From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: muradm <mail@muradm.net>
Cc: Ricardo Wurmus <rekado@elephly.net>, 63198-done@debbugs.gnu.org
Subject: bug#63198: cups-service-type uses PAM-enabled 'cups' by default which prevents authentication
Date: Tue, 23 May 2023 20:46:52 -0400 [thread overview]
Message-ID: <87353mimir.fsf@gmail.com> (raw)
In-Reply-To: <87edngon5j.fsf@muradm.net> (muradm's message of "Tue, 16 May 2023 08:17:56 +0300")
Hi muradm,
muradm <mail@muradm.net> writes:
[...]
>> Could you look into adding "regular" login PAM support instead of a
>> bypass disabled by default? The user should still be prompted for
>> its
>> password, and it should go through the PAM auth module.
>>
>> I'm not very PAM-aware, but I believe there are examples spread in
>> the
>> code base.
>
> This patch provides necessary configuration for proper PAM support.
> I decided to take screen-locker-service-type's configuration as
> basis, since it is was most simpliest and adequate enough for this
> case.
> This patch does not disables, baypasses or cheats PAM in any way.
> User may navigate to CUPS portal. In the event of administrative
> actions taken by user, CUPS portal asks user to authenticate.
> With this configuration, it will attempt to authenticate as local
> system user. In the event of proper system user/password supplied
> and positively authenticated against PAM using "cups" service name,
> user allowed to take administrative action. In the event of invalid
> system user/password supplied, CUPS portal will keep looping
> begging for password (just as in your original case). If user decides
> to Cancel the authentication dialog, CUPS portal is navigated to
> Unauthorized access informing page.
>
> Why would I submit something that it is not working?
I didn't mean to imply that it didn't work; I just thought that it was
somehow bypassing PAM (and the original problem it caused in the first
place). As I wrote earlier, I know next to nothing about PAM, and
misread your patch.
I've now installed the change. Thanks for the fix, and thanks to
Ricardo for the reminder.
--
Maxim
next prev parent reply other threads:[~2023-05-24 0:48 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-01 3:08 bug#63198: cups-service-type uses PAM-enabled 'cups' by default which prevents authentication Maxim Cournoyer
2023-05-03 12:46 ` Maxim Cournoyer
2023-05-13 13:43 ` muradm
2023-05-13 13:48 ` muradm
2023-05-15 15:13 ` Maxim Cournoyer
2023-05-15 15:12 ` Maxim Cournoyer
2023-05-13 18:38 ` bug#63198: [PATCH] services: cups: Add cups PAM service muradm
2023-05-15 15:24 ` bug#63198: cups-service-type uses PAM-enabled 'cups' by default which prevents authentication Maxim Cournoyer
2023-05-16 5:17 ` muradm
2023-05-24 0:46 ` Maxim Cournoyer [this message]
2023-05-24 11:37 ` muradm
2023-05-23 22:14 ` Ricardo Wurmus
2023-05-24 11:07 ` bug#63198: End-to-end tests Was: " Csepp
2023-05-24 11:28 ` muradm
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87353mimir.fsf@gmail.com \
--to=maxim.cournoyer@gmail.com \
--cc=63198-done@debbugs.gnu.org \
--cc=mail@muradm.net \
--cc=rekado@elephly.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).