</Printer>

And try to print, then the queue return an error:
File “/usr/lib/cups/backend/smb” has insecure permissions (0104750/uid=0/gid=7)

I had been searching info for several days and I haven’t found any solution that works for me.

Please, I need your answers.

Kind regards
Juan.

Well, I don’t really know anything about kerberos authentication, but /usr/lib/cups/backend/smb is just a symlink on my system:

# ls -l /usr/lib/cups/backend/smb
lrwxrwxrwx 1 root root 28 10. Mär 2011  /usr/lib/cups/backend/smb -> /usr/bin/get_printing_ticket

where /usr/bin/get_printing_ticket looks like this:

# ls -l /usr/bin/get_printing_ticket
-rwsr-x--- 1 root lp 10592  6. Aug 12:35 /usr/bin/get_printing_ticket

If I understand your error message correctly, this seems to be different on your system. So please compare the permissions/ownership.

And /usr/bin/get_printing_ticket is contained in the package “samba-krb-printing”, maybe you don’t have that installed?

Thanks for the answer.

In my system is the same:

# ls -l /usr/lib/cups/backend/smblrwxrwxrwx 1 root root 28 Oct 22 08:50 /usr/lib/cups/backend/smb -> /usr/bin/get_printing_ticket

# ls -l /usr/bin/get_printing_ticket
-rwsr-x--- 1 root lp 10592 Aug  6 12:35 /usr/bin/get_printing_ticket

I have checked in /etc/permissions* the cups backend has the correct permissions:

# smb printing with kerberos authentication (#177114)
/usr/bin/get_printing_ticket                            root:lp           4750

I think that cups check wether this file has correct permissions. But This permissions 4750 are default and come from the installation of the backend throught the package samba-krb-printing.

Regards,
Juan

But your /usr/bin/get_printing_ticket doesn’t have 4750 permissions. That’s 0755.
AFAICS this is the setting in /etc/permissions.paranoid, so what do you have in /etc/sysconfig/permissions?

grep PERMISSION /etc/sysconfig/security

If it contains “paranoid” try to change that to “secure” (or add “/usr/bin/get_printing_ticket root:lp 4750” to /etc/permissions.local) and run “chkstat --system” afterwards. It should have the same permissions as on my system then (and hopefully work).

Maybe there’s a way to disable that check in cups, but I don’t know about that.

The code that a put in the above post was from a test and is not correct. I have modified the post and now apears ok. Despite, the problem continue with 4750 permissions.
But I’ve solved the problem changing the permissions to 700 and owner root.root like the other cups backends.

sudo chmod 700 /usr/lib/cups/backend/smb
sudo chown root.root /usr/lib/cups/backend/smb 

After that cups not show any error.

This maybe a bug. There is an inconsistency between /etc/permissions* and cups.

Thanks.
Kind regards,
Juan

You should file a bugreport at http://bugzilla.novell.org/ then. (same username/password as here in the forums)

Done.https://bugzilla.novell.com/show_bug.cgi?id=847212