users-admin doesn't add admin users to lpadmin

Bug #152107 reported by James Bardin on 2007-10-12
56
Affects Status Importance Assigned to Milestone
gnome-system-tools (Ubuntu)
High
Sebastien Bacher
Hardy
High
Sebastien Bacher

Bug Description

When adding a new "Administrator" user, the user isn't added to the lpadmin group. That user cannot modify cups in any way other than running 'sudo sytem-config-printer'
There is no "administer printers" option under "User Privileges".

A new administrator user also isn't added to the groups video and netdev, which are set for the user that installed the system.

Ante Karamatić (ivoks) wrote :

I can confirm this one.

Changed in gnome-system-tools:
importance: Undecided → High
milestone: none → ubuntu-7.10
status: New → Confirmed
Till Kamppeter (till-kamppeter) wrote :

Can you post your file

/etc/gnome-system-tools/users/profiles

It tells which settings for new desktop users, administrators, or unprivileged user should be used.

Other problem (which need to be patched in users-admin itself) is that when a user is once created one cannot assign a profile to him any more and under the groups on the "User Privileges" tab there is NO "Printer Administration" (for group "lpadmin") nor "System Administration" adds users to "lpadmin".

lpadmin is in the profile here - I also reconfirmed that new users are not added to the lpadmin group after seeing this.
The same thing seems to happen for the video group; it's listed, but not added/

/etc/gnome-system-tools/users/profiles:
[Unprivileged]
name=Unprivileged
name[es]=Usuario sin privilegios
shell=/bin/bash
home-prefix=/home
uid-min=1000
uid-max=6000

[Desktop]
name=Desktop user
name[es]=Usuario del escritorio
default=1
shell=/bin/bash
home-prefix=/home
uid-min=1000
uid-max=6000
groups=cdrom,floppy,dialout,tape,dip,adm,plugdev,fax,audio,scanner,fuse,lpadmin,video

[Administrator]
name=Administrator
name[es]=Administrador
shell=/bin/bash
home-prefix=/home
uid-min=1000
uid-max=6000
groups=cdrom,floppy,dialout,tape,dip,adm,plugdev,fax,audio,scanner,fuse,admin,lpadmin,video

Changed in gnome-system-tools:
milestone: ubuntu-7.10 → gutsy-updates
assignee: nobody → seb128
Till Kamppeter (till-kamppeter) wrote :

Problem seems to be here that users-admin only adds users to groups which it has in some "secret list", even if the group is requested by a profile in /etc/gnome-system-tools/users/profiles or by a selection on the "Privileges" tab in the user properties dialog. Perhaps users-admin does not add the users to /etc/group by itself but calls a function of an external library (GTK, GNOME, or whatever library) and this library function has its secret list of "approved" groups. This is a restriction which breaks usability of user-admin and makes it also unsuitable for the special needs of Ubuntu.

Groups discovered up to now which users-admin refuses to handle silently are: lpadmin, video, netdev.

Ubuntu requires addition of admin and desktop users to these groups. See also /etc/gnome-system-tools/users/profiles.

In addition, the "Privileges" tab in the user properties dialog is missing entries to add/remove users to/from these groups manually. As fixing this would break string freeze in Gutsy, I suggest that when checking "Administer the system" the user should be also added to "lpadmin" and "netdev".

I do not know for what the "video" group is good for, but one can couple this probably also to one of the existing entries in "Privileges".

Getting this fixed is very important for Gutsy, so that Gutsy's features "just work". In addtion this is a regression from Feisty. Therefore I suggest to get it fixed ASAP and provided as SRU. Milestoned as "gutsy-updates".

Henrik Nilsen Omma (henrik) wrote :

Tried confirming on Hardy, but user-admin crashed with bug 175430

Harvey Muller (hlmuller) wrote :

Hardy Alpha 2 Desktop amd64

I've observed similar issues with services-admin and time-admin. Any modifications to the system made in either application does not result in a change. This behavior is observed in both the LiveCD, and the resulting installed system. So the problem appears to be common to all of the gnome-system-tools.

services-admin: Checked service (NTP) clicked close. There is no indication the change was not made unless services-admin reopened and the situation is observed.

time-admin: Changed timezone, clicked close. Get warning that user not authorized to make change. This occurs whether run with sudo or without.

It seems the "Unlock" button does not result in proper permissions, and a popup requesting password is conspicuously absent.

If there are any further questions, or requests for information, they will be answered promptly.

Happy Holidays,

Harvey

SoloTurn (soloturn) wrote :

tried to check this, but users-admin is run as normal users and no users can be added:

$ sudo users-admin

** (users-admin:14049): CRITICAL **: Unable to lookup session information for process '14049'

Maybe the thing to do is force an add to the printer group.

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of
SoloTurn
Sent: Thursday, March 13, 2008 4:29 PM
To: <email address hidden>
Subject: [Bug 152107] Re: users-admin doesn't add admin users to lpadmin

tried to check this, but users-admin is run as normal users and no users
can be added:

$ sudo users-admin

** (users-admin:14049): CRITICAL **: Unable to lookup session
information for process '14049'

--
users-admin doesn't add admin users to lpadmin
https://bugs.launchpad.net/bugs/152107
You received this bug notification because you are a direct subscriber
of a duplicate bug.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-system-tools - 2.22.0-0ubuntu3

---------------
gnome-system-tools (2.22.0-0ubuntu3) hardy; urgency=low

  * debian/control.in:
    - updated the description
  * debian/patches/22_root_only.dpatch:
    - really remove this change which is not used nor required
  * debian/patches/24_lpadmin_group_definition.dpatch:
    - lists the lpadmin group as known so it can be used when adding users
      (lp: #152107)

 -- Sebastien Bacher <email address hidden> Fri, 14 Mar 2008 00:17:25 +0100

Changed in gnome-system-tools:
status: Confirmed → Fix Released

I am reopening this bug as users-admin currently lets every new desktop user get added to the lpadmin group, so every "real" (human) user on a typical machine will be able to create and remove print queues or to kill anyone's print jobs. By default only users of the category "Administrator" should be added to the lpadmin group (have "Manage printers" active. For users of the "Desktop" category all privileges except "System administration" and "Manage printers" should be selected by default.

The patch to add lpadmin to the supported and listed groups/privileges seems to be OK.

Changed in gnome-system-tools:
milestone: gutsy-updates → ubuntu-8.04
status: Fix Released → Confirmed
Sebastien Bacher (seb128) wrote :

only the desktop and admin users have those rights, do you expect a standard desktop user to not be able to add a printer?

Changed in gnome-system-tools:
status: Confirmed → Incomplete
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-system-tools - 2.22.0-0ubuntu4

---------------
gnome-system-tools (2.22.0-0ubuntu4) hardy; urgency=low

  * debian/gnome-system-tools.manpages, debian/menu, debian/rules:
    - don't install shares-admin since nautilus-share is used in hardy
  * debian/patches/25_sambashare_group_definition.dpatch:
    - lists the sambashare group as known so it can be used when adding users
  * debian/profiles:
    - add sambashare to the admin groups
    - don't list the lpadmin group in the desktop profile (lp: #152107)

 -- Sebastien Bacher <email address hidden> Thu, 27 Mar 2008 23:54:25 +0100

Changed in gnome-system-tools:
status: Incomplete → Fix Released
Feistybird (bryanjen-tw) wrote :

gnome-system-tools (2.22.0-0ubuntu9) hardy
policykit 0.7-2ubuntu7 hardy

Still having the same problem on my clean installed Hardy:

'Unlock' button grayed out in users-admin & time-admin

Hey you guys are lucky. I cannot even add a user at all.

neither with gksu, nor with su

# users-admin
** (users-admin:10982): CRITICAL **: Unable to lookup session information for process '10982'

:(

It's a fresh Hardy install.

... ooops. I did not notice what the "unloc" button is good for.
"Unlock" or "Entsperren" is not self explaining at all. It should be changed to e.g. "Unlock screen".

Feistybird (bryanjen-tw) wrote :

I think I've my problem solved.

The 'Unlock' button worked if I just type 'users-admin' in the terminal, (without sudo or gksu in front of the command)

Then I checked my 'users-admin' launcher setting in the alacarte menu editor, the command was 'gksu users-admin', so I simply delete the 'gksu', and it worked properly without 'gksu'

I guess it could be caused by my previous installation of 8.04 Release Candidate version, it left the old launcher setting in my home directory, so even I made a clean install of the formal 8.04 release later, the menu still uses the old setting (gksu users-admin) of my home directory.

Brunellus (luigi12081) wrote :

This is still a problem in gnome-system-tools_2.20 in Gutsy. Will there not be a fix released for Gutsy, or must we upgrade to Hardy to fix?

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers