Fix auth failure when printing to authenticated CUPS policy #61
Merged
tillkamppeter merged 18 commits into OpenPrinting:master (Mar 23, 2026)
…ket and add cupsFreeOptions and g_free for failure return paths
…ups for better job creation feedback
cupsCreateDestJob() was called with a manually managed http_t* from cupsConnectDest(). This creates a TCP connection to the printer queue where Local peer credential auth is impossible and Kerberos is unavailable, causing a 401 Unauthorized when the CUPS policy requires authentication.

Fix by using CUPS_HTTP_DEFAULT for all CUPS job I/O. This causes the CUPS library to connect to cupsd via the Unix domain socket, where the kernel automatically vouches for the caller's UID via peer credentials (SO_PEERCRED), satisfying the authenticated policy without a password.

Also fix a thread safety bug: cupsStartDestDocument was called on the main thread but cupsWriteRequestData and cupsFinishDestDocument were called on the worker thread using the same http_t*. Since CUPS_HTTP_DEFAULT is per-thread (stored in _cups_globals_t), all three calls must be on the same thread. Move cupsStartDestDocument and cupsCopyDestInfo into the worker thread alongside the data transfer calls.