cupsenable cupsdisable - linux

I have a web application that is run as www-data. I need to have cupsenable and cupsdisable accessible for that user. It's a server that isn't connected to the internet and is running a small internal application and I NEED to be able to give the users the ability to re-enable a printer.
I have already made the executables permissions world executable.
Testing with ...
sudo -u www-data /usr/sbin/cupsenable laser_01
cupsenable: Operation failed: client-error-forbidden

I just needed to add the user to the lpadmin group. I was overthinking this.

It seems like you don't have a problem with the execute permissions. You must be permitted to administrate cups. So it isn't enough to modify your sudo rules. In fact I rolled back my sudo modifications after configuring cups correctly.
Try to edit your /etc/cups/cups-files.conf:
You can define a SystemGroup. All groups added here match the policy rules @SYSTEM in cupsd.conf.
Add the group(s) of your user(s) here and restart cups.
Find out the group of your user www-data.
Then add it, separated by whitespace, to the SystemGroup in your cups-files.conf.
Restart cups.
That worked for me.
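Added example, not part of the original answers: before widening SystemGroup it helps to see exactly which accounts the change turns into CUPS administrators. The file contents below are constructed samples, and the accounts alice, bob and deploy are hypothetical.

```python
# Constructed sample of /etc/cups/cups-files.conf after the edit described above.
CUPS_FILES_CONF = """\
# Administrator groups; these match @SYSTEM in cupsd.conf policy rules
SystemGroup lpadmin www-data
"""

# Constructed sample of /etc/group (name:password:gid:members).
ETC_GROUP = """\
lpadmin:x:113:alice
www-data:x:33:
staff:x:50:bob
"""

# Constructed sample of /etc/passwd; alice, bob and deploy are hypothetical.
ETC_PASSWD = """\
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:50::/home/bob:/bin/bash
www-data:x:33:33::/var/www:/usr/sbin/nologin
deploy:x:1002:33::/home/deploy:/bin/bash
"""

def system_groups(conf_text):
    """Return the group names from every SystemGroup directive, in order."""
    groups = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0].lower() == "systemgroup":
            groups.extend(fields[1:])
    return groups

def cups_admins(conf_text, group_text, passwd_text):
    """Map each SystemGroup entry to the accounts that belong to it."""
    members, gid_of = {}, {}
    for line in group_text.splitlines():
        name, _, gid, users = line.split(":")
        gid_of[name] = gid
        members[name] = {u for u in users.split(",") if u}
    for line in passwd_text.splitlines():
        user, _, _, gid = line.split(":")[:4]
        for name, group_gid in gid_of.items():
            if group_gid == gid:  # a primary group counts as membership
                members[name].add(user)
    return {g: sorted(members.get(g, ())) for g in system_groups(conf_text)}

if __name__ == "__main__":
    for group, users in cups_admins(CUPS_FILES_CONF, ETC_GROUP, ETC_PASSWD).items():
        print(f"{group}: {', '.join(users) or '(no members)'}")
```

In this sample, listing the www-data group also makes the hypothetical deploy account a CUPS administrator, because that group is its primary group.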

Related

Use chef to create user so I can ssh into box

We use chef to provision our boxes but most of our deployments are onto windows, as such infrastructure for our linux boxes isn't all there; because of this I can't log on using my own user/password.
The mechanisms for allowing login only work on windows (it's just not a priority for doing it on linux at the moment) and we only have root passwords and I don't have access to that (rightfully so).
However I could create a user during the chef run, I've looked but to be honest they're all kinda confusing, so I thought I'd ask and hope someone with experience might have a better solution.
How do I create a user with admin access so I can ssh in and do what needs to be done on the box via chef?
Best guidance I can give:
Use the user resource to create the user and then the sudo cookbook to add this user to the sudoers list.
User resource documentation
A stackoverflow question on the password attribute
Sudo cookbook
So you should end up with a cookbook containing the following:
metadata.rb:
[...] # stripped usual lines for cookbook name version
depends 'sudo' # add the dependency to use only one cookbook
attributes/default.rb:
default['user_to_create'] = "user3536548" # took your SO account here
# Add the defined user to the array (using an attribute to avoid duplicating the user name); this avoids overwriting entries from other recipes, and as the attribute is initialized as an empty array it will be OK anyway.
default['authorization']['sudo']['users'] << node['user_to_create']
recipes/default.rb:
user node['user_to_create'] # create the user, see the doc for details
include_recipe 'sudo' # include the sudo recipe to take advantage of the attributes above.

ITHit credentials issue in ubuntu

Currently we use ITHit Webdav Ajax Library to develop a new feature of our product. We intend to provide a link in web browser allowing user to open a document inside our webdav server.
In Windows it runs well but in Ubuntu, we face a problem with credentials. The ITHit applet always asks for: 1. WebDAV credentials 2. Sudo credentials.
If I log in to the OS as a user in the sudo group (suppose that is USER1), I can open/edit the document well when providing the id/password of USER1 in step 2. But if I log in as a user that does not belong to the sudo group (suppose that is USER2), then in step 2 I enter the id/password of USER2, and I cannot open/edit the document. The exception I always see is: java.lang.RuntimeException: Could not mount webdav server, please verify provided credentials. I even granted permission for running mount & mount.davfs for USER2 but still get the same error. (Notice that with these permissions, I log in as USER2 and can mount the webdav folder to a local folder manually successfully!)
I tested www.webdavsystem.com/ajaxfilebrowser and face the same issue.
The question here is, why do you need the sudo credentials? As I understand, you need to create a local folder and mount it with the webdav folder containing the document that the user wants to open. With that action, only mount or mount.davfs is enough. It is too risky to provide the sudo credentials to an applet.
WDYT?
From our experience to successfully mount and use WebDAV on Ubuntu you will need davfs2, not davfs. Unfortunately davfs2 requires sudo credentials.
Note that if you have KDE installed it would not ask for sudo credentials.

Turn off 'Perforce change - o' command

I'm logged in with the Perforce viewer client on my MacBook Pro, and I keep getting this popup that says:
You don't have permission to execute the "P4 change -o" command
This happens every 5 minutes or so. How do I turn this off?
The P4V client program will run certain commands as needed. It is possible that your workspace specification could have something mapped in it that you do not have sufficient permissions to run this command on. You can see what permissions are required for certain commands in the Server Administrator's Guide: http://www.perforce.com/perforce/doc.current/manuals/p4sag/chapter.protections.html#DB5-35217 (the change command requires "open" access level).
You may wish to check with your server administrator to check what you do have access to and look at the client workspace mapping to see if there might be something mapped there that your user does not have sufficient permission to access.

jenkins Access Denied- asdf#gmail.com is missing the Read permission

I am using Jenkins war 1.520 on Ubuntu 12.04. I had configured Jenkins with the OpenID plugin and authenticated with Google Apps. I made some changes in role based security and matrix based security, which prompts me with:
Access Denied- asdf#gmail.com is missing the Read permission
Please let me know what needs to be done in order to get access to Jenkins.
You will have to reconfigure your permissions. Do you still have a user with login access or not? If not you might have to reset it by temporarily disabling the security. This can be achieved by modifying the $JENKINS_HOME/config.xml ($HOME/.jenkins/config.xml by default when running the jenkins.war on your system) and setting <useSecurity> from true to false. Be sure to back up your config!
Once you are there reenable the security, and show us what you have in matrix and role based security.
Had the same issue with Jenkins, turns out my user name was Gideon but the error I was getting was 'gideon is missing the overall administer/register permission'. Edited config.xml by changing Gideon to gideon in the /hudson/authorizationStrategy/permission tags and everything is working fine now.
My permissions file was here:
/var/lib/jenkins/config.xml
As suggested in Disable security page, you need to edit config.xml in your $JENKINS_HOME (e.g. /var/lib/jenkins) and remove lines with useSecurity, authorizationStrategy and securityRealm, then restart Jenkins.
See: Jenkins Github Authentication error: user is missing the Overall/Read permission

Autoupdating AIR apps on Linux without prompting for sudo password

Maybe that's more of a Linux question than an Adobe Air one, but there you go: I have an AIR 2 app that does auto-update in the background, with no need for user interaction. It uses Air's own ApplicationUpdater framework (the one that doesn't require a UI) - all goes well until the package gets downloaded and needs to be installed - at that point, the Air Installer prompts for SUDO password and won't proceed without some user interaction.
Is there any way to circumvent/avoid that?
I solved this by adding a rule to the sudoers file (/etc/sudoers):
<username> ALL=(root) NOPASSWD: /tmp/air.*/setup
This rule can enable the update for all users:
ALL ALL=(root) NOPASSWD: /tmp/air.*/setup
Note that it could lead to some security issues but I think if you are going to use this as a Linux Kiosk it's going to work.
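Added example, not part of the original answer: a small audit that flags NOPASSWD rules like the two above, where the command path sits under a world-writable directory or contains a wildcard, so the file that runs as root is not under the administrator's control. The sudoers text is a constructed sample; the accounts kiosk and backup and the run-backup path are hypothetical.

```python
import re

# Constructed sudoers sample. Lines 3 and 4 are the two rules quoted above, with
# <username> replaced by the placeholder "kiosk"; "backup" is hypothetical.
SUDOERS = """\
# constructed sample
root    ALL=(ALL:ALL) ALL
kiosk   ALL=(root) NOPASSWD: /tmp/air.*/setup
ALL     ALL=(root) NOPASSWD: /tmp/air.*/setup
backup  ALL=(root) NOPASSWD: /usr/local/sbin/run-backup
"""

# Directories that are normally world-writable (assumption; adjust per host).
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
SPEC = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")

def audit(text):
    """Return (line, who, path, reasons) for risky NOPASSWD commands.
    Simple one-line user specs only; aliases and includes are not resolved."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        spec = SPEC.match(line)
        if not spec or line.startswith(("#", "Defaults")):
            continue
        nopasswd = False
        for item in spec["cmds"].split(","):
            item = item.strip()
            while (tag := TAG.match(item)):  # tags carry over to later commands
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag[1], nopasswd)
                item = item[tag.end():]
            path = item.split()[0] if item else ""
            reasons = []
            if path.startswith(WRITABLE_PREFIXES):
                reasons.append("path under a world-writable directory")
            if re.search(r"[*?\[]", path):
                reasons.append("wildcard in command path")
            if nopasswd and reasons:
                findings.append((lineno, spec["who"], path, reasons))
    return findings

if __name__ == "__main__":
    for lineno, who, path, reasons in audit(SUDOERS):
        print(f"line {lineno}: {who} -> {path}: {'; '.join(reasons)}")
```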
You could do that by rolling your own updating mechanism. It is not really that difficult; if you plan it correctly you don't even need to close the app.
We did so for an internal project, where we use git. Since I guess you can't rely on Git being available on the user's machine, you could check out the server, download a zip file, uncompress it and replace the contents of your app.
AIR doesn't sign or checksum the files it installs, you can safely replace them and re-load the app without problems.
HTH,
J
