Bug 10084 - Guest user has wrong group membership when running the 'print command'
Guest user has wrong group membership when running the 'print command'
Status: NEW
Product: Samba 3.6
Classification: Unclassified
Component: Printing
x64 FreeBSD
: P5 minor
: ---
Assigned To: printing-maintainers
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2013-08-14 05:00 UTC by John Waugh
Modified: 2013-08-14 05:00 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description John Waugh 2013-08-14 05:00:05 UTC
I have a Samba print share set up, with a "print command" specified
that just 'cat's the file to /dev/ulpt0. The share is accessed by the
guest Samba account, which I have set to be the 'smbguest' username.

I can manually run the print command as root, and the file prints.
I can manually run the print command as 'smbguest' (through sudo) and
the file prints. Therefore, I know the printer hardware is set up correctly.

However, when run the command through Samba itself (by printing over
the network from another machine), I get:

    cannot create /dev/ulpt0: Permission denied

which is the same message I would get if I don't have write permissions
to the device.

NOTE: I have recently done an upgrade of samba (might have been from 3.5, but I think it was an earlier 3.6.x - I can track that down if it's important). In the previous version, everything was working.

The device itself has the following permissions:

    $ ls -l /dev/ulpt*
    crw-rw----  1 root  print    0, 142 Aug  5 22:31 /dev/ulpt0

The 'smbguest' account is in the 'print' group, as evidenced below:

    $ groups smbguest
    smbguest smbguestgroup print

so it should be able to write to ulpt0. In fact, it can, when the
command is run through sudo -u smbguest ...

Further, if I change permissions on the device to, for instance, have a group of 'smbguest', everything works. Also, if I change permissions on the device to have read/write for the 'other' users, again everything works. I do not want to put that in place permanently, of course.

I have found that when the Samba 'print command' itself is run, the group
membership *only* includes the 'smbguest' group. I altered the print
command to write a log message including the output of `id`, for instance, and
it only includes the 'smbguest' group, rather than the above three groups.

NOTE: I have tried using 'force group = print' as a workaround, but that does not seem to have any effect for me. I don't know if that ever worked, because I had no reason to try, before.

I am happy to provide additional information if needed.