Fix apparmor profile for Kerberos
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
cups (Ubuntu) | Fix Released | Medium | Martin Pitt | |
Bug Description
Binary package hint: cupsys
Description: Ubuntu 8.04.2
Release: 8.04
cupsys 1.3.7-1ubuntu3.3
Hi,
Fresh install of CUPS is working, including access to /admin pages.
As soon as I add AuthType Basic and Require User @SYSTEM to /admin, cupsd blows up with a SIGSEGV just after trying to authenticate the user (me).
My system is set up to use PAM to auth to MIT Kerberos and that is working well.
The attachment includes my cupsd.conf (minimal changes from default), a LogLevel debug2 trace via syslog (file: cupslog), an strace of cupsd (file: log) and my pam.d config (file: cupsys).
I have a similar setup working fine with cupsys 1.2.7-4 on Debian Testing. I've even copied the cupsd.conf file over.
I've checked the Base64 user/pass in the logs and it decodes correctly to my username and password (I've redacted it for obvious reasons in the attached file).
It's probably related to PAM/Kerberos - but cupsd really should not be segfaulting.
I'm happy to undertake further testing under your direction.
Many thanks
Tim
Changed in cups:
status: In Progress → Fix Committed
I have a solution!
It was bl**dy AppArmor preventing cupsd from reading /etc/krb5.keytab (required by PAM/Krb5) and apparently preventing it writing a ticket cache into /tmp.
I used aa-complain /usr/sbin/cupsd to disable AppArmor enforcement and that's fixed the problem.
I wonder how many other Ubuntu/CUPS random crash bugs are due to AppArmor?...
*sigh*
This bug may be marked as closed - BUT if you care, you might consider disabling AppArmor, or putting in a big fat hairy warning on the CUPS webpages about it.
Cheers
Tim
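A narrower route than putting the whole cupsd profile into complain mode is to read the AppArmor denials and grant only what was blocked. The following is an added example, not part of the original report and not the fix Ubuntu shipped: it parses constructed audit lines (current kernel audit format; timestamps, pids and ticket cache file names are made up, and the `/tmp/krb5cc_*` naming is an assumption) and returns candidate profile rules for review.

```python
import re
from collections import defaultdict

# Constructed sample audit lines; not taken from the attached logs.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/krb5.keytab" pid=4242 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.105:202): apparmor="DENIED" operation="mknod" profile="/usr/sbin/cupsd" name="/tmp/krb5cc_1000_Ab12Cd" pid=4242 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1700000009.220:207): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/tmp/krb5cc_1000_Zz99Yy" pid=4250 comm="cupsd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1700000010.300:208): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=4250 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000011.400:209): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/krb5.keytab" pid=900 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')      # key="quoted" or key=bare
TICKET_CACHE = re.compile(r"^/tmp/krb5cc_[^/]+$")     # assumed cache naming
PERM_ORDER = "rwaklmx"                                # letters valid in a file rule
LOG_ONLY = {"c": "w", "d": "w"}                       # create/delete are granted by 'w'


def parse_denials(text, profile):
    """Return {path: set of denied mask letters} for one profile's DENIED events."""
    denied = defaultdict(set)
    for line in text.splitlines():
        fields = {k: q or u for k, q, u in FIELD.findall(line)}
        if fields.get("apparmor") != "DENIED" or fields.get("profile") != profile:
            continue
        if "name" in fields:
            denied[fields["name"]].update(fields.get("denied_mask", ""))
    return dict(denied)


def candidate_rules(denials):
    """Collapse per-file denials into profile rule lines, globbing ticket caches."""
    merged = defaultdict(set)
    for path, masks in denials.items():
        pattern = TICKET_CACHE.sub("/tmp/krb5cc_*", path)
        merged[pattern].update(LOG_ONLY.get(m, m) for m in masks)
    return [
        f"{pattern} {''.join(p for p in PERM_ORDER if p in perms)},"
        for pattern, perms in sorted(merged.items())
    ]


if __name__ == "__main__":
    for rule in candidate_rules(parse_denials(SAMPLE_LOG, "/usr/sbin/cupsd")):
        print(rule)
```

Each returned line is a proposal to review before adding it to the profile, since a denial can also indicate access the daemon should not have.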