10084 – Guest user has wrong group membership when running the 'print command'

Bug 10084 - Guest user has wrong group membership when running the 'print command'

Summary: Guest user has wrong group membership when running the 'print command'

Status:	NEW

Alias:	None

Product:	Samba 3.6
Classification:	Unclassified
Component:	Printing (show other bugs)
Version:	3.6.13
Hardware:	x64 FreeBSD

Importance:	P5 minor
Target Milestone:	---
Assignee:	printing-maintainers
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2013-08-14 05:00 UTC by John Waugh
Modified:	2021-06-24 15:36 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Waugh 2013-08-14 05:00:05 UTC

I have a Samba print share set up, with a "print command" specified
that just 'cat's the file to /dev/ulpt0. The share is accessed by the
guest Samba account, which I have set to be the 'smbguest' username.

I can manually run the print command as root, and the file prints.
I can manually run the print command as 'smbguest' (through sudo) and
the file prints. Therefore, I know the printer hardware is set up correctly.

However, when run the command through Samba itself (by printing over
the network from another machine), I get:

cannot create /dev/ulpt0: Permission denied

which is the same message I would get if I don't have write permissions
to the device.

NOTE: I have recently done an upgrade of samba (might have been from 3.5, but I think it was an earlier 3.6.x - I can track that down if it's important). In the previous version, everything was working.

The device itself has the following permissions:

$ ls -l /dev/ulpt*
crw-rw---- 1 root print 0, 142 Aug 5 22:31 /dev/ulpt0

The 'smbguest' account is in the 'print' group, as evidenced below:

$ groups smbguest
smbguest smbguestgroup print

so it should be able to write to ulpt0. In fact, it can, when the
command is run through sudo -u smbguest ...

Further, if I change permissions on the device to, for instance, have a group of 'smbguest', everything works. Also, if I change permissions on the device to have read/write for the 'other' users, again everything works. I do not want to put that in place permanently, of course.

I have found that when the Samba 'print command' itself is run, the group
membership *only* includes the 'smbguest' group. I altered the print
command to write a log message including the output of `id`, for instance, and
it only includes the 'smbguest' group, rather than the above three groups.

NOTE: I have tried using 'force group = print' as a workaround, but that does not seem to have any effect for me. I don't know if that ever worked, because I had no reason to try, before.

I am happy to provide additional information if needed.