apparmor rules break filters in /usr/local

Bug #160092 reported by John McPherson
This bug affects 3 people
Affects: cups (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Martin Pitt
Milestone: (none listed)

Bug Description

Binary package hint: cupsys

Ubuntu 7.10

local printer attached via USB.

On upgrading to gutsy and rebooting, printing no longer worked. My printer is set up with a 3rd party driver (ptouch), and the ppd file sets up a "foomatic-rip" line with gs output piped to "rastertoptch". This driver gets installed into /usr/local/lib/cups/filter/rastertoptch and has a symlink to it from /usr/local/bin.

After bumping up cupsd's logging, I see messages like "/bin/bash: /usr/local/bin/rastertoptch: Permission Denied" in cups's error_log. I could not for the life of me figure out why it was denied, but I eventually got it working by copying this binary to /usr/bin.

After wasting those hours, I have just discovered bug #131470 and now know that this problem is due to cupsd's "app armor" settings.
In particular, /etc/apparmor.d/usr.sbin.cupsd does not allow any read access to /usr/local/lib or /usr/local/bin.

So, this bug could be fixed by:
1) adding read-only access to a bit more of /usr/local in cupsd's apparmor settings, and
2) mentioning app-armor somewhere in /usr/share/doc/cupsys so poor sysadmins at least have a tiny hint as to what is happening.

Revision history for this message
John McPherson (jrm+launchpadbugs) wrote :

This is related to bug #131470 but I don't think it's a duplicate. This is for a filter other than hplip.

Revision history for this message
Daniel T Chen (crimsun) wrote :

Is this symptom still reproducible in 8.10?

Changed in cupsys:
status: New → Incomplete
Revision history for this message
John McPherson (jrm+launchpadbugs) wrote : Re: [Bug 160092] Re: gutsy cupsys apparmor breaks filters in /usr/local

On Wed, Nov 12, 2008 at 04:35:43AM -0000, Daniel T Chen wrote:
> Is this symptom still reproducible in 8.10?

Hi,
I will update our systems in the next week or two and test it then.

John

Revision history for this message
Pascal De Vuyst (pascal-devuyst) wrote : Re: gutsy cupsys apparmor breaks filters in /usr/local

Gutsy is no longer supported, therefore closing this bug report.
Please upgrade to Hardy or newer and reopen this bug if this still is a problem.

Changed in cupsys (Ubuntu):
status: Incomplete → Invalid
Revision history for this message
Gábor Péntek (pentike) wrote :

Hi,

the problem still exists in 9.10. Bug reopened.

Changed in cupsys (Ubuntu):
status: Invalid → New
Revision history for this message
Till Kamppeter (till-kamppeter) wrote :

pitti, seems that our AppArmor rules do not cover everything regarding driver/filter parts being in /usr/local.

affects: cupsys (Ubuntu) → cups (Ubuntu)
Changed in cups (Ubuntu):
assignee: nobody → Martin Pitt (pitti)
Revision history for this message
Martin Pitt (pitti) wrote :

Can you please do

  sudo aa-complain cups

and then do a test print, and then attach /var/log/kern.log here? Thanks!

summary: - gutsy cupsys apparmor breaks filters in /usr/local
+ apparmor rules break filters in /usr/local
Changed in cups (Ubuntu):
status: New → Incomplete
Revision history for this message
Martin Pitt (pitti) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to "New". Thanks again!

Changed in cups (Ubuntu):
status: Incomplete → Invalid
Revision history for this message
Jonathan Ernst (jonathan.ernst) wrote :

Printing is not working:

[ 1083.698228] type=1400 audit(1286355433.787:20): apparmor="DENIED" operation="open" parent=27112 profile="/usr/sbin/cupsd" name="/usr/local/lib/cups/filter/rastertoptch" pid=27114 comm="bash" requested_mask="r" denied_mask="r" fsuid=7 ouid=0

Then I do
sudo aa-complain cupsd:

[ 1866.536089] type=1400 audit(1286356216.627:21): apparmor="STATUS" operation="profile_replace" name="/usr/lib/cups/backend/cups-pdf" pid=11166 comm="apparmor_parser"
[ 1866.536186] type=1400 audit(1286356216.627:22): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/cupsd" pid=11166 comm="apparmor_parser"

And printing is working.

[ 2113.893284] type=1400 audit(1286356463.987:23): apparmor="ALLOWED" operation="exec" parent=16418 profile="/usr/sbin/cupsd" name="/usr/local/lib/cups/filter/rastertoptch" pid=16420 comm="bash" requested_mask="x" denied_mask="x" fsuid=7 ouid=0 target="/usr/sbin/cupsd//null-c"

ls -al /usr/bin/rastertoptch
lrwxrwxrwx 1 root root 39 2010-03-04 10:47 /usr/bin/rastertoptch -> /usr/local/lib/cups/filter/rastertoptch

kern.log is attached

(tested on Maverick)

Changed in cups (Ubuntu):
status: Invalid → New
Revision history for this message
Martin Pitt (pitti) wrote :

Committed to packaging trunk.

Changed in cups (Ubuntu):
importance: Undecided → Medium
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups - 1.4.4-7

---------------
cups (1.4.4-7) unstable; urgency=low

  [ Till Kamppeter ]
  * debian/local/filters/pdf-filters/pdftopdf/parseargs.c,
    debian/local/filters/pdf-filters/pdftopdf/parseargs.cxx,
    debian/local/filters/pdf-filters/pdftopdf/parseargs.h,
    debian/local/filters/pdf-filters/pdftopdf/Makefile: Made pdftopdf
    building with Poppler 0.15.x. Thanks to Koji Otani for this patch.
  * debian/control: Added dependency on "cups-ppdc" package to the "cups"
    package, so that the PPDs of the drivers which come with CUPS get built
    (LP: #485383).

  [ Martin Pitt ]
  * ubuntu-upstart.dpatch: Wait until daemon is ready, to avoid race
    conditions with init scripts which expect cups tools to work right after
    restarting it. (LP: #647369)
  * ubuntu-upstart.dpatch: If D-BUS is not available, start on runlevels 2 to
    5, so that this also works in server environments. (LP: #650893)
  * debian/local/apparmor-profile: Allow access to /usr/local/lib/cups/**.
    (LP: #160092)
  * debian/local/apparmor-profile: Allow reading /usr/local/**, in case
    third-party printer drivers need auxiliary files.
  * debian/local/apparmor-profile: Allow reading /var/run/**. (LP: #659961)
  * ubuntu-upstart.dpatch: Time out after 5 seconds when the local socket
    doesn't get created. Apparently a lot of users disable it in cupsd.conf.
    (LP: #672438)
  * debian/local/filters/pdf-filters/addtocups: Link pdftoijs with $(CXX),
    since it's a C++ program. Fixes FTBFS with gcc 4.5.
  * debian/local/filters/pdf-filters/pdftopdf/Makefile: Explicitly pdftopdf
    with -lz. gcc 4.5 does not automatically link to transitive library
    dependencies any more.
  * drop_unnecessary_dependencies.dpatch: Drop hunk for reduced krb5/gssapi
    linkage. With gcc 4.5, we now need -lkrb5.

  [ Marc Deslauriers ]
  * Add CVE-2010-2941.dpatch: Fix denial of service and possible code execution
    via invalid free. Skip over and reserve unused tags in cups/ipp.{c,h}.
    [CVE-2010-2941]
 -- Martin Pitt <email address hidden> Fri, 12 Nov 2010 11:07:33 +0100

Changed in cups (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
DiegoV (diegofcviegas) wrote :

Hi,

I had this problem with the current Ubuntu version (10.10). After some update, the printer, which is a Lexmark with the driver provided by the manufacturer, stopped working. I found this bug and after using the suggested command

  sudo aa-complain cupsd
                                      ^^^

The printer started working again.

So I think there is still a bug, or a new one, since I should not be obliged to run such a command (luckily I found it).

Below is the dmesg output, with the first lines showing the situation before the aa-complain and the last ones showing successful printing after the command.

I can provide additional information if it's necessary.

Thanks,
DiegoV

[ 9153.073027] type=1400 audit(1292948087.453:16): apparmor="DENIED" operation="exec" parent=3189 profile="/usr/sbin/cupsd" name="/usr/local/lexmark/lxk08/bin/lxkusb" pid=3190 comm="cups-deviced" requested_mask="x" denied_mask="x" fsuid=7 ouid=0
[ 9153.158526] usb 3-1: usbfs: interface 1 claimed by usblp while 'usb' sets config #1
[ 9163.210030] type=1400 audit(1292948097.593:17): apparmor="DENIED" operation="exec" parent=1014 profile="/usr/sbin/cupsd" name="/usr/local/lexmark/lxk08/bin/printdriver" pid=3197 comm="cupsd" requested_mask="x" denied_mask="x" fsuid=7 ouid=0
[ 9200.472067] CE: hpet increased min_delta_ns to 7500 nsec
[ 9391.968515] type=1400 audit(1292948326.349:18): apparmor="DENIED" operation="exec" parent=3237 profile="/usr/sbin/cupsd" name="/usr/local/lexmark/lxk08/bin/lxkusb" pid=3238 comm="cups-deviced" requested_mask="x" denied_mask="x" fsuid=7 ouid=0
[ 9392.075956] usb 3-1: usbfs: interface 1 claimed by usblp while 'usb' sets config #1
[ 9412.345226] type=1400 audit(1292948346.729:19): apparmor="DENIED" operation="exec" parent=3257 profile="/usr/sbin/cupsd" name="/usr/local/lexmark/lxk08/bin/lxkusb" pid=3258 comm="cups-deviced" requested_mask="x" denied_mask="x" fsuid=7 ouid=0
[ 9412.460648] usb 3-1: usbfs: interface 1 claimed by usblp while 'usb' sets config #1
[ 9796.461360] type=1400 audit(1292948730.845:20): apparmor="STATUS" operation="profile_replace" name="/usr/lib/cups/backend/cups-pdf" pid=3459 comm="apparmor_parser"
[ 9796.461620] type=1400 audit(1292948730.845:21): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/cupsd" pid=3459 comm="apparmor_parser"
[ 9813.381693] type=1400 audit(1292948747.765:22): apparmor="ALLOWED" operation="exec" parent=1014 profile="/usr/sbin/cupsd" name="/usr/local/lexmark/lxk08/bin/printdriver" pid=3462 comm="cupsd" requested_mask="x" denied_mask="x" fsuid=7 ouid=0 target="/usr/sbin/cupsd//null-d"
[ 9813.400482] type=1400 audit(1292948747.781:23): apparmor="ALLOWED" operation="open" parent=1014 profile="/usr/sbin/cupsd//null-d" name="/etc/ld.so.cache" pid=3462 comm="printdriver" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
[ 9813.400500] type=1400 audit(1292948747.781:24): apparmor="ALLOWED" operation="getattr" parent=1014 profile="/usr/sbin/cupsd//null-d" name="/etc/ld.so.cache" pid=3462 comm="printdriver" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
[ 9813.400546] type=1400 audit(1292948747.781:25): apparmor="ALLOWED" operation="open" parent=1014 profile="/usr/sbin/cupsd//null-d" na...
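The kern.log excerpts in this comment and in Jonathan's earlier one are exactly what aa-logprof reads when it proposes profile changes. As an added example (not code from the bug report or from the cups package), here is a small Python triage script that parses those type=1400 audit lines, groups the denied access masks per profile and path, and drafts the file rule that would cover them. The sample log is constructed from the excerpts above, and the mask-to-rule mapping is a deliberate simplification of what aa-logprof does.

```python
import re
from collections import defaultdict

# Constructed sample: kern.log lines modelled on the excerpts quoted in this thread.
SAMPLE_KERN_LOG = """\
[ 1083.698228] type=1400 audit(1286355433.787:20): apparmor="DENIED" operation="open" parent=27112 profile="/usr/sbin/cupsd" name="/usr/local/lib/cups/filter/rastertoptch" pid=27114 comm="bash" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
[ 1866.536186] type=1400 audit(1286356216.627:22): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/cupsd" pid=11166 comm="apparmor_parser"
[ 2113.893284] type=1400 audit(1286356463.987:23): apparmor="ALLOWED" operation="exec" parent=16418 profile="/usr/sbin/cupsd" name="/usr/local/lib/cups/filter/rastertoptch" pid=16420 comm="bash" requested_mask="x" denied_mask="x" fsuid=7 ouid=0 target="/usr/sbin/cupsd//null-c"
[ 9153.073027] type=1400 audit(1292948087.453:16): apparmor="DENIED" operation="exec" parent=3189 profile="/usr/sbin/cupsd" name="/usr/local/lexmark/lxk08/bin/lxkusb" pid=3190 comm="cups-deviced" requested_mask="x" denied_mask="x" fsuid=7 ouid=0
[ 9153.158526] usb 3-1: usbfs: interface 1 claimed by usblp while 'usb' sets config #1
"""

# key="value" pairs as the kernel audit subsystem prints them
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_apparmor_events(text):
    """Return one dict of key/value fields per type=1400 (AppArmor) audit line."""
    events = []
    for line in text.splitlines():
        if "type=1400" not in line or 'apparmor="' not in line:
            continue  # unrelated kernel messages (usb, hpet, ...)
        events.append(dict(KV_RE.findall(line)))
    return events


def summarize_denials(events):
    """Map (profile, path) -> set of permission letters the profile did not grant.

    DENIED lines come from enforce mode. ALLOWED lines that still carry a
    denied_mask come from complain mode (after aa-complain): the access went
    through but would have been refused under enforcement, so they count too.
    STATUS lines (profile_replace) carry no denied_mask and are skipped.
    """
    denials = defaultdict(set)
    for ev in events:
        if ev.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        if not ev.get("denied_mask") or "name" not in ev or "profile" not in ev:
            continue
        denials[(ev["profile"], ev["name"])].update(ev["denied_mask"])
    return denials


def suggest_rules(denials):
    """Draft one AppArmor file rule per (profile, path) covering the denied masks.

    Simplified stand-in for aa-logprof: a bare 'x' is not a valid rule
    permission, so execute denials become 'ix' (run under the same profile),
    matching the 'rix' the packaging fix in this thread used for /usr/local/lib/cups/**.
    """
    rules = []
    for (profile, path), masks in sorted(denials.items()):
        perms = "".join(sorted(masks - {"x"})) + ("ix" if "x" in masks else "")
        rules.append((profile, f"{path} {perms},"))
    return rules


if __name__ == "__main__":
    for profile, rule in suggest_rules(summarize_denials(parse_apparmor_events(SAMPLE_KERN_LOG))):
        print(f"{profile}: {rule}")
```

Feed it `dmesg` or `/var/log/kern.log` captured after a test print in complain mode and compare the drafted rules against the existing `/usr/local/**` lines before widening the profile.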


Revision history for this message
Till Kamppeter (till-kamppeter) wrote :

Can you replace the line

  /usr/local/** r,

by

  /usr/local/** rix,

in the file /etc/apparmor.d/usr.sbin.cupsd and then restart AppArmor with

sudo /etc/init.d/apparmor restart

Then execute the command

sudo aa-enforce cupsd

Can you print now?

Revision history for this message
Risto H. Kurppa (risto.kurppa) wrote :

I think I bumped into the same bug on Kubuntu 10.10

HP USB printer that suddenly stopped working (I ran a long list of upgrades yesterday).

In /etc/apparmor.d/usr.sbin.cupsd I don't have the line /usr/local/** r at all:

rhk@ribantu:~$ cat /etc/apparmor.d/usr.sbin.cupsd |grep "usr/local"
  /usr/local/share/** r,
rhk@ribantu:~$

I tried
sudo aa-complain cupsd (without restarting)
and no help.

dmesg output:

[33427.820037] usb 6-2: new full speed USB device using uhci_hcd and address 3
[33428.998956] usblp0: USB Bidirectional printer dev 3 if 0 alt 1 proto 2 vid 0x03F0 pid 0x0C17
[33428.998983] usbcore: registered new interface driver usblp
[33430.402012] usb 6-2: usbfs: interface 0 claimed by usblp while 'usb' sets config #1
[33430.438730] type=1400 audit(1299514018.176:17): apparmor="DENIED" operation="open" parent=31216 profile="/usr/sbin/cupsd" name="/dev/ttyUSB0" pid=31220 comm="serial" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[33850.791312] usb 6-2: USB disconnect, address 3
[33850.791437] usblp0: removed
[33860.820679] usb 6-2: new full speed USB device using uhci_hcd and address 4
[33861.020628] usblp0: USB Bidirectional printer dev 4 if 0 alt 1 proto 2 vid 0x03F0 pid 0x0C17
[33862.285372] type=1400 audit(1299514450.026:18): apparmor="DENIED" operation="open" parent=32178 profile="/usr/sbin/cupsd" name="/dev/ttyUSB0" pid=32182 comm="serial" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[33862.340186] usb 6-2: usbfs: interface 0 claimed by usblp while 'usb' sets config #1
[34095.540122] usb 6-2: USB disconnect, address 4
[34095.540251] usblp0: removed
[34104.630019] usb 6-2: new full speed USB device using uhci_hcd and address 5
[34104.890986] usblp0: USB Bidirectional printer dev 5 if 0 alt 1 proto 2 vid 0x03F0 pid 0x0C17
[34106.137494] usb 6-2: usbfs: interface 0 claimed by usblp while 'usb' sets config #1
[34106.147683] type=1400 audit(1299514693.886:19): apparmor="DENIED" operation="open" parent=32222 profile="/usr/sbin/cupsd" name="/dev/ttyUSB0" pid=32226 comm="serial" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[34288.520442] type=1400 audit(1299514876.266:20): apparmor="STATUS" operation="profile_replace" name="/usr/lib/cups/backend/cups-pdf" pid=32315 comm="apparmor_parser"
[34288.520578] type=1400 audit(1299514876.266:21): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/cupsd" pid=32315 comm="apparmor_parser"
[34322.649215] type=1400 audit(1299514910.386:22): apparmor="STATUS" operation="profile_replace" name="/usr/lib/cups/backend/cups-pdf" pid=32353 comm="apparmor_parser"
[34322.649348] type=1400 audit(1299514910.386:23): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/cupsd" pid=32353 comm="apparmor_parser"

Revision history for this message
JC Boggio (jissouille) wrote :

Same bug on Ubuntu 11.04/ia64 with a Dell 2155cdn.
Manually installed the files from the vendor-supplied Red Hat package (in /usr/lib and /usr/share) and got the following errors:
In the diagnose/troubleshooting window:
E [20/Aug/2011:11:28:12 +0200] [Job 510] Job stopped due to filter errors; please consult the error_log file for details.

And at the end (I guess these 2 are not too harmful):
E [20/Aug/2011:11:28:17 +0200] Failed to add Avahi entry for Dell 2155cdn Color MFP @ bast: -8
E [20/Aug/2011:11:28:17 +0200] Failed to update TXT record for Dell 2155cdn Color MFP @ bast: -2

And in /var/log/cups/error_log:
D [20/Aug/2011:11:28:12 +0200] [Job 510] PPD: /etc/cups/ppd/Dell-2155cdn-LPD.ppd
D [20/Aug/2011:11:28:12 +0200] [Job 510] /usr/lib/cups/filter/Dell_2155_Color_MFP/DLM_MF: Permission denied
D [20/Aug/2011:11:28:12 +0200] PID 10991 (/usr/lib/cups/filter/Dell_2155_Color_MFP/DLM_MF) stopped with status 22!

Don't know if this might be a problem, but the drivers are 32-bit:
$ file /usr/lib/cups/filter/Dell_2155_Color_MFP/DLM_MF
/usr/lib/cups/filter/Dell_2155_Color_MFP/DLM_MF: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.4, not stripped

I then tried:
$ sudo aa-complain cupsd

And now the printer works.

This is hopefully the relevant part in kern.log :

Aug 20 14:35:08 bast kernel: [14540.034461] type=1400 audit(1313843708.098:795): apparmor="ALLOWED" operation="exec" parent=1086 profile="/usr/sbin/cupsd" name="/usr/lib/cups/filter/Dell_2155_Color_MFP/DLM_MF" pid=1889 comm="cupsd" requested_mask="x" denied_mask="x" fsuid=7 ouid=0 target="/usr/sbin/cupsd//null-c"
Aug 20 14:35:08 bast kernel: [14540.034782] type=1400 audit(1313843708.098:796): apparmor="ALLOWED" operation="open" parent=1086 profile="/usr/sbin/cupsd//null-c" name="/etc/ld.so.cache" pid=1889 comm="DLM_MF" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
Aug 20 14:35:08 bast kernel: [14540.034793] type=1400 audit(1313843708.098:797): apparmor="ALLOWED" operation="getattr" parent=1086 profile="/usr/sbin/cupsd//null-c" name="/etc/ld.so.cache" pid=1889 comm="DLM_MF" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
Aug 20 14:35:08 bast kernel: [14540.034822] type=1400 audit(1313843708.098:798): apparmor="ALLOWED" operation="open" parent=1086 profile="/usr/sbin/cupsd//null-c" name="/usr/lib32/libcups.so.2" pid=1889 comm="DLM_MF" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
Aug 20 14:35:08 bast kernel: [14540.034836] type=1400 audit(1313843708.098:799): apparmor="ALLOWED" operation="getattr" parent=1086 profile="/usr/sbin/cupsd//null-c" name="/usr/lib32/libcups.so.2" pid=1889 comm="DLM_MF" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
Aug 20 14:35:08 bast kernel: [14540.034853] type=1400 audit(1313843708.098:800): apparmor="ALLOWED" operation="file_mmap" parent=1086 profile="/usr/sbin/cupsd//null-c" name="/usr/lib32/libcups.so.2" pid=1889 comm="DLM_MF" requested_mask="mr" denied_mask="mr" fsuid=7 ouid=0
Aug 20 14:35:08 bast kernel: [14540.034892] type=1400 audit(1313843708.098:801): apparmor="ALLOWED" operation="open" parent=1086 profile="/usr/sbin/cupsd//null-c" name="/lib32/libc-2.13.so" pid=1889...


Revision history for this message
Till Kamppeter (till-kamppeter) wrote :

pitti, can you have a look into this?

Revision history for this message
Till Kamppeter (till-kamppeter) wrote :

There seems to be something still not working.

Revision history for this message
Martin Pitt (pitti) wrote :

name="/usr/lib32/libcups.so.2" .. are you trying to use the i386 cups package on an amd64 system? That won't work..

Revision history for this message
JC Boggio (jissouille) wrote :

That's what I thought (and wrote) but once apparmor was "configured" (with aa-complain), it started working. Currently, Dell only provides i386 drivers for linux.
If I can help, let me know.

Revision history for this message
Till Kamppeter (till-kamppeter) wrote :

pitti, can we also open up subdirectories of /usr/lib/cups/filter/ for filter execution? In comment #15 it seems that a proprietary Dell driver is used with /usr/lib/cups/filter/Dell_2155_Color_MFP/DLM_MF as filter and AppArmor blocks this.

Revision history for this message
Till Kamppeter (till-kamppeter) wrote :

Problem of comment #15 should be fixed now in Oneiric.

Revision history for this message
L. POUZENC (lpouzenc) wrote :

Reply to comments #15, #20, #21:

I have the same problem with a Dell_2150_Color_Printer printer.

I have just edited the /etc/apparmor.d/usr.sbin.cupsd file and added a line to say "I want my Dell filter to run in unconfined mode" ("Ux" mode, see man 5 apparmor.d).

root@host:~# diff -p usr.sbin.cupsd.orig usr.sbin.cupsd
*** usr.sbin.cupsd.orig 2011-11-25 19:37:00.718556722 +0100
--- usr.sbin.cupsd 2011-11-25 19:36:28.383040010 +0100
***************
*** 98,103 ****
--- 98,105 ----
    # filters and drivers (PPD generators) are always run as non-root,
    # and there are a lot of third-party drivers which we cannot predict
    /usr/lib/cups/filter/* Uxr,
+ #lpo : Ajout du sous-dossier du driver DELL
+ /usr/lib/cups/filter/Dell_2150_Color_Printer/* Uxr,
    /usr/lib/cups/driver/* Uxr,
    /usr/local/** r,
    /usr/local/lib/cups/** rix,
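Review bot: The new `/usr/lib/cups/filter/Dell_2150_Color_Printer/* Uxr,` rule is hard-wired to one driver directory, and `Ux` runs that filter completely unconfined (man 5 apparmor.d), so once it starts nothing in the profile limits what it can read or write; that is consistent with the existing `/usr/lib/cups/filter/* Uxr,` line above it, but if the goal is the general fix discussed in comment #20 (vendor filters installed in subdirectories of /usr/lib/cups/filter/), a `/usr/lib/cups/filter/** Uxr,` pattern would cover every vendor directory without a per-driver edit. The `#lpo : Ajout du sous-dossier du driver DELL` comment should also be in English if this change is meant to go anywhere beyond a locally patched profile.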

And now, that works. No more "Permission denied" in /var/log/cups/error_log and no messages in kernel.log.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu:
status: New → Confirmed
affects: cups → ubuntu
no longer affects: ubuntu