Bug 1195289 - cups from Printing repo has no write access to /etc/cups, rendering it mostly inoperational
Status: RESOLVED DUPLICATE of bug 1195288
Classification: openSUSE
Product: openSUSE Distribution
Component: Printing
Leap 15.3
Priority: P5 - None, Severity: Normal
Assigned To: Johannes Meixner
https://build.opensuse.org/request/sh...
Blocks: 1181400
Reported: 2022-01-28 18:07 UTC by Georg Jansing
Modified: 2022-02-01 07:57 UTC (History)
Found By: Community User
Description Georg Jansing 2022-01-28 18:07:02 UTC
I hope this is the correct place to report this. It does not concern the cups version in the distribution itself. I switched to the printing repository because of another bug in the distribution.

Since sometime in late 2021, printing via cups started to fail. Printers are discovered with cups-browsed and are provided with two dedicated cups servers, one on each of two sites.

Discovery and printer administration failed with error messages like "....: read only filesystem". I am not sure if printing itself worked, since I could not add printers manually.

I only got to investigate this further lately. It seems for security reasons described in https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort, a number of security flags were added to cups' systemd .service file, including "ProtectSystem=full", which makes all of /etc read-only for the cups daemon. To add printers, and I think autodiscovery does this as well, cups/cups-browsed write files to /etc/cups/ppd and modify /etc/cups/printers.conf. Those operations are prohibited with the above "ProtectSystem=full".

I solved this by adding ReadWritePaths=/etc/cups to both units. This might not be the "Minimal write access" solution. Maybe it would be enough to allow writing only for some of the content of /etc/cups (like printers.conf and ppd). Also I am not completely sure if cups-browsed needs the access itself or uses lpadmin internally.
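
The interaction described in the report above, as an added example that is not part of the original report and is not openSUSE or CUPS code: a small Python checker that models how `ProtectSystem=` and `ReadWritePaths=` decide whether a path stays writable for a service. It models only these two directives as documented in systemd.exec(5); the unit fragments and the PPD file name are constructed for illustration.

```python
import posixpath

# Trees made read-only by each ProtectSystem= value (systemd.exec(5)).
# "strict" covers the whole hierarchy except /dev, /proc and /sys.
RO_TREES = {
    "yes": ["/usr", "/boot", "/efi"], "true": ["/usr", "/boot", "/efi"],
    "full": ["/usr", "/boot", "/efi", "/etc"],
    "strict": ["/"],
}
STRICT_EXEMPT = ["/dev", "/proc", "/sys"]

def _under(path, tree):
    return tree == "/" or path == tree or path.startswith(tree + "/")

def parse_unit(text):
    """Return (ProtectSystem value, ReadWritePaths list) from unit text."""
    protect, rw = "no", []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "ProtectSystem":
            protect = value.lower()
        elif key == "ReadWritePaths":
            if not value:              # an empty assignment resets the list
                rw = []
            # drop the optional "-" / "+" path prefixes before comparing
            rw += [posixpath.normpath(p.lstrip("-+")) for p in value.split()]
    return protect, rw

def is_writable(unit_text, path):
    """True if the mount namespace leaves `path` writable (file modes ignored)."""
    protect, rw = parse_unit(unit_text)
    path = posixpath.normpath(path)
    if any(_under(path, p) for p in rw):
        return True                    # explicitly re-opened subtree
    if protect == "strict" and any(_under(path, e) for e in STRICT_EXEMPT):
        return True
    # Unknown or disabled values fall through as "no protection".
    return not any(_under(path, t) for t in RO_TREES.get(protect, []))

# Constructed unit fragments, not the shipped cups.service.
HARDENED = "[Service]\nProtectSystem=full\n"
WITH_OVERRIDE = HARDENED + "ReadWritePaths=/etc/cups\n"
CUPS_FILES = ["/etc/cups/printers.conf", "/etc/cups/ppd/office.ppd"]

def report(unit_text):
    return {p: is_writable(unit_text, p) for p in CUPS_FILES}
```

`report(HARDENED)` shows both CUPS files as read-only, while `report(WITH_OVERRIDE)` shows them writable with the rest of /etc still protected.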
Comment 2 Johannes Meixner 2022-01-31 07:37:43 UTC
Johannes Segitz,
could you please have a look here.

I have only very basic systemd knowledge
so I cannot imagine what the initial changes
and the proposed changes here in comment#0
mean in practice.
Comment 3 Johannes Meixner 2022-01-31 08:00:58 UTC
I would like to continue this issue only
in the matching Tumbleweed bug #1195288

*** This bug has been marked as a duplicate of bug 1195288 ***