Soliciting help. -------- Forwarded Message -------->From my experience I think that cupsd executes backend tools with all uids andgids set to cups and no supplementary groups. In the case of USB printers the backends need to access /dev/usbctl and /dev/usb/foobar that corresponds to a printer. That means that the access to those devices must be somehow granted to cups:cups. How do people solve this? What kind of permissions / configuration do you use? P.S. Maybe I over-generalized the issue to all USB printers. My personal experience is with an HP printer handled by hplip / hplip-plugin. -- Andriy Gapon
On 09/17/14 08:00, Andriy Gapon wrote:> > Soliciting help. > > -------- Forwarded Message -------- > >>From my experience I think that cupsd executes backend tools with all uids and > gids set to cups and no supplementary groups. In the case of USB printers the > backends need to access /dev/usbctl and /dev/usb/foobar that corresponds to a > printer. That means that the access to those devices must be somehow granted to > cups:cups. > How do people solve this? What kind of permissions / configuration do you use? > > P.S. > Maybe I over-generalized the issue to all USB printers. My personal experience > is with an HP printer handled by hplip / hplip-plugin. >Hi, The /usr/ports/print/cups-base should be updated. The pkg-message should not say that: # FreeBSD 8.x add path 'usb*' mode 0770 group cups add path 'ugen*' mode 0660 group cups add path 'usb/0.2.*' mode 0660 group cups Is needed. This is wrong. Instead make cups-base install the attached devd configuration file in /usr/local/etc/devd/ which does the needed chown for printers only. --HPS _______________________________________________ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
On 09/17/14 08:00, Andriy Gapon wrote:> > Soliciting help. > > -------- Forwarded Message -------- > >>From my experience I think that cupsd executes backend tools with all uids and > gids set to cups and no supplementary groups. In the case of USB printers the > backends need to access /dev/usbctl and /dev/usb/foobar that corresponds to a > printer. That means that the access to those devices must be somehow granted to > cups:cups. > How do people solve this? What kind of permissions / configuration do you use? > > P.S. > Maybe I over-generalized the issue to all USB printers. My personal experience > is with an HP printer handled by hplip / hplip-plugin. >Hi, The /usr/ports/print/cups-base should be updated. The pkg-message should not say that: # FreeBSD 8.x add path 'usb*' mode 0770 group cups add path 'ugen*' mode 0660 group cups add path 'usb/0.2.*' mode 0660 group cups Is needed. This is wrong. Instead make cups-base install the attached devd configuration file in /usr/local/etc/devd/ which does the needed chown for printers only. --HPS -------------- next part -------------- # Generic USB printer devices notify 100 { match "system" "USB"; match "subsystem" "INTERFACE"; match "type" "ATTACH"; match "intclass" "0x07"; match "intsubclass" "0x01"; match "intprotocol" "(0x01|0x02|0x03)"; action "chown cups:cups /dev/$cdev"; };
There are a couple of similar issues currently. The other one that comes to
mind is that every X11 application that needs to use OpenGL (or similar) must
open /dev/dri/{something}, but the default permissions only permit root.
The correct solution is probably to ship a devfs.conf that puts these devices in
the a sensible group. For USB printers, we should probably have a printers
group and make cupsd run with that group (or set the GUI of cups and printers to
the same number if that's too difficult).
David
On 17 Sep 2014, at 07:00, Andriy Gapon <avg@FreeBSD.org> wrote:
>
> Soliciting help.
>
> -------- Forwarded Message --------
>
> From my experience I think that cupsd executes backend tools with all uids
and
> gids set to cups and no supplementary groups. In the case of USB printers
the
> backends need to access /dev/usbctl and /dev/usb/foobar that corresponds to
a
> printer. That means that the access to those devices must be somehow
granted to
> cups:cups.
> How do people solve this? What kind of permissions / configuration do you
use?
>
> P.S.
> Maybe I over-generalized the issue to all USB printers. My personal
experience
> is with an HP printer handled by hplip / hplip-plugin.
> --
> Andriy Gapon
>
>
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to
"freebsd-current-unsubscribe@freebsd.org"
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to
"freebsd-stable-unsubscribe@freebsd.org"
There are a couple of similar issues currently. The other one that comes to
mind is that every X11 application that needs to use OpenGL (or similar) must
open /dev/dri/{something}, but the default permissions only permit root.
The correct solution is probably to ship a devfs.conf that puts these devices in
the a sensible group. For USB printers, we should probably have a printers
group and make cupsd run with that group (or set the GUI of cups and printers to
the same number if that's too difficult).
David
On 17 Sep 2014, at 07:00, Andriy Gapon <avg at FreeBSD.org> wrote:
>
> Soliciting help.
>
> -------- Forwarded Message --------
>
> From my experience I think that cupsd executes backend tools with all uids
and
> gids set to cups and no supplementary groups. In the case of USB printers
the
> backends need to access /dev/usbctl and /dev/usb/foobar that corresponds to
a
> printer. That means that the access to those devices must be somehow
granted to
> cups:cups.
> How do people solve this? What kind of permissions / configuration do you
use?
>
> P.S.
> Maybe I over-generalized the issue to all USB printers. My personal
experience
> is with an HP printer handled by hplip / hplip-plugin.
> --
> Andriy Gapon
>
>
> _______________________________________________
> freebsd-current at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe at
freebsd.org"
On 17/09/2014 09:21, Hans Petter Selasky wrote:> On 09/17/14 08:00, Andriy Gapon wrote: >> >> Soliciting help. >> >> -------- Forwarded Message -------- >> >>> From my experience I think that cupsd executes backend tools with all uids and >> gids set to cups and no supplementary groups. In the case of USB printers the >> backends need to access /dev/usbctl and /dev/usb/foobar that corresponds to a >> printer. That means that the access to those devices must be somehow granted to >> cups:cups. >> How do people solve this? What kind of permissions / configuration do you use? >> >> P.S. >> Maybe I over-generalized the issue to all USB printers. My personal experience >> is with an HP printer handled by hplip / hplip-plugin. >> > > Hi, > > The /usr/ports/print/cups-base should be updated. > > The pkg-message should not say that: > > > # FreeBSD 8.x > add path 'usb*' mode 0770 group cups > add path 'ugen*' mode 0660 group cups > > add path 'usb/0.2.*' mode 0660 group cups > > Is needed. This is wrong. > > Instead make cups-base install the attached devd configuration file in > /usr/local/etc/devd/ which does the needed chown for printers only.The problem is that my printer does not work if I also do not change permissions on /dev/usbctl. But I do not really want /dev/usbctl to be owned by cups as there can be other services / users that need access to usbctl. Is there anything smarter than mucking with device ownership? In other words, I have no problem granting cups user or group a full access to all USB devices. I have a problem with changing owner or group of USB devices to cups, because that interferes with other accesses to those devices. -- Andriy Gapon _______________________________________________ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"