[SOLVED] Control Center -> Printers (system-config-printer) UNLOCK switch permissions

Questions about applications and software
Forum rules
Before you post please read how to get help
Post Reply
Nyanko-sensei
Level 1
Level 1
Posts: 16
Joined: Tue Aug 20, 2019 10:25 pm

[SOLVED] Control Center -> Printers (system-config-printer) UNLOCK switch permissions

Post by Nyanko-sensei » Tue Oct 08, 2019 6:38 am

Hey there,

Have a Linux Mint 19.2 MATE machine in AD domain enterprise environment with auth through sssd/realmd. Most AD related stuff (like sudoers from AD group membership) works fine, however printer management GUI is not.

You see, printer settings are "locked".

Screenshot at 2019-10-08 16-17-27.png
Screenshot at 2019-10-08 16-17-27.png (12.89 KiB) Viewed 271 times

But if I try to "unlock" this thing it requires elevation in permissions but gives me only local accounts as options (my guess it's based on local sudo group membership).

Screenshot at 2019-10-08 16-32-41.png

As you can imagine, supplying everyone who needs to adjust his own printer with local sudo account is out of the table in production environment.

So, what can I do about this switch?
More specifically:
- How to get rid of evelation request for regular non-local user?
or
- How to supply any custom account with sudo permission (like obtained through /etc/sudoers.d/ rather then sudo group membership)?

Could anyone please assist?
Last edited by Nyanko-sensei on Thu Oct 17, 2019 4:50 am, edited 1 time in total.

gm10
Level 19
Level 19
Posts: 9797
Joined: Thu Jun 21, 2018 5:11 pm

Re: Control Center -> Printers (system-config-printer) UNLOCK switch permissions

Post by gm10 » Wed Oct 09, 2019 2:47 am

In an enterprise environment you usually have centrally administered printers, but anyway, you must understand this: https://www.freedesktop.org/software/po ... kit.8.html and that will also allow you to adjust any authentication requirements on your system.
Tune up your LM 19.x: ppa:gm10/linuxmint-tools

Nyanko-sensei
Level 1
Level 1
Posts: 16
Joined: Tue Aug 20, 2019 10:25 pm

Re: Control Center -> Printers (system-config-printer) UNLOCK switch permissions

Post by Nyanko-sensei » Thu Oct 17, 2019 2:09 am

Thanks a lot. That clarified things for me quite a bit! Still can't solve my problem, perhaps I'm just dumb ))

Anyhow.. I've figured out that for polkit's autherization/authentication activities package named "cups-pk-helper" is responsible. The said package provides an auth window for action "org.opensuse.cupspkhelper.mechanism.all-edit". This action is defined in "/usr/share/polkit-1/actions/org.opensuse.cupspkhelper.mechanism.policy" file.

Now the tricky question:
How to allow me proceed without said window?
or
How to make window let anyone through?
or
How to ask for not predifined username
or
Where to set list of accounts in dropdown list?

I tried creating a rule in "/usr/share/polkit-1/rules.d/" but without much success:
Screenshot at 2019-10-17 12-01-35.png

gm10
Level 19
Level 19
Posts: 9797
Joined: Thu Jun 21, 2018 5:11 pm

Re: Control Center -> Printers (system-config-printer) UNLOCK switch permissions

Post by gm10 » Thu Oct 17, 2019 3:11 am

Since you based that rule on sudo group membership it will apply only to members of the sudo group.

The overall list of admin groups and users allowed to elevate privileges is, by default, defined in this file: /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
You can add other groups or users.
Last edited by gm10 on Fri Oct 18, 2019 2:34 am, edited 1 time in total.
Tune up your LM 19.x: ppa:gm10/linuxmint-tools

Nyanko-sensei
Level 1
Level 1
Posts: 16
Joined: Tue Aug 20, 2019 10:25 pm

Re: Control Center -> Printers (system-config-printer) UNLOCK switch permissions

Post by Nyanko-sensei » Thu Oct 17, 2019 4:49 am

Ok, thanks!

After a brief sleep, I've digged into polkit link you've provided me earlier with and found a solution to my problem. All I needed was actually to edit action in question in file "/usr/share/polkit-1/actions/org.opensuse.cupspkhelper.mechanism.policy" following way:
replace tags

Code: Select all

<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
with

Code: Select all

<allow_any>yes</allow_any>
<allow_inactive>yes</allow_inactive>
<allow_active>yes</allow_active>
And behold: no more stupid "Unlock" switch and no more authentication to edit printer settings either!

gm10
Level 19
Level 19
Posts: 9797
Joined: Thu Jun 21, 2018 5:11 pm

Re: [SOLVED] Control Center -> Printers (system-config-printer) UNLOCK switch permissions

Post by gm10 » Thu Oct 17, 2019 6:05 am

Yes, that's actually what I expected you to do to begin with, although that way your changes will be overwritten should there ever be another update to the package. You are likely aware of that, just mentioning it to make sure.
Tune up your LM 19.x: ppa:gm10/linuxmint-tools

Nyanko-sensei
Level 1
Level 1
Posts: 16
Joined: Tue Aug 20, 2019 10:25 pm

Re: [SOLVED] Control Center -> Printers (system-config-printer) UNLOCK switch permissions

Post by Nyanko-sensei » Thu Oct 17, 2019 6:30 am

Hmm, good point. However, I have not a clue how to make thing work otherwise. I tried to create simpliest rule but it feels like it just ignored.
Screenshot at 2019-10-17 16-21-05.png
Manual says that rule might be overwriten by other rules, but I don't see anything among standard rules which should affect it.
Any thoughts how to achive similar results in update safe way?..

gm10
Level 19
Level 19
Posts: 9797
Joined: Thu Jun 21, 2018 5:11 pm

Re: [SOLVED] Control Center -> Printers (system-config-printer) UNLOCK switch permissions

Post by gm10 » Thu Oct 17, 2019 7:56 am

My bad, that's what I get for pointing you to the online manual rather than your local version. The manual is for the current version, but seems Mint still ships with an ancient version of PolicyKit that does not support rules (I'm not on Mint or I'd have realized sooner). What it does support is only this: https://www.freedesktop.org/software/po ... ity.8.html. That's the old way to override default policies, works basically the same but in a different format.

Again, best check your local manual on that as well. ;)
Tune up your LM 19.x: ppa:gm10/linuxmint-tools

Nyanko-sensei
Level 1
Level 1
Posts: 16
Joined: Tue Aug 20, 2019 10:25 pm

Re: [SOLVED] Control Center -> Printers (system-config-printer) UNLOCK switch permissions

Post by Nyanko-sensei » Fri Oct 18, 2019 1:15 am

gm10 wrote:
Thu Oct 17, 2019 7:56 am
seems Mint still ships with an ancient version of PolicyKit that does not support rules (I'm not on Mint or I'd have realized sooner)
Funny thing there are some rules in rules.d. Looks like someone on the team got lazy :D
gm10 wrote:
Thu Oct 17, 2019 7:56 am
That's the old way to override default policies, works basically the same but in a different format.
Seems like that polkit is cursed for me. As I said before, I'm doing with domain users. And those users doesn't seem to be part of any accepted by polkit group. They are basically nobody in terms of local group membership, as far as I can tell. Adding domain group to pkla file does nothing. Asterisk as username does nothing. Not specifying Identity doesn't work either. Specifying domain user does the trick but it's kinda lame. Guess I could make a script for generating said file, but lame still.

Guess I''ll look for a way to replace polkit package with more recent one now.

gm10
Level 19
Level 19
Posts: 9797
Joined: Thu Jun 21, 2018 5:11 pm

Re: [SOLVED] Control Center -> Printers (system-config-printer) UNLOCK switch permissions

Post by gm10 » Fri Oct 18, 2019 2:41 am

That wouldn't be easy. Plus it should generally work.

Maybe double check your sssd configuration. Maybe also try disabling the Policykit Authentication Agent from your startup applications, relog and then try starting e.g. synaptic-pkexec from a terminal window (without the agent you lack the GUI for authenticating).
Tune up your LM 19.x: ppa:gm10/linuxmint-tools

Nyanko-sensei
Level 1
Level 1
Posts: 16
Joined: Tue Aug 20, 2019 10:25 pm

Re: [SOLVED] Control Center -> Printers (system-config-printer) UNLOCK switch permissions

Post by Nyanko-sensei » Fri Oct 18, 2019 6:02 am

Ok, an update. Issue is solved (sort of, as often the case with linux).

Apperently domain group membership works now. So I've created a file /etc/polkit-1/localauthority/20-org.d/10-cupspkhelper.pkla with following content.

[Any Rule Name]
Identity=user-group:domain-group-workstations-printer-control
Action=org.opensuse.cupspkhelper.mechanism.*
ResultAny=yes
ResultInActive=yes
ResultActive=yes

Adding domain users groups to said group kinda solves the issue. I guess it have to do for now.

Post Reply

Return to “Software & Applications”