Bugzilla – Bug 1195289
cups from Printing repo has no write access to /etc/cups, rendering it mostly inoperational
Last modified: 2022-02-01 07:57:31 UTC
I hope this is the correct place to report this. It does not concern the cups version in the distribution itself. I switched to the printing repository because of another bug in the distribution.
Since sometime in late 2021, printing via cups started to fail. Printers are discovered with cups-browsed and are provided with two dedicated cups servers, one on each of two sites.
Discovery and printer administration failed with error messages like "....: read only filesystem". I am not sure if printing itself worked, since I could not add printers manually.
I only got to investigate this further lately. It seems for security reasons described in https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort, a number of security flags were added to cups' systemd .service file, including "ProtectSystem=full", which makes all of /etc read-only for the cups daemon. To add printers (and I think autodiscovery does this as well), cups/cups-browsed write files to /etc/cups/ppd and modify /etc/cups/printers.conf. Those operations are prohibited with the above "ProtectSystem=full".
I solved this by adding ReadWritePaths=/etc/cups to both units. This might not be the "Minimal write access" solution. Maybe it would be enough to allow writing only for some of the content of /etc/cups (like printers.conf and ppd). Also I am not completely sure if cups-browsed needs the access itself or uses lpadmin internally.
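The interaction described in the report above, as an added example that is not part of the original report or of the openSUSE packages: a small checker that reads unit-file text and lists which paths a service needs but cannot write under `ProtectSystem=` and `ReadWritePaths=`. The unit text, the drop-in and the function names are constructed for illustration, and only these two directives are modelled.

```python
import posixpath

# Paths each ProtectSystem= level mounts read-only (per systemd.exec(5)).
BASE = ["/usr", "/boot", "/efi"]
READ_ONLY = {"full": BASE + ["/etc"], "strict": ["/"]}
READ_ONLY.update({v: BASE for v in ("yes", "true", "1", "on")})
STRICT_EXEMPT = ["/dev", "/proc", "/sys"]  # API file systems stay writable

def under(path, root):
    """True if path is root itself or lies below it."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return root == "/" or path == root or path.startswith(root + "/")

def parse_service(text):
    """Return (ProtectSystem level, ReadWritePaths list) from unit text."""
    level, rw, in_service = "no", [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_service = line == "[Service]"
        elif in_service and "=" in line and line[0] not in "#;":
            key, val = (s.strip() for s in line.split("=", 1))
            if key == "ProtectSystem":
                level = val.lower()
            elif key == "ReadWritePaths":
                # Entries accumulate; an empty assignment resets the list.
                rw = rw + [p.lstrip("-+") for p in val.split()] if val else []
    return level, rw

def blocked_writes(unit_text, needed):
    """Paths in `needed` that the service cannot write to."""
    level, rw = parse_service(unit_text)
    exempt = rw + (STRICT_EXEMPT if level == "strict" else [])
    return [p for p in needed
            if any(under(p, r) for r in READ_ONLY.get(level, []))
            and not any(under(p, e) for e in exempt)]

# Constructed sample, not the actual openSUSE unit or patch.
HARDENED = "[Unit]\nDescription=CUPS Scheduler\n[Service]\nProtectSystem=full\n"
DROP_IN = "[Service]\nReadWritePaths=/etc/cups\n"
NEEDED = ["/etc/cups/ppd", "/etc/cups/printers.conf"]  # paths named in the report

if __name__ == "__main__":
    print("hardened only:", blocked_writes(HARDENED, NEEDED))
    print("with drop-in: ", blocked_writes(HARDENED + DROP_IN, NEEDED))
```

Passing a narrower `ReadWritePaths=` value to `blocked_writes` shows which of the needed paths a tighter allow-list would still leave read-only.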
The matching OBS requests are
with its harden_cups.service.patch
and for cups-filters
with its harden_cups-browsed.service.patch
could you please have a look here.
I have only very basic systemd knowledge so I cannot imagine what the initial changes and the proposed changes here in comment#0 mean in practice.
I would like to continue this issue only in the matching Tumbleweed bug #1195288
*** This bug has been marked as a duplicate of bug 1195288 ***