10.5.7 fails to update PPC machines properly

May 21st, 2009 | Random Observation

One of the things Leopard changed from Tiger was who could add printers. In Leopard only admins could manage printers – a change made apparently because schools were complaining that non-admins were adding printers they weren’t supposed to. But then it turned out that there were just as many cases where this caused a problem. Apple tried to fix this in 10.5.7 – but forgot to apply the fix completely for PPC machines.

First – more background on the change made from Tiger to Leopard:

From John DeTroye’s Tips and Tricks document

–Begin Quote from page 37

Printing

Note that the selection to allow users to modify the printer list applies to only 10.4 and below. This is due to a change in the Leopard printer system preferences to require local admin access to add/remove printers. Funny thing is, this came about because of all the schools screaming at us because the students and teachers kept adding printers all the time. Now those of you who didn’t care about that then are now screaming. So… if you would like your users to be able to add their own printers, you can make a change to a file on the client system. To fix this for now, until we get it fixed in a future update, you need to locate the “/etc/cups/cupsd.conf” file on your admin system and open it with TextWrangler (or use terminal and your favorite editor). Locate the line:

All administration operations require an administrator to authenticate…

Change the following lines to:

<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class
CUPS-Delete-Class CUPS-Set-Default>
   # AuthType Default
   # Require user @SYSTEM
   Require valid-user
   Order deny,allow
</Limit>

So the fix was to modify /private/etc/cups/cupsd.conf to allow anyone to add printers.

also documented here and here among other places

The 10.5.7 update adds a parental control for non-admin users that controls whether or not they can add printers Parental Controls

Apple also provides instructions to allow network users to manage printers

However these changes are enabled though modifications to /etc/authorization that are made not when the update is applied, but at the first boot.

the 10.5.7 installer installs:

/System/Library/LaunchDaemons/com.apple.su.startup.plist

which calls the installed:

/private/etc/com.apple.su.startup/su.startup shell script

which checks for securityd and then runs the tool

/private/etc/com.apple.su.startup/authsysprintadmin_

which, I’m assuming, is what makes the edits on first boot to /etc/authorization

however that tool seems to be intel only…

bash-3.2# /usr/bin/lipo -info /Volumes/OS-Build-09-05-15/etc/com.apple.su.startup/authsysprintadmin

Non-fat file: /Volumes/OS-Build-09-05-15/etc/com.apple.su.startup/authsysprintadmin is architecture: i386

I checked and it is intel only regardless of the architecture of the machine the updater runs on and changes to /etc/authorization are not made on PPC machines.

Not sure how this one get through QA?

The symptom on machines with managed printers is that users are presented with a “Type an administrator’s name and password to allow ManagedClient to make changes.” screen over the loginwindow. While you can move this window around you can’t click to type into it and you can’t click OK or Cancel. The login is stalled. Restarting does not fix.

Removing managed printers from the user or group will allow users to log in – but the only true fix is to copy a version of /etc/authorization from an updated intel machine to the affected PPC machines.

or make these changes:

From /etc/authorization in 10.5:

<key>system.print.admin</key>
<dict>
    <key>class</key>
    <string>rule</string>
    <key>k-of-n</key>
    <integer>1</integer>
    <key>rule</key>
    <array>
        <string>is-lpadmin</string>
        <string>is-admin</string>
        <string>default</string>
    </array>
</dict>

To /etc/authorization in 10.5.7:

<key>system.print.admin</key>
<dict>
    <key>allow-root</key>
    <true/>
    <key>class</key>
    <string>user</string>
    <key>group</key>
    <string>lpadmin</string>
    <key>shared</key>
    <true/>
</dict>

10 comments ↓

#1 Dave on 05.21.09 at 4:58 pm
Good catch! Clearly, this is all part of their ingenious strategy to make us all run out and replace our PPC machines with something newer and shinier…
#2 ruckerz on 05.21.09 at 8:50 pm
Dave, yeah soon they’ll give us something called ‘Snow Leopard’ that doesn’t run on PPCs at all :(
#3 Preston on 05.21.09 at 10:30 pm
This has been filed with Apple as bug #6913177
#4 Jeff on 05.26.09 at 10:43 am
sadly, this is an issue on Intel machines using managed printers, too.
#5 Adam on 06.01.09 at 8:41 am
Yep, making the changes to /etc/authorization works, thanks for this.
#6 Clemens on 06.22.09 at 1:17 pm
Wow! I’m deeply impressed.
#7 steven on 07.24.09 at 4:50 am
Well done – and this applies to machines on which you run WGM to manage local machines (localhost) vs servers too.
#8 Kay on 08.07.09 at 2:17 pm
Wow – Thanks for posting this. I have an Intel MacBook Pro, and just updated from 10.5.6 to 10.5.8. As soon as the update took effect, my CPU temperature soared to 200 F. I discovered the su.startup process running like mad logging errors to system.log – “can’t find command ps/can’t find command sleep” I couldn’t find any information on this su.startup script, until I came across your post. I was so glad to see what the script was for. I killed it and reran it, and it seemed to have made the changes to /etc/authorization just like you posted. Now I’m happy again! Thank you so much.
#9 Preston on 08.07.09 at 2:41 pm
Note that reports are that 10.5.8 fixes this issue
#10 AnneHawkins34 on 08.15.11 at 2:36 pm
The loans are essential for people, which are willing to start their own organization. By the way, it’s comfortable to receive a consolidation loan.

Leave a Comment