Cups lppasswd problems in 11.0

Hello all,

I have used CUPS for my printing for a long time now (since 10.2).

When I upgraded from 10.3 to 11.0 and tried to use lppasswd to set up a root account and password, I got the error:

lppasswd: Unable to open password file: Permission denied

Permission denied? I am running lppasswd as root!

I have tried ‘lppasswd -g sys -a root’ and it doesn’t work either…

Can anyone shed some light on my predicament?

Many thanks

Post the output of

cat /etc/cups/cupsd.conf

It should have the line

Administrator user group…

SystemGroup sys root

As I understand things (and it works for me), I can configure via the CUPS web interface as root with root password ok.

I get the same error with the lppasswd command, but it does not affect my CUPS configuration.

# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
LogLevel info

# Administrator user group...
SystemGroup sys root


# Only listen for connections from the local machine.
Listen localhost:631
Listen /var/run/cups/cups.sock

# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow all

# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Restrict access to the server...
<Location />
  Order allow,deny
  Allow 127.0.0.2
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Encryption Required
  Order allow,deny
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
</Location>

# Set the default printer/job policies...
<Policy default>
  # Job-related operations must be done by the owner or an administrator...
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

#
# End of "$Id: cupsd.conf.in 7199 2008-01-08 00:16:30Z mike $".
#

when you say it works with root password, do you mean your superuser root password, or the root password you set through lppasswd?


The superuser account with root password works for me for cups administration. (I’m not able to add or delete any other accounts with lppasswd though as others have also reported).

Looking into this lppasswd issue a little more, I found that the owner of this file is ‘lp - sys’ by default. This will limit the actions you can take with adding users etc. They say a little knowledge is dangerous, so I can see steps have been taken to enhance the security of CUPS (i.e. this is not a bug).

Anyway, if you want to take control back again, then you can do the following:

chown root /usr/bin/lppasswd

Now you will find you can do

lppasswd -g sys -a anythingyoulike

I actually think (in my limited user experience) that this is not needed, and that all configuration can be done via cupsd.conf editing (as root) and the CUPS interface or yast printer utility, but maybe some users have good reason to use lppasswd to add users etc. If so, go ahead and change ownership as explained above. Hope this clarifies things.

Thank you so much, I will give it a try and get back to you,

all configuration can be done via cupsd.conf editing (as root) and the CUPS interface or yast printer utility

Actually, for me, neither the CUPS interface nor yast actually completely configured the printer without the authorization error.

thank you again,

CUPS uses PAM, not lppasswd anymore.
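
What that reply means for the configuration posted earlier in the thread, as an added example that is not part of any post: in CUPS 1.x, `AuthType Basic` checks system accounts through PAM, while `Digest` and `BasicDigest` check the passwd.md5 file that lppasswd maintains. The function names and the sample file below are hypothetical, the sample is a constructed excerpt of the posted cupsd.conf, and treating an unset DefaultAuthType as Basic is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: which credential store backs each AuthType.
# Basic -> system accounts (PAM); Digest/BasicDigest -> passwd.md5 (lppasswd).
cups_auth_report() {
    awk '
    function store(t) {
        t = tolower(t)
        if (t == "basic") return "system accounts via PAM"
        if (t == "digest" || t == "basicdigest") return "passwd.md5 via lppasswd"
        return "other"
    }
    /^[ \t]*#/ { next }
    $1 == "SystemGroup" { $1 = ""; sub(/^ /, ""); groups = $0; next }
    $1 == "DefaultAuthType" { dflt = $2; next }
    $1 == "<Location" || $1 == "<Limit" {
        # Label the block by its path, or by its first operation for <Limit>.
        name = $2; sub(/>$/, "", name)
        ctx = substr($1, 2) " " name; if (NF > 2) ctx = ctx " ..."
        next
    }
    $1 ~ /^<\/(Location|Limit)>/ { ctx = ""; next }
    $1 == "AuthType" { n++; where[n] = ctx; type[n] = $2 }
    END {
        if (dflt == "") dflt = "Basic"  # assumption: cupsd default when unset
        printf "SystemGroup: %s\n", groups
        printf "DefaultAuthType: %s (%s)\n", dflt, store(dflt)
        for (i = 1; i <= n; i++) {
            # "AuthType Default" inherits whatever DefaultAuthType says.
            eff = (tolower(type[i]) == "default") ? dflt : type[i]
            printf "%s: AuthType %s -> %s\n", where[i], type[i], store(eff)
        }
    }' "$1"
}
# Succeeds only if some setting consults the lppasswd-managed file.
uses_lppasswd() { cups_auth_report "$1" | grep -q 'passwd.md5'; }
# Constructed sample: a few directives excerpted from the config posted above.
sample_conf() {
    cat <<'EOF'
SystemGroup sys root
DefaultAuthType Basic
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
</Location>
EOF
}
tmp=$(mktemp) && sample_conf > "$tmp"
cups_auth_report "$tmp"
uses_lppasswd "$tmp" || echo "lppasswd accounts are not consulted by this config"
rm -f "$tmp"
```

With `DefaultAuthType Basic`, every `AuthType Default` block resolves to system accounts, which matches the reports above that the superuser password works in the web interface regardless of what lppasswd does.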

Today I upgraded to openSUSE 11.0 on one of my computers, bumped into the same problem and found a rather strange solution.

When I opened the CUPS administration page (localhost:631) with Konqueror, authentication never worked. (I tried to play with /etc/cups/cupsd.conf but without any success.)

However, when I opened the same page with Opera, even the displayed picture was different, and with my root password everything worked fine.

All in all, I have no idea what I did today and why it worked, but my network printer works fine.

One more little - and maybe unimportant - detail to my previous post: during the trial and error process at one point I have overwritten the /etc/cups/cupsd.conf file with /etc/cups/cupsd.conf.default.

Maybe it did not have any effect because the two seemed to be rather identical, but I am not sure.