What group does a user need to belong to to permit cancellation of jobs, without needing the root password? Alternatively, can someone tell me how to set up the printer administration tool to allow non-root users to cancel their own jobs, preferably without requiring authentication?
On 2013-10-30 21:26, haughtonomous wrote:
>
> What group does a user need to belong to to permit cancellation of jobs,
> without needing the root password?
You can only cancel your own jobs.
If you want that somebody can cancel jobs from other people, you have to
adjust the configuration file. It has comments, and the localhost:631
page has help.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
What openSUSE Desktop do you use? Can you tell us about your printer hardware and how you installed it?
Thank You,
The CUPS admin groups are defined in /etc/cups/cupsd.conf, and by default it is as follows
SystemGroup sys root
So the user account should be configured as a member of the ‘sys’ group accordingly.
Thanks for the information
The default Gnome desktop for 12.3.
I think the printer itself is academic. I just want the user to be able to cancel her own jobs (using the Print Settings tool) without needing the root password.
My question concerned how to cancel your own jobs without needing root privileges, so you don’t need to enter the root password to do so. I don’t want the user to cancel another user’s jobs.
Unfortunately it doesn’t make any difference. With the user a member of the sys group, she still has to enter a root password to cancel a print job.
This means that for anyone to manage their own print jobs, they have to know the root password. A security risk for any system, surely? There must be an easy way to suppress this and allow a user to manage their own print jobs!
Not true. The user can supply their own credentials as well.
The CUPS policies are set in cupsd.conf
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
If you’re the administrator, you are free to change them as you like (as described in the CUPS documentation)
I missed this info before- I’m a KDE user, and I usually cancel jobs via the CLI or the CUPS web interface when the need arises. However, Gnome provides the graphical ‘system-config-printer’ tool, which does behave a bit differently AFAIU. In particular, maybe polkit is coming into play with this utility, as described here:
Printing/ConfigurationTool - FedoraProject
Bug report
https://bugzilla.redhat.com/show_bug.cgi?id=596711
Is this the case?
On 2013-10-31 07:56, haughtonomous wrote:
> My question concerned how to cancel your own jobs without needing root
> privileges, so you don’t need to enter the root password to do so. I
> don’t want the user to cancel another user’s jobs.
Well, as I said, a user can cancel his own jobs with no problem. At
least from the CLI and web.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
I think that he’s referring to the Gnome utility behaviour (now that I’ve had a more careful read) 
On 2013-10-31 07:56, haughtonomous wrote:
> I think the printer itself is academic. I just want the user to be able
> to cancel her own jobs (using the Print Settings tool) without needing
> the root password.
Look:
cer@Telcontar:~> lpq
cp1510n_ps is ready and printing
Rank Owner Job File(s) Total Size
active cer 2335 hello 1024 bytes
cer@Telcontar:~> lprm 2335
cer@Telcontar:~> lpq
cp1510n_ps is ready
no entries
cer@Telcontar:~>
Now try the same on your printer. The file “hello” is a one line text
file, and the printer is off at the moment (or you don’t have time to
cancel it). If that works on your machine, but the gnome printer manager
can not do it, then it is a bug in gnome.
Alternatively, remember that
hhtp://localhost:631
controls the printers.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
On 2013-10-31 10:06, deano ferrari wrote:
> I think that he’s referring to the Gnome utility behaviour (now that
> I’ve had a more careful read) 
Yes, and you say that polkit might have a play. I would first test the
CLI, then if gnome tool does not work, report bug.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
I don’t somehow think the cli approach is going to cut it with my wife. I’ll try the URL approach, if I can’t do this with the Gnome printer utility (“Ptinter Settings” tool).
On 2013-10-31 13:26, haughtonomous wrote:
> I don’t somehow think the cli approach is going to cut it with my wife.
> I’ll try the URL approach, if I can’t do this with the Gnome printer
> utility (“Ptinter Settings” tool).
It doesn’t matter if you wife wants to use it or not. I simply intended
you to find out if it works or not. If it doesn’t work, there is
something broken in your system, and no other method will work.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
I installed ‘system-config-printer’ to test the behaviour. (I’m using KDE 4.10 and openSUSE 12.2). I can confirm that it requests root credentials as haughtonomous has already indicated. There is a ‘org.opensuse.cupspkhelper.mechanism.job-edit.pkla’ policy file located in '/var/lib/polkit-1/localauthority/10-vendor.d/ that defines the authentication rules for cancelling a print job. The ‘cups-pk-helper’ package is responsible for setting the applicable default policies.
By default, 'org.opensuse.cupspkhelper.mechanism.job-edit.pkla is configured like this
[org.opensuse.cupspkhelper.mechanism.job-edit]
Identity=unix-group:*
Action=org.opensuse.cupspkhelper.mechanism.job-edit
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=auth_admin_keep
I changed it to
[org.opensuse.cupspkhelper.mechanism.job-edit]
Identity=unix-group:*
Action=org.opensuse.cupspkhelper.mechanism.job-edit
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=yes
then proceeded to cancel a print job via ‘system’config-printer’ with no credentials now requested.
The workaround suggested in the Fedora page I linked to should work too. It is mentioned there
The printing configuration tool uses PolicyKit when configuring CUPS on the local machine. For normal IPP operations the policy determining who gets to modify what is defined in the CUPS configuration file /etc/cups/cupsd.conf. Configuring CUPS using PolicyKit (cups-pk-helper) is an extra mechanism with its own policy.
There have been a number of polkit changes with openSUSE versions, so the rule name and/or location may be different for openSUSE 12.3.
On 2013-10-31 21:36, deano ferrari wrote:
> I installed ‘system-config-printer’ to test the behaviour. (I’m using
> KDE 4.10 and openSUSE 12.2). I can confirm that it requests root
> credentials as haughtonomous has already indicated.
Interesting!
> There is a
> ‘org.opensuse.cupspkhelper.mechanism.job-edit.pkla’ policy file located
…
> then proceeded to cancel a print job via ‘system’config-printer’ with no
> credentials now requested.
Interesting… thanks.
Curious that they intentionally force those permissions when cups
doesn’t. I hadn’t noticed, because I always use the CLI to cancel a
print job, or the control web page.
IMO, this is a bug.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
I think CUPS has been ‘protected’ from being polkit aware, by the fact it is largely driven by Apple. However, Gnome is quite integrated with ‘freedesktop.org’, so it doesn’t surprise me to find issues like this.
I hadn’t noticed, because I always use the CLI to cancel a
print job, or the control web page.
Me too.
IMO, this is a bug.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
Yes, I think it should be treated as such too. I dislike overly restrictive policies like this.
I note from
cat /usr/share/doc/packages/cups-pk-helper/README
cups-pk-helper
==============
http://www.freedesktop.org/wiki/Software/cups-pk-helper
cups-pk-helper is a PolicyKit helper to configure cups with fine-grained
privileges.
For example, it's possible to let users enable/disable printers without
requiring a password, while still requiring a password for editing printer
settings. The full list of policies is described in
src/org.opensuse.cupspkhelper.mechanism.policy.in.
You may download updates to the package from:
http://www.freedesktop.org/software/cups-pk-helper/releases/
Installation
============
See the file 'INSTALL'. If you are not using a released version of
cups-pk-helper (for example, if you checked out the code from git), you
first need to run './autogen.sh'.
How to report bugs
==================
Bugs should be reported to the freedesktop.org bug tracking system:
https://bugs.freedesktop.org/ (product cups-pk-helper)
You will need to create an account for yourself.
Please read the following page on how to prepare a useful bug report:
https://bugs.freedesktop.org/page.cgi?id=bug-writing.html
Please read the HACKING file for information on where to send changes or
bugfixes for this package.
The issue described here is related to the bug reported here
https://bugzilla.novell.com/show_bug.cgi?id=749451
and upstream
https://bugs.freedesktop.org/show_bug.cgi?format=multiple&id=46943