[cups.general] CGI script not authenticating correctly to parent process?

Alex Korobkin korobkin+cups at gmail.com
Fri Oct 12 10:50:51 PDT 2012


Hello team,

I recently posted a question about a broken pipe error, and eventually found
out what was actually happening. Now I'm looking for clues as to why this
would happen.

Problem:
CUPS 1.5.4 on Ubuntu 10.04 x64. A user authenticates to the CUPS admin
interface, goes to the Set Default Options menu for a printer, tries to
change the default options, and receives a Broken Pipe error.

What I found out:
Child process admin.cgi reads all the options, tries to change them with a
"POST /admin/" request, and receives "401 Not authenticated" from the
parent process. The parent process closes the pipe (cups.sock) and the child
process cannot communicate with it anymore. "cupsdAuthorize: No
authentication data provided." is written to the error_log.

Question:
Why would the child process suddenly be unable to authenticate to the parent?
It works fine if a printer is added, removed, etc., but changing default
options always fails with this error. The user is a member of the cups-admins
group listed below.

Log excerpt:
D [12/Oct/2012:15:32:30 +0000] [CGI] Setting options...
d [12/Oct/2012:15:32:30 +0000] cupsdReadClient(con=0x7f798af6c6c0(15)) con->http.error=0 con->http.used=0, con->http.state=0 con->data_encoding=HTTP_ENCODE_LENGTH, con->data_remaining=0, con->file=-1
D [12/Oct/2012:15:32:30 +0000] cupsdReadClient: 15 POST /admin/ HTTP/1.1
D [12/Oct/2012:15:32:30 +0000] cupsdSetBusyState: newbusy="Active clients", busy="Active clients"
d [12/Oct/2012:15:32:30 +0000] cupsdFindBest: uri = "/admin/"...
d [12/Oct/2012:15:32:30 +0000] cupsdFindBest: Location /admin/conf Limit 7f
d [12/Oct/2012:15:32:30 +0000] cupsdFindBest: Location /admin Limit 7f
d [12/Oct/2012:15:32:30 +0000] cupsdFindBest: Location / Limit 7f
d [12/Oct/2012:15:32:30 +0000] cupsdFindBest: best = /admin
d [12/Oct/2012:15:32:30 +0000] cupsdAuthorize: con->uri="/admin/", con->best=0x7f798ae895d0(/admin)
d [12/Oct/2012:15:32:30 +0000] cupsdAuthorize: Authorization=""
D [12/Oct/2012:15:32:30 +0000] cupsdAuthorize: No authentication data provided.
d [12/Oct/2012:15:32:30 +0000] cupsdIsAuthorized: con->uri="/admin/", con->best=0x7f798ae895d0(/admin)
d [12/Oct/2012:15:32:30 +0000] cupsdIsAuthorized: level=CUPSD_AUTH_USER, type=None, satisfy=CUPSD_AUTH_SATISFY_ALL, num_names=4
d [12/Oct/2012:15:32:30 +0000] cupsdIsAuthorized: auth=CUPSD_AUTH_ALLOW...
D [12/Oct/2012:15:32:30 +0000] cupsdIsAuthorized: username=""
d [12/Oct/2012:15:32:30 +0000] cupsdSendError(con=0x7f798af6c6c0(15), code=401, auth_type=0
D [12/Oct/2012:15:32:30 +0000] cupsdSendHeader: 15 WWW-Authenticate: Basic realm="CUPS", trc="y"
D [12/Oct/2012:15:32:30 +0000] cupsdCloseClient: 15
D [12/Oct/2012:15:32:30 +0000] cupsdSetBusyState: newbusy="Active clients", busy="Active clients"
d [12/Oct/2012:15:32:30 +0000] cupsdRemoveSelect(fd=15)
D [12/Oct/2012:15:32:30 +0000] [CGI] cgiSetVariable: TITLE="Set Printer Options"

cupsd.conf:
================
ConfigFilePerm 0644
LogFilePerm 0644

MaxLogSize 1000000000
AccessLog syslog
PageLog syslog
LogLevel debug2

SystemGroup root cups-admins

Port 631
Listen /var/run/cups/cups.sock
SSLPort 443
ServerCertificate /etc/cups/ssl/server.crt
ServerKey /etc/cups/ssl/server.key

MaxClients 2000
MaxClientsPerHost 10
MaxJobs 750
MaxJobsPerPrinter 75

DefaultAuthType Basic

ErrorPolicy retry-job

<Location />
  Encryption Required
</Location>

<Location /admin>
  Encryption Required
  Require user @SYSTEM @printers-admins
</Location>

<Location /admin/conf>
  Encryption Required
  Require user @SYSTEM @printers-admins
</Location>

<Policy default>
  <Limit Send-Document Send-URI Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
  </Limit>

  <Limit Hold-Job Release-Job Restart-Job Purge-Jobs Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job>
    Require user @OWNER @SYSTEM @printers-admins
  </Limit>

  <Limit Activate-Printer CUPS-Accept-Jobs CUPS-Add-Class CUPS-Add-Modify-Printer CUPS-Delete-Class CUPS-Delete-Printer CUPS-Reject-Jobs CUPS-Set-Default Deactivate-Printer Disable-Printer Enable-Printer Hold-New-Jobs Pause-Printer Pause-Printer-After-Current-Job Promote-Job Release-Held-New-Jobs Restart-Printer Resume-Printer Schedule-Job-After Set-Printer-Attributes Shutdown-Printer Startup-Printer>
    Require user @SYSTEM @printers-admins
  </Limit>

  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM @printers-admins
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
================
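
Added example, not part of the original post and not CUPS code: a small
Python filter for a LogLevel debug2 error_log that reports requests answered
with 401 after cupsdAuthorize logged an empty Authorization header, the
sequence shown in the excerpt above. The sample log is constructed, the
function names are hypothetical, and it assumes cupsd logs a connection's
cupsdAuthorize lines directly after that connection's request line.

```python
import re

# Constructed sample: fd 15 is patterned on the excerpt in the post, with two
# entries split across lines as mail wrapping does; fd 16 is invented.
SAMPLE_LOG = """\
D [12/Oct/2012:15:32:30 +0000] cupsdReadClient: 15 POST /admin/ HTTP/1.1
d [12/Oct/2012:15:32:30 +0000] cupsdAuthorize: Authorization=""
D [12/Oct/2012:15:32:30 +0000] cupsdAuthorize: No authentication data
provided.
d [12/Oct/2012:15:32:30 +0000] cupsdSendError(con=0x7f798af6c6c0(15),
code=401, auth_type=0
D [12/Oct/2012:15:32:31 +0000] cupsdReadClient: 16 POST /admin/ HTTP/1.1
d [12/Oct/2012:15:32:31 +0000] cupsdAuthorize: Authorization="Basic REDACTED"
"""

ENTRY = re.compile(r"^[A-Za-z] \[([^\]]+)\] (.*)$")
REQUEST = re.compile(r"^cupsdReadClient: (\d+) ([A-Z]+) (\S+) HTTP/")
AUTH = re.compile(r'^cupsdAuthorize: Authorization="(.*)"$')
ERROR = re.compile(r"^cupsdSendError\(con=\S+\((\d+)\), code=(\d+)")

def join_wrapped(text):
    """Re-join log entries that were split across lines by mail wrapping."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif entries and line.strip():
            entries[-1][1] += " " + line.strip()
    return entries

def unauthenticated_401s(text):
    """Requests that carried an empty Authorization header and got a 401."""
    pending, findings, current = {}, [], None
    for ts, msg in join_wrapped(text):
        if m := REQUEST.match(msg):
            current = int(m.group(1))  # cupsdAuthorize lines carry no fd
            pending[current] = {"time": ts, "fd": current, "method": m.group(2),
                                "uri": m.group(3), "authorization": None}
        elif (m := AUTH.match(msg)) and current in pending:
            pending[current]["authorization"] = m.group(1)
        elif (m := ERROR.match(msg)) and m.group(2) == "401":
            req = pending.pop(int(m.group(1)), None)
            if req and req["authorization"] == "":
                findings.append(req)
    return findings

if __name__ == "__main__":
    print(unauthenticated_401s(SAMPLE_LOG))
```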