CUPS on Vybrid PCM-052: filter exits with "permission denied"

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

CUPS on Vybrid PCM-052: filter exits with "permission denied"

Jump to solution
3,631 Views
mpfgregory
Contributor III

I'm using a Phytec PCM-052 development kit with Timesys embedded Linux 3.0.13 and I'm trying to get CUPS 1.5.3 working. I've come pretty far. I can print postscript on our network printer, and I can manually pipe files through the filter chain to get a .pclx file that I can print on a USB printer. However, when I use the same filter chain from within the cupsd daemon, the filters exit with the satus "permission denied":

PID 799 (rastertopclx) stopped with status 113 (Permission denied)

How to reproduce:

- build the Timesys toolchain with cups, ghostscript, libusb and kernel usb printing support enabled

- the build stops with errors because of multiply defined symbols. Comment out "typedef signed long long int64_t"; in /ghostscript-9.05/base/stdint_.h and "struct timeval" { in /ghostscript-9.05/base/time_.h to fix the build !

- install the bootloader, kernel and rootfs on an SD card and start the PCM-052

- plug a USB printer into USB0

# echo hello > bla.txt

# cat bla.txt > /dev/usb/lp0

- the printer prints "hello", now let's use CUPS

# lpadmin -p printer_name -E -v parallel:/dev/usb/lp0

- usb:/dev/usb/lp0 URI doesn't work, I don't know why it works with parallel

# export LPDEST=printer_name

# chmod 0700 /usr/lib/cups/backend/parallel

- the backends come with 755 permissions after a fresh install, this doesn't work for some reason. Lowering the permissions to 0700 fixes it

# lpr bla.txt

- the printer prints "hello", now let's use the cups filters to print postscript

# lpadmin -x printer_name

# lpadmin -p printer_name -E -v parallel:/dev/usb/lp0 -P /usr/share/cups/model/pxlmono.ppd

- a standard PPD file that comes with the installation, for our printer we have a PPD provided by the manufacturer

# vi /etc/cups/cupsd.conf

- set LogLevel to debug2

# reboot

# export LPDEST=printer_name

# lpr bla.txt

- nothing is printed

# cat /var/log/cups/error_log | tail -n 200

- somewhere in the output you'll find the error messages from the filters: PID 799 (rastertopclx) stopped with status 113 (Permission denied), the same for the other filters in the chain.

If I manually call the filter chain and convert bla.txt to bla.ps to bla.raster to bla.pclx, I can "lpr bla.pclx" to print a "hello" in the font defined by the PPD file. The filters work fine, but not from within cupsd.

From what I've learned from the CUPS documentation (Filter and Backend Programming - CUPS.org ) the filters run as user "lp". I first thought they try to open some files, like the PPD or cupsd.conf, and don't have the permissions to do so. But replacing the filters with an executable that simply returns 0 gives the same error message in /var/log/cups/error_log. I've tried changing permissions of all CUPS related files and directories to 700, 755, 555, but I got the same result. Changing permissions to 0777 produces an "inscure filter permissions" error in /var/log/cups/error_log. I've also tried changing user and group of all CUPS related files and directories to "lp", same result.

Does anybody have CUPS from the Timesys distribution running?

Labels (2)
0 Kudos
Reply
1 Solution
2,718 Views
mpfgregory
Contributor III

I have got it working now. The problem was that all files in /lib had 0700 permissions. Looks like CUPS depends on some of these libraries and couldn't use them when it forked to a non-root user. After changing all files in /lib to 0755 CUPS works as expected. Thanks for all the support!

View solution in original post

0 Kudos
Reply
8 Replies
2,719 Views
mpfgregory
Contributor III

I have got it working now. The problem was that all files in /lib had 0700 permissions. Looks like CUPS depends on some of these libraries and couldn't use them when it forked to a non-root user. After changing all files in /lib to 0755 CUPS works as expected. Thanks for all the support!

0 Kudos
Reply
2,718 Views
Nouchi
Senior Contributor II

Hello Gregory,

I've CUPS printing system that works, but there's many problems to solve.

- to build ghostscript you have to apply ghostscript-9.05-enable-systime.patch

- don't forget to check "Install cups to Toolchain" in menuconfig

- compile CUPS before ghostscript

- add "--with-docdir=/usr/share/cups/doc-root" to cups config options to have full CUPS web page administration.

- in my case, to solve USB printer permissions problems, I replaced mdev by udev with a printer rule (ATTR{bDeviceClass}=="00", MODE:="666", GROUP:="root"), then lpinfo -v gives  :

direct usb://HP/LaserJet%20P2015%20Series?serial=xxxxxxx

- to solve some usb back-end problems, apply a set of patch found in ubuntu 12.04LTS.

- add "--with-docdir=/usr/share/cups/doc-root" to cups config options to have full CUPS web page administration.

- add your user to lp group if you want to use administration web page

it should work.

Now I can print with high quality on many USB or network printers from my Qt application.

Emmanuel

2,718 Views
mpfgregory
Contributor III

Hello Emmanual

Thanks for the reply. I'm glad to hear you got it working. Your other post (How to setup basic USB printing system with LPD / Qt on Vybrid ) helped me get printing to work at all. I thought you had given up on CUPS and sticked with lpd. What board are you using, and which kernel version and CUPS version?

I have installed udev and added the rule from your post. At first it didn't change anything, but when I "chmod 0700 /usr/lib/backend/usb", lpinfo -v gave me:

direct usb://GeBE/USB%20Printer%20N78

I installed the printer with this URI without a PPD file, and I was able to print text. But when I installed it with my PPD, I got the same permission denied errors from the filters.

Then I applied the Ubuntu patches, but same result. I still need to chmod 0700 the USB backend, and the filters throw the same permission denied errors.

I've also tried it with a network printer. I need to chmod 0700 the socket backend. It prints postscript when installed without a PPD, but with a PPD the filters throw permission denied.

I've seen forum posts of Desktop Linux users with the same problem. In their case AppArmor caused the problem. I've checked the kernel config, but AppArmor is not installed. Is there another security feature in the Timesys Linux that might cause this problem?

Emmanuel, what does your /etc/cups/cupsd.conf look like?

Best regards

Michael

0 Kudos
Reply
2,718 Views
Nouchi
Senior Contributor II

Hello Michael,

usb back-end  permission looks like this :

stat /usr/lib/cups/backend/usb

  File: '/usr/lib/cups/backend/usb'   Size: 26700          Blocks: 56         IO Block: 4096   regular file Device: dh/13d     Inode: 6554        Links: 1    Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)

and the same for other back-ends.

Maybe your problem depends on how you installed the root file system, in my case the RFS is in NAND flash on UBI file system

Have a look to your timeSys factory build to see if permissions are Ok, if not try to clean and rebuild your RFS.

In my cupd.conf, I only enable remote configuration with web page.

Regards,

Emmanuel

2,718 Views
mpfgregory
Contributor III

You're right, there's something wrong with the permissions in my rfs. No user but root can execute any program:

# su test

su: can't execute '/bin/sh': Permission denied

How can I check the rfs permissions in the Timesys factory?

I can make CUPS run on my system by commenting out line 519 in scheduler/process.c:

if (!RunUser && user && setuid(user))

But that's not the way to go. I need to fix the rfs permissions.

0 Kudos
Reply
2,718 Views
timesyssupport
Senior Contributor II

Hello,

We would ask that you please open a ticket (if you have haven't already) in our support queue for this issue, as it's mostly Timesys Factory related. If we can review your build, and reproduce the issues, we can assist there.

By default, a Timesys Factory installs a rootfs owned by root, and unless configured otherwise at build time, only provides a root user.

Please login to LinuxLink here: http://linuxlink.timesys.com and click the "Support" link to submit a new request.

Thank you,

Timesys Support

2,718 Views
karina_valencia
NXP Apps Support
NXP Apps Support

timesyssupport​ can you help here?

0 Kudos
Reply
2,718 Views
mpfgregory
Contributor III

Hello Emmanuel,

Thanks again for your answer. I have etx2 on an SD card, rootfs is rw. I just reinstalled the factory, rebuilt everything from scratch, copied bootloader, kernel and rootfs to the SD card, same error. Trying ubifs was on my TODO list anyway, so I just flashed rootfs.ubi and booted it. It's exactly the same as when I boot from the SD card (0700 backend required, permission denied from filters). Our cupsd.conf are identical except for your changes to enable the web interface.

One more interesting thing: When I chmod 0755 the backend, it throws the same error as the filters:

PID 912 (/usr/lib/cups/backend/parallel) stopped with status 113 (Permission denied)

Just setting the filters to 0700 doesn't help. Maybe there's another file with 0755 permission that cups tries to open. I wonder how it is possible at all that I can get rid of a "permission denied" error by lowering file permissions.

0 Kudos
Reply