We should also be able to remove printers

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/autotest/+/ac4fb6a3cf93586c386eea2b671e83c8392247ed

commit ac4fb6a3cf93586c386eea2b671e83c8392247ed
Author: Sean Kau <skau@chromium.org>
Date: Mon Aug 15 20:15:37 2016

security_AccountsBaseline: Add lpadmin user

lpadmin is used as the service account to perform
administrative actions on CUPS such as adding and
removing a printer.

BUG= chromium:633382 
TEST=`test_that ... security_AccountsBaseline`
CQ-DEPEND=I0f095d7f7566a6b9438e359c3aa54a01b9a37ac8
CQ-DEPEND=Icc38698d07a6f510480a466d9cb6651a47d8aa56

Change-Id: I15eda88deb9cbf517a29ee5e90d393e6c244c86e
Reviewed-on: https://chromium-review.googlesource.com/370617
Commit-Ready: Sean Kau <skau@chromium.org>
Tested-by: Sean Kau <skau@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>

[modify] https://crrev.com/ac4fb6a3cf93586c386eea2b671e83c8392247ed/client/site_tests/security_AccountsBaseline/baseline.group
[modify] https://crrev.com/ac4fb6a3cf93586c386eea2b671e83c8392247ed/client/site_tests/security_AccountsBaseline/baseline.passwd

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chromeos/autotest-lakitu/+/5cd587c8a1f60850e697070553ee3b7ce3d09a70

commit 5cd587c8a1f60850e697070553ee3b7ce3d09a70
Author: Sean Kau <skau@chromium.org>
Date: Thu Aug 18 20:43:35 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/fecedb19a72ee34774aa84f08d45630568030312

commit fecedb19a72ee34774aa84f08d45630568030312
Author: Sean Kau <skau@chromium.org>
Date: Sat Aug 13 01:20:50 2016

net-print/cups: Add lpadmin user

lpadmin is the service account for debugd to add and remove
CUPS printers.

BUG= chromium:633382 
TEST='id lpadmin'
CQ-DEPEND=I15eda88deb9cbf517a29ee5e90d393e6c244c86e

Change-Id: Icc38698d07a6f510480a466d9cb6651a47d8aa56
Reviewed-on: https://chromium-review.googlesource.com/370422
Commit-Ready: Sean Kau <skau@chromium.org>
Tested-by: Sean Kau <skau@chromium.org>
Reviewed-by: Sean Kau <skau@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>

[modify] https://crrev.com/fecedb19a72ee34774aa84f08d45630568030312/net-print/cups/cups-2.1.4.ebuild
[rename] https://crrev.com/fecedb19a72ee34774aa84f08d45630568030312/net-print/cups/cups-2.1.4-r4.ebuild

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/eclass-overlay/+/0b13d22f2c9bf155ef68bb60e90449ab57f272d1

commit 0b13d22f2c9bf155ef68bb60e90449ab57f272d1
Author: Sean Kau <skau@chromium.org>
Date: Fri Aug 12 01:15:54 2016

Create lpadmin service user.

We need a service user to and and remove printers from CUPS
but which can't modify any files.

BUG= chromium:633382 
TEST='id lpadmin' returns values.
CQ-DEPEND=I15eda88deb9cbf517a29ee5e90d393e6c244c86e
CQ-DEPEND=CL:*277562

Change-Id: I0f095d7f7566a6b9438e359c3aa54a01b9a37ac8
Reviewed-on: https://chromium-review.googlesource.com/370677
Commit-Ready: Sean Kau <skau@chromium.org>
Tested-by: Sean Kau <skau@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>

[add] https://crrev.com/0b13d22f2c9bf155ef68bb60e90449ab57f272d1/profiles/base/accounts/user/lpadmin
[modify] https://crrev.com/0b13d22f2c9bf155ef68bb60e90449ab57f272d1/profiles/base/accounts/group/lp
[modify] https://crrev.com/0b13d22f2c9bf155ef68bb60e90449ab57f272d1/profiles/base/accounts/group/lpadmin

Waiting on review of final CL.  Shouldn't take toooooo much longer.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/037b1e663b835ed011abf1f0b5603f1ece4a8586

commit 037b1e663b835ed011abf1f0b5603f1ece4a8586
Author: Sean Kau <skau@chromium.org>
Date: Wed Aug 31 23:09:37 2016

debugd: Add CupsAddPrinter and CupsRemovePrinter methods

lpadmin needs to be invoked in a sandbox to add/remove printers in
CUPS.  Chrome and crosh need to be able to do this.  Use debugd to
invoke lpadmin with some basic checks.  Future work to validate
PPDs before we insert them into CUPS.

BUG= chromium:633382 

TEST=To add a printer, run `dbus-send --system --print-reply
--dest=org.chromium.debugd /org/chromium/debugd
org.chromium.debugd.CupsAddPrinter string:'lex'
string:'ipps://192.168.1.4/ipp/print' string:'' boolean:true`.  To
remove a printer run `dbus-send --system --print-reply
--dest=org.chromium.debugd /org/chromium/debugd
org.chromium.debugd.CupsRemovePrinter string:'lex'`.  `lpstat -v` can be
used to confirm the existence and removal of the printer 'lex'.
CQ-DEPEND=I0f095d7f7566a6b9438e359c3aa54a01b9a37ac8

Change-Id: I62812ce05c7e9c5bfe364046a8a552c3c47ce892
Reviewed-on: https://chromium-review.googlesource.com/366392
Commit-Ready: Sean Kau <skau@chromium.org>
Tested-by: Sean Kau <skau@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/037b1e663b835ed011abf1f0b5603f1ece4a8586/debugd/src/cups_tool.cc
[modify] https://crrev.com/037b1e663b835ed011abf1f0b5603f1ece4a8586/debugd/src/cups_tool.h
[modify] https://crrev.com/037b1e663b835ed011abf1f0b5603f1ece4a8586/debugd/src/debug_daemon.h
[modify] https://crrev.com/037b1e663b835ed011abf1f0b5603f1ece4a8586/debugd/dbus_bindings/org.chromium.debugd.xml
[modify] https://crrev.com/037b1e663b835ed011abf1f0b5603f1ece4a8586/debugd/src/debug_daemon.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/037b1e663b835ed011abf1f0b5603f1ece4a8586

commit 037b1e663b835ed011abf1f0b5603f1ece4a8586
Author: Sean Kau <skau@chromium.org>
Date: Wed Aug 31 23:09:37 2016

debugd: Add CupsAddPrinter and CupsRemovePrinter methods

lpadmin needs to be invoked in a sandbox to add/remove printers in
CUPS.  Chrome and crosh need to be able to do this.  Use debugd to
invoke lpadmin with some basic checks.  Future work to validate
PPDs before we insert them into CUPS.

BUG= chromium:633382 

TEST=To add a printer, run `dbus-send --system --print-reply
--dest=org.chromium.debugd /org/chromium/debugd
org.chromium.debugd.CupsAddPrinter string:'lex'
string:'ipps://192.168.1.4/ipp/print' string:'' boolean:true`.  To
remove a printer run `dbus-send --system --print-reply
--dest=org.chromium.debugd /org/chromium/debugd
org.chromium.debugd.CupsRemovePrinter string:'lex'`.  `lpstat -v` can be
used to confirm the existence and removal of the printer 'lex'.
CQ-DEPEND=I0f095d7f7566a6b9438e359c3aa54a01b9a37ac8

Change-Id: I62812ce05c7e9c5bfe364046a8a552c3c47ce892
Reviewed-on: https://chromium-review.googlesource.com/366392
Commit-Ready: Sean Kau <skau@chromium.org>
Tested-by: Sean Kau <skau@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/037b1e663b835ed011abf1f0b5603f1ece4a8586/debugd/src/cups_tool.cc
[modify] https://crrev.com/037b1e663b835ed011abf1f0b5603f1ece4a8586/debugd/src/cups_tool.h
[modify] https://crrev.com/037b1e663b835ed011abf1f0b5603f1ece4a8586/debugd/src/debug_daemon.h
[modify] https://crrev.com/037b1e663b835ed011abf1f0b5603f1ece4a8586/debugd/dbus_bindings/org.chromium.debugd.xml
[modify] https://crrev.com/037b1e663b835ed011abf1f0b5603f1ece4a8586/debugd/src/debug_daemon.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/eclass-overlay/+/cb7f07bba05036718ee4808f00d36ae0ae96dabf

commit cb7f07bba05036718ee4808f00d36ae0ae96dabf
Author: Sean Kau <skau@chromium.org>
Date: Sun Aug 21 05:14:07 2016

Drop chronos from group lpadmin

We've decided to run printer add/remove over dbus using debugd.
Thus, chronos will no longer need to run as lpadmin.  chronos is
in lp so it can still print and cancel jobs that it started.

BUG= chromium:633382 
TEST=`test_that ... security_AccountsBaseline`
CQ-DEPEND=Iadd0c23ea1949d05c4a2f999883fbe81a4170eb1

Change-Id: I68824c77da1203843d21212f5487df82997b210a
Reviewed-on: https://chromium-review.googlesource.com/370678
Commit-Ready: Sean Kau <skau@chromium.org>
Tested-by: Sean Kau <skau@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>

[modify] https://crrev.com/cb7f07bba05036718ee4808f00d36ae0ae96dabf/profiles/base/accounts/group/lpadmin

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/autotest/+/cb41966e7f274c464303fa9f1b1d854cbf01ec6e

commit cb41966e7f274c464303fa9f1b1d854cbf01ec6e
Author: Sean Kau <skau@chromium.org>
Date: Mon Aug 15 20:15:37 2016

security_AccountsBaseline: Remove chronos from lpadmin

The chronos user should not be administering printers.
Requests to administer printers should be run by
debugd under the user lpadmin.

BUG= chromium:633382 
TEST=`test_that ... security_AccountsBaseline`
CQ-DEPEND=I68824c77da1203843d21212f5487df82997b210a

Change-Id: Iadd0c23ea1949d05c4a2f999883fbe81a4170eb1
Reviewed-on: https://chromium-review.googlesource.com/370660
Commit-Ready: Sean Kau <skau@chromium.org>
Tested-by: Sean Kau <skau@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>

[modify] https://crrev.com/cb41966e7f274c464303fa9f1b1d854cbf01ec6e/client/site_tests/security_AccountsBaseline/baseline.group
[modify] https://crrev.com/cb41966e7f274c464303fa9f1b1d854cbf01ec6e/client/site_tests/security_AccountsBaseline/baseline.passwd