From owner-freebsd-desktop@FreeBSD.ORG Wed Sep 17 06:01:54 2014
Message-ID: <5419238E.8050708@FreeBSD.org>
Date: Wed, 17 Sep 2014 09:00:46 +0300
From: Andriy Gapon
To: freebsd-stable List, FreeBSD Current
Cc: freebsd-desktop@FreeBSD.org
Subject: Fwd: usb printer vs cups
In-Reply-To: <54133325.9070302@FreeBSD.org>

Soliciting help.

-------- Forwarded Message --------

From my experience I think that cupsd executes backend tools with all uids and
gids set to cups and no supplementary groups. In the case of USB printers the
backends need to access /dev/usbctl and /dev/usb/foobar that corresponds to a
printer.
That means that the access to those devices must be somehow granted to
cups:cups.
How do people solve this? What kind of permissions / configuration do you use?

P.S.
Maybe I over-generalized the issue to all USB printers. My personal experience
is with an HP printer handled by hplip / hplip-plugin.

--
Andriy Gapon

From owner-freebsd-desktop@FreeBSD.ORG Wed Sep 17 06:21:32 2014
Message-ID: <5419285D.8020909@selasky.org>
Date: Wed, 17 Sep 2014 08:21:17 +0200
From: Hans Petter Selasky
To: Andriy Gapon, freebsd-stable List, FreeBSD Current
Cc: freebsd-desktop@FreeBSD.org
Subject: Re: Fwd: usb printer vs cups
In-Reply-To: <5419238E.8050708@FreeBSD.org>

On 09/17/14 08:00, Andriy Gapon wrote:
>
> Soliciting help.
>
> -------- Forwarded Message --------
>
> From my experience I think that cupsd executes backend tools with all uids and
> gids set to cups and no supplementary groups. In the case of USB printers the
> backends need to access /dev/usbctl and /dev/usb/foobar that corresponds to a
> printer. That means that the access to those devices must be somehow granted to
> cups:cups.
> How do people solve this? What kind of permissions / configuration do you use?
>
> P.S.
> Maybe I over-generalized the issue to all USB printers. My personal experience
> is with an HP printer handled by hplip / hplip-plugin.
>

Hi,

The /usr/ports/print/cups-base should be updated.

The pkg-message should not say that:

# FreeBSD 8.x
add path 'usb*' mode 0770 group cups
add path 'ugen*' mode 0660 group cups

add path 'usb/0.2.*' mode 0660 group cups

Is needed. This is wrong.

Instead make cups-base install the attached devd configuration file in
/usr/local/etc/devd/ which does the needed chown for printers only.
--HPS

Content-Disposition: attachment; filename="cups.conf.in"

# Generic USB printer devices
notify 100 {
	match "system" "USB";
	match "subsystem" "INTERFACE";
	match "type" "ATTACH";
	match "intclass" "0x07";
	match "intsubclass" "0x01";
	match "intprotocol" "(0x01|0x02|0x03)";
	action "chown cups:cups /dev/$cdev";
};

From owner-freebsd-desktop@FreeBSD.ORG Wed Sep 17 06:57:21 2014
Date: Wed, 17 Sep 2014 07:57:10 +0100
From: David Chisnall
To: Andriy Gapon
Cc: freebsd-stable List, FreeBSD Current, freebsd-desktop@FreeBSD.org
Subject: Re: usb printer vs cups
In-Reply-To: <5419238E.8050708@FreeBSD.org>

There are a couple of similar issues currently. The other one that comes to
mind is that every X11 application that needs to use OpenGL (or similar) must
open /dev/dri/{something}, but the default permissions only permit root.

The correct solution is probably to ship a devfs.conf that puts these devices
in a sensible group. For USB printers, we should probably have a printers
group and make cupsd run with that group (or set the GUI of cups and printers
to the same number if that's too difficult).

David

On 17 Sep 2014, at 07:00, Andriy Gapon wrote:

>
> Soliciting help.
>
> -------- Forwarded Message --------
>
> From my experience I think that cupsd executes backend tools with all uids and
> gids set to cups and no supplementary groups. In the case of USB printers the
> backends need to access /dev/usbctl and /dev/usb/foobar that corresponds to a
> printer. That means that the access to those devices must be somehow granted to
> cups:cups.
> How do people solve this? What kind of permissions / configuration do you use?
>
> P.S.
> Maybe I over-generalized the issue to all USB printers. My personal experience
> is with an HP printer handled by hplip / hplip-plugin.
> --
> Andriy Gapon
>

From owner-freebsd-desktop@FreeBSD.ORG Wed Sep 17 07:05:24 2014
Message-ID: <54193273.6080709@FreeBSD.org>
Date: Wed, 17 Sep 2014 10:04:19 +0300
From: Andriy Gapon
To: Hans Petter Selasky, freebsd-stable List, FreeBSD Current
Cc: freebsd-desktop@FreeBSD.org
Subject: Re: Fwd: usb printer vs cups
In-Reply-To: <5419285D.8020909@selasky.org>

On 17/09/2014 09:21, Hans Petter Selasky wrote:
> On 09/17/14 08:00, Andriy Gapon wrote:
>>
>> Soliciting help.
>>
>> -------- Forwarded Message --------
>>
>> From my experience I think that cupsd executes backend tools with all uids and
>> gids set to cups and no supplementary groups. In the case of USB printers the
>> backends need to access /dev/usbctl and /dev/usb/foobar that corresponds to a
>> printer. That means that the access to those devices must be somehow granted to
>> cups:cups.
>> How do people solve this? What kind of permissions / configuration do you use?
>>
>> P.S.
>> Maybe I over-generalized the issue to all USB printers. My personal experience
>> is with an HP printer handled by hplip / hplip-plugin.
>>
>
> Hi,
>
> The /usr/ports/print/cups-base should be updated.
>
> The pkg-message should not say that:
>
>
> # FreeBSD 8.x
> add path 'usb*' mode 0770 group cups
> add path 'ugen*' mode 0660 group cups
>
> add path 'usb/0.2.*' mode 0660 group cups
>
> Is needed. This is wrong.
>
> Instead make cups-base install the attached devd configuration file in
> /usr/local/etc/devd/ which does the needed chown for printers only.

The problem is that my printer does not work if I also do not change permissions
on /dev/usbctl. But I do not really want /dev/usbctl to be owned by cups as
there can be other services / users that need access to usbctl.

Is there anything smarter than mucking with device ownership?

In other words, I have no problem granting cups user or group a full access to
all USB devices. I have a problem with changing owner or group of USB devices
to cups, because that interferes with other accesses to those devices.
--
Andriy Gapon

From owner-freebsd-desktop@FreeBSD.ORG Wed Sep 17 07:25:05 2014
Message-ID: <5419372A.2050509@FreeBSD.org>
Date: Wed, 17 Sep 2014 10:24:26 +0300
From: Andriy Gapon
To: Hans Petter Selasky, freebsd-stable List, FreeBSD Current
Cc: freebsd-desktop@FreeBSD.org
Subject: Re: Fwd: usb printer vs cups
In-Reply-To: <54193273.6080709@FreeBSD.org>

On 17/09/2014 10:04, Andriy Gapon wrote:
> On 17/09/2014 09:21, Hans Petter Selasky wrote:
>> Instead make cups-base install the attached devd configuration file in
>> /usr/local/etc/devd/ which does the needed chown for printers only.
>
> The problem is that my printer does not work if I also do not change permissions
> on /dev/usbctl. But I do not really want /dev/usbctl to be owned by cups as
> there can be other services / users that need access to usbctl.

Actually I take this back. My /dev/usbctl was not world readable as it should
be by default. Not sure why I changed its permissions from 0644 to 0660,
probably a little bit of paranoia.
Now that I changed the permissions to 0664 and installed your script printing
works without problems.
Thanks!

> Is there anything smarter than mucking with device ownership?
>
> In other words, I have no problem granting cups user or group a full access to
> all USB devices. I have a problem with changing owner or group of USB devices
> to cups, because that interferes with other accesses to those devices.
>

--
Andriy Gapon
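
Added example (not part of the thread, and not code from cups-base or FreeBSD): the last message turns on which permission triplet applies to a backend running as cups:cups with no supplementary groups. The script applies the classic owner/group/other rule to constructed device states; the root:operator ownership, the ugenX.Y node name and its 0660 mode are assumptions.

```shell
#!/bin/sh
# Classic UNIX permission check for a process with one uid, one gid and no
# supplementary groups (how the thread describes the CUPS backends). Exactly
# one triplet applies: owner if the uid matches, else group if the gid
# matches, else other. Root, ACLs and MAC policies are not modelled.

# perm_bits MODE OWNER GROUP USER USER_GROUP -> prints the applicable bits (0-7)
perm_bits() {
    mode=$(( 0$1 ))                 # leading 0 forces octal parsing
    if [ "$4" = "$2" ]; then shift_by=6
    elif [ "$5" = "$3" ]; then shift_by=3
    else shift_by=0
    fi
    echo $(( (mode >> shift_by) & 7 ))
}

# can_open MODE OWNER GROUP USER USER_GROUP WANT   (WANT is r, w or rw)
can_open() {
    case "$6" in
        r) need=4 ;; w) need=2 ;; rw) need=6 ;;
        *) return 2 ;;
    esac
    bits=$(perm_bits "$1" "$2" "$3" "$4" "$5")
    [ $(( bits & need )) -eq "$need" ]
}

# audit_for USER GROUP WANT: reads "label mode owner group" lines on stdin and
# prints the labels that USER:GROUP could NOT open with WANT access.
audit_for() {
    while read -r label mode owner group; do
        can_open "$mode" "$owner" "$group" "$1" "$2" "$3" || echo "$label"
    done
}

# Constructed sample states (labels, not captured from a real system).
# root:operator ownership, the ugenX.Y name and its mode are assumptions.
SAMPLE='/dev/usbctl-as-0660 0660 root operator
/dev/usbctl-as-0644 0644 root operator
/dev/usbctl-as-0664 0664 root operator
/dev/ugenX.Y-before-devd 0660 root operator
/dev/ugenX.Y-after-devd 0660 cups cups'

blocked_for_cups() { printf '%s\n' "$SAMPLE" | audit_for cups cups r; }

blocked_for_cups
```

The two labels it prints are the 0660 usbctl state and the printer node before the devd chown: in both, cups matches neither owner nor group and falls through to the "other" triplet, which grants nothing.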