Bug#901529: cups: SystemGroup options cannot work with account/group NSS providers if don't enumerate groups
Package: cups
Version: 1.7.5-11+deb8u2
Severity: normal
Dear Maintainer,
I've found that setting 'SystemGroup' opton in cups-files.conf does not work
if the NSS provider does not enumerate group (eg, 'getent group <groupname>'
does not return the list of users).
Some examples:
a) using winbind nss providers. My user is correctly in 'printops' group:
root@vdmsv1:~# id gaio
uid=10000(gaio) gid=10513(domain users) gruppi=10513(domain users),11001(sir),10999(unixadm),10998(printops),5001(BUILTIN\users),5000(BUILTIN\administrators)
but if i check 'printops' groups there's no 'gaio' users:
root@vdmsv1:~# getent group printops
printops:x:10998:
and this is normal, Samba team suggest to disable users and group
enumeration for performance reasons.
b) using pam_groups (eg /etc/security/group.conf) to assign some local
groups to users:
gaio@vdmsv1:~$ id
uid=10000(gaio) gid=10513(domain users) gruppi=10513(domain users),4(adm),20(dialout),24(cdrom),25(floppy),46(plugdev),5000(BUILTIN\administrators),5001(BUILTIN\users),10998(printops),10999(unixadm),11001(sir)
but still no group enumeration:
gaio@vdmsv1:~$ getent group lpadmin
lpadmin:x:119:
and this is again normal, pam_groups add group membership dynamically on
logon (pam auth context).
In both way, eg, trying to use 'printops' group or 'lpadmin' group as
SystemGroup does not work, eg i can login to CUPS web interface with user
gaio, but without '@SYSTEM' privileges.
-- System Information:
Debian Release: 8.10
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages cups depends on:
ii cups-client 1.7.5-11+deb8u2
ii cups-common 1.7.5-11+deb8u2
ii cups-core-drivers 1.7.5-11+deb8u2
ii cups-daemon 1.7.5-11+deb8u2
ii cups-filters 1.0.61-5+deb8u3
ii cups-ppdc 1.7.5-11+deb8u2
ii cups-server-common 1.7.5-11+deb8u2
ii debconf [debconf-2.0] 1.5.56+deb8u1
ii ghostscript 9.06~dfsg-2+deb8u6
ii libavahi-client3 0.6.31-5
ii libavahi-common3 0.6.31-5
ii libc-bin 2.19-18+deb8u10
ii libc6 2.19-18+deb8u10
ii libcups2 1.7.5-11+deb8u2
ii libcupscgi1 1.7.5-11+deb8u2
ii libcupsimage2 1.7.5-11+deb8u2
ii libcupsmime1 1.7.5-11+deb8u2
ii libcupsppdc1 1.7.5-11+deb8u2
ii libgcc1 1:4.9.2-10+deb8u1
ii libstdc++6 4.9.2-10+deb8u1
ii libusb-1.0-0 2:1.0.19-1
ii lsb-base 4.1+Debian13+nmu1
ii poppler-utils 0.26.5-2+deb8u4
ii procps 2:3.3.9-9+deb8u1
Versions of packages cups recommends:
ii avahi-daemon 0.6.31-5
ii colord 1.2.1-1+b2
ii cups-filters [ghostscript-cups] 1.0.61-5+deb8u3
ii printer-driver-gutenprint 5.2.10-3
Versions of packages cups suggests:
pn cups-bsd <none>
pn cups-pdf <none>
pn foomatic-db-compressed-ppds | foomatic-db <none>
ii hplip 3.14.6-1+deb8u1
ii printer-driver-hpcups 3.14.6-1+deb8u1
ii smbclient 2:4.5.12+dfsg-2+deb9u2~bpo8+1
ii udev 215-17+deb8u7
-- debconf information:
* cupsys/backend: lpd, socket, usb, snmp, dnssd
* cupsys/raw-print: true
Reply to: