bug#63198: cups-service-type uses PAM-enabled 'cups' by default which prevents authentication

[Maxim Cournoyer <maxim.cournoyer@gmail.com>]

Hi muradm,

muradm <mail@muradm.net> writes:

[...]

>> Could you look into adding "regular" login PAM support instead of a
>> bypass disabled by default?  The user should still be prompted for
>> its
>> password, and it should go through the PAM auth module.
>>
>> I'm not very PAM-aware, but I believe there are examples spread in
>> the
>> code base.
>
> This patch provides necessary configuration for proper PAM support.
> I decided to take screen-locker-service-type's configuration as
> basis, since it is was most simpliest and adequate enough for this
> case.
> This patch does not disables, baypasses or cheats PAM in any way.
> User may navigate to CUPS portal. In the event of administrative
> actions taken by user, CUPS portal asks user to authenticate.
> With this configuration, it will attempt to authenticate as local
> system user. In the event of proper system user/password supplied
> and positively authenticated against PAM using "cups" service name,
> user allowed to take administrative action. In the event of invalid
> system user/password supplied, CUPS portal will keep looping
> begging for password (just as in your original case). If user decides
> to Cancel the authentication dialog, CUPS portal is navigated to
> Unauthorized access informing page.
>
> Why would I submit something that it is not working?

I didn't mean to imply that it didn't work; I just thought that it was
somehow bypassing PAM (and the original problem it caused in the first
place).  As I wrote earlier, I know next to nothing about PAM, and
misread your patch.

I've now installed the change.  Thanks for the fix, and thanks to
Ricardo for the reminder.

-- 
Maxim