cups crashes when using web-gui and refuses to print

Bug #217787 reported by Thomas Novin
28
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Fix Released
High
Jamie Strandboge
Hardy
Fix Released
High
Jamie Strandboge
Intrepid
Fix Released
High
Jamie Strandboge
samba (Ubuntu)
Triaged
Undecided
Unassigned
Hardy
Won't Fix
Undecided
Unassigned
Intrepid
Won't Fix
Undecided
Unassigned

Bug Description

Binary package hint: cupsys

I tried to print today but the printing job was just put in the queue and nothing was printed. I did not get the printer icon in the notification area.

I noticed how I got errors in auth.log from cups:

Apr 15 15:42:56 thnov-desktop cupsd: PAM unable to dlopen(/lib/security/pam_smbpass.so)
Apr 15 15:42:56 thnov-desktop cupsd: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]

I found that in bug #216990 this was solved by installing libpam-smbpass. Why was i missing this package?

Anyway, after I installed it, still I cannot print. I restarted cups via '/etc/init.d/cupsys restart' and I can see that user lp has a couple of processes which seems to be handling by printing jobs.

When I go to localhost:631 in a browser cups immediately crashes. This crash is not picked up by apport nor is anything written in /var/crash.

I started the process manually so I could see the crash:

$ sudo /usr/sbin/cupsd -f
sh: /usr/share/samba/panic-action: Permission denied
Aborted (core dumped)

So, every time I restart cups now my jobs are being processed but nothing is being printed. I see no activity at my printer. As soon as I try to use the web gui it crashes.

$ lsb_release -rd
Description: Ubuntu hardy (development branch)
Release: 8.04
$ dpkg -l | grep cups
ii bluez-cups 3.26-0ubuntu5 Bluetooth printer driver for CUPS
ii cups-pdf 2.4.6-4ubuntu2 PDF printer for CUPS
ii cupsddk 1.2.0-0ubuntu1 CUPS Driver Development Kit
ii cupsddk-drivers 1.2.0-0ubuntu1 CUPS Driver Development Kit - Driver files
ii cupsys 1.3.7-1ubuntu2 Common UNIX Printing System(tm) - server
ii cupsys-bsd 1.3.7-1ubuntu2 Common UNIX Printing System(tm) - BSD comman
ii cupsys-client 1.3.7-1ubuntu2 Common UNIX Printing System(tm) - client pro
ii cupsys-common 1.3.7-1ubuntu2 Common UNIX Printing System(tm) - common fil
ii cupsys-driver-gutenprint 5.0.2-2ubuntu1 printer drivers for CUPS
ii hal-cups-utils 0.6.13+svn86-0ubuntu4 CUPS integration with HAL
ii libcupsimage2 1.3.7-1ubuntu2 Common UNIX Printing System(tm) - image libs
ii libcupsys2 1.3.7-1ubuntu2 Common UNIX Printing System(tm) - libs
ii libgnomecups1.0-1 0.2.3-1ubuntu1 GNOME library for CUPS interaction
ii python-cups 1.9.34-0ubuntu1 Python bindings for CUPS

TEST CASE:
- install libpam-smbpass and cupsys
- adjust all the 'Require user' directives to point to a non-existant user
- go to http://localhost:631/ and try to change/save the configuration file.

Revision history for this message
Thomas Novin (thomasn80) wrote :

After booting the computer this morning I could immediately see that the printer icon appeared after logging in. I could see one job there struggling to get printed. After I while I got a popup that my printer might not be connected.

I cancelled the job and then tried the web-gui. It worked without any problem, no segmentation faults.

Printing new documents still fails though. My last completed printout was printed Mon 14 Apr 2008 08:29:32 PM CEST ("Show Completed Jobs").

Revision history for this message
Thomas Novin (thomasn80) wrote :
Revision history for this message
Thomas Novin (thomasn80) wrote :

Without removing libpam-smbpass myself, this package is now uninstalled from my system.

When I try to print now I get the messages about the missing file and the jobs will enter a "Held" state.

Revision history for this message
Mackenzie Morgan (maco.m) wrote :

Check your user's permissions in System -> Administration -> Users & Groups

Revision history for this message
Thomas Novin (thomasn80) wrote :

Full access except send/receive faxes, use scanners, use tape drives.

Revision history for this message
Milosz Derezynski (internalerror) wrote :

I can confirm this problem. Running 8.04, printer is a HP Laserjet 2100. Morphology of the problem is identical to how Thomas described it.

Revision history for this message
Thomas Novin (thomasn80) wrote :

As suggested in ubuntu-devel-discuss (https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2008-April/003992.html) I tried printing on a 8.04 Live CD. That worked without a hitch. I observed that I didn't have the package libpam-smbpass when using the Live CD.

I'd hate to be forced to reinstall the entire system just to get the printing to work.

I removed my printer before I rebooted to the Live CD and when I got back into my desktop I could see that the printer had been automatically installed. It's an EPSON EPL-5900.

When I tried to print a test page to the printer I got a popup a few moments later telling me that EPL-5900 might not be connected.

The web-gui works fine now (maybe after installing the libpam-package or maybe after just rebooting).

Revision history for this message
Thomas Novin (thomasn80) wrote :

I have now tried to remove all packages that are named *cups* (did it in a console session without X running because I was forced to remove a lot of packages that depended on cupsys) and also ran dpkg --purge <packagename>. Removed /etc/cups completely then reinstalled all packages again. Rebooted the computer and noticed that my printer had been autodetected. Still same result though!

Any suggestions on where to look for errors? I changed loglevel from warning to debug and I'm attaching a logfile from a job that I tried to print. Cannot see anything strange there though.

Revision history for this message
Thomas Novin (thomasn80) wrote :

Have now also tried moving the printer to another computer, also upgraded from Gutsy to Hardy.

Revision history for this message
Thomas Novin (thomasn80) wrote :

I did this to remedy this problem:

1) Stopped cupsys
2) Removed /var/cache/cups and re-created it
3) Started cupsys
4) Removed the printer that existed
5) Reinstalled it
6) Printed a test-page, it worked!

I can still reproduce one problem though, always when I via the web-gui stop a printer, cups crashes. I will try to obtain a backtrace.

Revision history for this message
Thomas Novin (thomasn80) wrote :
Revision history for this message
Till Kamppeter (till-kamppeter) wrote :

The crash happens inside the PAM module for SMB authentication /lib/security/pam_smbpass.so, provided by the libpam-smbpass package. Moving the bug to that package...

Revision history for this message
Thomas Novin (thomasn80) wrote :

When I deleted the package libpam-smbpass there were no more crashes in cups web-gui. I'm changing the bug to Invalid but at least now other people with the same problem can find an explanation

Changed in samba:
status: New → Invalid
Revision history for this message
Till Kamppeter (till-kamppeter) wrote :

Then it is definitely a bug of our Samba package, reopening.

This is most probably not an upstream bug of Samba, though, as Milosz Derezynski tells on the ubuntu-devel-discuss mailing list that if he installs Samba compiled from source (version 3.0.28a) CUPS does not crash.

Changed in samba:
status: Invalid → New
Revision history for this message
Steve Langasek (vorlon) wrote :

Hi Thomas,

What version of libpam-smbpass do you have installed? This looks like a repeat of Debian bugs #346547 and #450738, but that only makes sense if you have a pre-hardy version of libpam-smbpass installed.

Hmm - this may be a cups apparmor issue...

Revision history for this message
Thomas Novin (thomasn80) wrote :

2008-04-30 15:36:42 remove libpam-smbpass 3.0.28a-1ubuntu4 3.0.28a-1ubuntu4

That was the version I had when I had the problem..

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thomas,

Can you please post your /var/log/kern.log when the printing fails or cups crashes? This will let us know if apparmor is causing the problem.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I can reproduce this by performing an action that cups needs a username and password for. An easy way to produce the is to adjust all the 'Require user' directives to point to a non-existant user, then go to http://localhost:631/ and try to change/save the configuration file. This results in:

May 2 16:46:50 hardy-i386-sec kernel: [ 519.383268] audit(1209746810.654:5): type=1503 operation="inode_permission" requested_mask="rw::" denied_mask="rw::" name="/var/lib/samba/secrets.tdb" pid=5209 profile="/usr/sbin/cupsd" namespace="default"
May 2 16:46:50 hardy-i386-sec kernel: [ 519.389411] audit(1209746810.662:6): type=1503 operation="inode_permission" requested_mask="rw::" denied_mask="rw::" name="/var/lib/samba/passdb.tdb" pid=5209 profile="/usr/sbin/cupsd" namespace="default"
May 2 16:46:50 hardy-i386-sec kernel: [ 519.396736] audit(1209746810.670:7): type=1503 operation="inode_permission" requested_mask="rw::" denied_mask="rw::" name="/var/lib/samba/passdb.tdb" pid=5209 profile="/usr/sbin/cupsd" namespace="default"
May 2 16:46:50 hardy-i386-sec kernel: [ 519.401804] audit(1209746810.673:8): type=1503 operation="inode_permission" requested_mask="rw::" denied_mask="rw::" name="/var/lib/samba/secrets.tdb" pid=5209 profile="/usr/sbin/cupsd" namespace="default"
May 2 16:46:50 hardy-i386-sec kernel: [ 519.409235] audit(1209746810.681:9): type=1503 operation="inode_permission" requested_mask="rw::" denied_mask="rw::" name="/var/lib/samba/secrets.tdb" pid=5209 profile="/usr/sbin/cupsd" namespace="default"
May 2 16:46:50 hardy-i386-sec kernel: [ 519.439720] audit(1209746810.712:10): type=1503 operation="inode_permission" requested_mask="Ux::" denied_mask="Ux::" name="/usr/share/samba/panic-action" pid=5226 profile="/usr/sbin/cupsd" namespace="default"

Changed in samba:
assignee: nobody → jdstrand
status: New → Triaged
Revision history for this message
Steve Langasek (vorlon) wrote :

adding an apparmor task and milestoning. It is a bug in libpam-smbpass that it aborts the application when /var/lib/samba/secrets.tdb is inaccessible, but /var/lib/samba/secrets.tdb and /var/lib/samba/passdb.tdb need to be handled in the apparmor authentication abstraction anyway.

Changed in apparmor:
importance: Undecided → High
milestone: none → ubuntu-8.04.1
status: New → Triaged
Changed in apparmor:
assignee: nobody → jdstrand
Changed in samba:
assignee: jdstrand → nobody
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

*** SRU Request ***

1. Uploaded apparmor to hardy-proposed to fix this bug. apparmor 2.1+1075-0ubuntu9 did not allow access to /var/lib/samba/*.tdb, which can break any application that is protected by apparmor, accesses pam, and has libpam-smbpass installed.

2. apparmor 2.1+1075-0ubuntu9.1 fixes this by providing /etc/apparmor.d/abstractions/smbpass and updates /etc/abstractions/authentication to include it

3. debdiff is attached for review

4. See https://bugs.launchpad.net/ubuntu/+source/samba/+bug/217787/comments/18 for how to reproduce the bug.

5. Regression potential is considered negligible, as the change only allows for more access to the filesystem.

Steve Langasek (vorlon)
Changed in samba:
status: New → Won't Fix
Changed in apparmor:
assignee: nobody → jdstrand
importance: Undecided → High
milestone: none → ubuntu-8.04.1
status: New → Triaged
milestone: ubuntu-8.04.1 → none
milestone: ubuntu-8.04.1 → none
status: Triaged → Fix Committed
Changed in samba:
status: Won't Fix → Fix Committed
Steve Langasek (vorlon)
Changed in samba:
status: Fix Committed → Won't Fix
Steve Langasek (vorlon)
description: updated
Steve Langasek (vorlon)
description: updated
Revision history for this message
Steve Langasek (vorlon) wrote :

Updated apparmor package accepted into hardy-proposed. Thomas, can you please confirm that this fixes your issue with libpam-smbpass installed?

Steve Langasek (vorlon)
Changed in apparmor:
milestone: none → ubuntu-8.04.1
Revision history for this message
Chris Vigelius (chris-vigelius) wrote :

I can confirm that 2.1+1075-0ubuntu9.1 fixes this bug, and #221087 too (on Hardy final/I386)

Revision history for this message
Martin Pitt (pitti) wrote :

Copied to hardy-updates.

Changed in apparmor:
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.1+1075-0ubuntu10

---------------
apparmor (2.1+1075-0ubuntu10) intrepid; urgency=low

  [ Jamie Strandboge ]
   * added abstractions/smbpass and #include it in abstractions/authentication
     to allow access to /var/lib/samba/*.tdb. LP: #217787

  [ Mathias Gug ]
   * update likewise-open authentication abstraction: allow access to
     privileged pipe (LP: #235646).
   * Update smbd profile to include access to /var/spool/samba/ (printer
     sharing) and utmp update (LP: #237066).
   * Update esound location in audio profile (LP: #229127).
     Thanks to Adam Mondl.
   * Add dnsmasq profile (LP: #148590). Thanks to John Dong.

 -- Mathias Gug <email address hidden> Mon, 09 Jun 2008 18:24:09 -0400

Changed in apparmor:
status: Triaged → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote :

not committing to this for intrepid.

Changed in samba:
status: Triaged → Won't Fix
Revision history for this message
Chuck Short (zulcss) wrote :

Updating status.

Changed in samba (Ubuntu):
status: Triaged → Won't Fix
Revision history for this message
Steve Langasek (vorlon) wrote :

This is a real bug in samba, as noted in comment #19; it shouldn't be wontfix'ed.

Changed in samba (Ubuntu):
status: Won't Fix → Triaged
affects: samba (Ubuntu Hardy) → kdesudo (Ubuntu Hardy)
Changed in kdesudo (Ubuntu Hardy):
assignee: nobody → neil.james130@ntlworld.com (neil-james130)
Changed in kdesudo (Ubuntu):
assignee: nobody → neil.james130@ntlworld.com (neil-james130)
Steve Langasek (vorlon)
affects: kdesudo (Ubuntu) → samba (Ubuntu)
Changed in samba (Ubuntu):
assignee: neil.james130@ntlworld.com (neil-james130) → nobody
Changed in samba (Ubuntu Hardy):
assignee: neil.james130@ntlworld.com (neil-james130) → nobody
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.