Bugzilla – Full Text Bug Listing

| Summary: | CUPS complains about "Read-only file system" although it is writable | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Axel Schwarzer <SchwarzerA> |
| Component: | Printing | Assignee: | Johannes Meixner <jsmeix> |
| Status: | RESOLVED FIXED | QA Contact: | Johannes Meixner <jsmeix> |
| Severity: | Major | | |
| Priority: | P3 - Medium | CC: | dimstar, georg.jansing, jsegitz, wolfgang |
| Version: | Current | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | openSUSE Tumbleweed | | |
| URL: | https://bugzilla.suse.com/show_bug.cgi?id=1195289 | | |
| Whiteboard: | | | |
| Found By: | Community User | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 1181400 | | |
Description
Axel Schwarzer
2022-01-28 17:48:32 UTC
cups-browsed.service seems to have the same issue.

The matching OBS requests are

for CUPS
https://build.opensuse.org/request/show/925363
with its harden_cups.service.patch
https://build.opensuse.org/package/view_file/Printing/cups/harden_cups.service.patch?expand=1

and for cups-filters
https://build.opensuse.org/request/show/925364
with its harden_cups-browsed.service.patch
https://build.opensuse.org/package/view_file/Printing/cups-filters/harden_cups-browsed.service.patch?expand=1

Johannes Segitz, could you please have a look here. I have only very basic systemd knowledge so I cannot imagine what the initial changes and the proposed changes here in comment#0 mean in practice.

*** Bug 1193216 has been marked as a duplicate of this bug. ***

*** Bug 1195289 has been marked as a duplicate of this bug. ***

https://bugzilla.suse.com/show_bug.cgi?id=1195289#c1 proposes "adding ReadWritePaths=/etc/cups to both units"

Sorry for the breakage. Didn't expect cups to write to /etc. The solution outlined in https://bugzilla.suse.com/show_bug.cgi?id=1195289#c1 is the correct one. Would you like me to submit or will you add it yourself?

Johannes Segitz, thank you for the info! This is what I need - i.e. what "the right setting" is for systemd. I will fix CUPS and cups-filters myself.

FYI what cupsd basically does:

All print queue setup things happen via the cupsd. A client (e.g. the local lpadmin command) only talks to the cupsd and the cupsd does the actual setup, cf. "How to set up a print queue in full compliance with CUPS" in https://en.opensuse.org/SDB:CUPS_in_a_Nutshell

For printer autodetection a client calls "lpinfo" which talks to the cupsd and the cupsd runs each so called backend, cf. https://en.opensuse.org/SDB:CUPS_in_a_Nutshell#The_Backends in /usr/lib/cups/backend as child processes to let each backend autodetect its printers. Some backends run as root to be able to access device nodes to access the actual printer devices.
Some backends are wrappers that call other backends. CUPS backends are arbitrary programs that implement whatever is needed to send printing data to a printer and alternatively to autodetect printer devices.

All print job processing is done via the cupsd. A local or remote client submits a print job to the cupsd. The cupsd stores print job data in /var/spool/cups. To get a print job output on a printer device the cupsd runs several so called filters as child processes. Those filters are arbitrary programs (normally run as 'lp') that implement whatever is needed to produce printing data for a specific printer from the original print job data. Often filters call other programs as child processes (e.g. several filters call Ghostscript).

If those systemd sandboxing restrictions do not only apply to the cupsd itself but when also child processes inherit them then it becomes likely highly problematic to keep the current functionality what current CUPS backends and filters need to do to make printing work in all currently implemented cases (which are more than I can remember).

Added ReadWritePaths=/etc/cups to cups.service for cups in OBS Printing and forwarded it to openSUSE:Factory

```
------------------------------------------------------------------
# osc request accept -m \
 'Added ReadWritePaths=/etc/cups to cups.service (boo#1195288)' \
 950380
Result of change request state: ok
openSUSE:Factory
Forward this submit to it? ([y]/n)y
Added ReadWritePaths=/etc/cups to cups.service (boo#1195288) (forwarded request 950380 from jsmeix)
New request # 950381
------------------------------------------------------------------
```

I added print queues via command line ('lpadmin'), via the YaST printer module and via the CUPS web interface ('localhost:631') which worked for me and I printed as normal user to those three queues via command line ('echo Hello | lp -d <queue_name>') which also worked for me. I cannot test printing via network on my homeoffice laptop.

As an example of a special use case: I guess "ProtectHome=true" conflicts with what cups-pdf could do if configured (not by default), cf. "PDF output location" in https://en.opensuse.org/SDB:Printing_to_PDF when cupsd also child processes inherit cupsd restrictions (here the cups-pdf backend).

This is an autogenerated message for OBS integration: This bug (1195288) was mentioned in https://build.opensuse.org/request/show/950381 Factory / cups

Now I understand why there are not tons of such bug reports: https://build.opensuse.org/request/show/950381 shows that the initial hardening of cupsd.service via harden_cups.service.patch had somehow never made it into openSUSE:Factory - as far as I understand it.

So the Product "openSUSE Tumbleweed" seems plain wrong in this bug report here and actually it happened only to those users who use CUPS from the OBS Printing development project - so bug #1195289 is the actually right description with the actually right fix. See also https://bugzilla.suse.com/show_bug.cgi?id=1193216#c3

Now let's wait and see how hell breaks loose when that hardening of cupsd.service appears in Tumbleweed ;-)

Because cups-filters in Tumbleweed has already the hardening of cups-browsed.service since about Oct 2021 and I got no bugs about cups-browsed because of this I leave the hardening of cups-browsed.service as is.

(In reply to Johannes Meixner from comment #13)
> Because cups-filters in Tumbleweed has already the hardening
> of cups-browsed.service since about Oct 2021
> and I got no bugs about cups-browsed because of this
> I leave the hardening of cups-browsed.service as is.

https://bugzilla.opensuse.org/show_bug.cgi?id=1193134

That had been reverted twice in Factory already

```
r161 | dimstar_suse | 2022-01-02 10:54:36 | c26f8459d144d35ccbc99b238233d4c7 | 2.3.3op2 | boo#1193134
----------------------------------------------------------------------------
r160 | dimstar_suse | 2021-12-31 12:44:18 | b22f316054d9ca9c71f6e799862995c4 | 2.3.3op2 | rq943130 Automatic submission by obs-autosubmit
----------------------------------------------------------------------------
r159 | dimstar_suse | 2021-11-27 23:37:25 | afdb86c476ff86443f30923f09d1f266 | 2.3.3op2 | boo#1193134
----------------------------------------------------------------------------
r158 | dimstar_suse | 2021-11-26 23:50:44 | b22f316054d9ca9c71f6e799862995c4 | 2.3.3op2 | rq933432 Automatic submission by obs-autosubmit
```

Dominique Leuenberger
https://build.opensuse.org/request/show/933432 and https://build.opensuse.org/request/show/943130 are both about CUPS. CUPS and cups-filters are totally separated source Packages from different upstream projects. As far as I can imagine what https://bugzilla.opensuse.org/show_bug.cgi?id=1193134 shows that has nothing to do with cups-browsed.

Fix just landed my updates, removed my workaround and printing still works (tested with CUPS-PDF via VPN). :) So fixed for me. Since this bug is not mine, I don't close it. Thanks everyone!

This one is fixed since (excerpt from cups.changes):

```
--------------------------------------------------------
Tue Feb 1 09:18:27 UTC 2022 - jsmeix@suse.de
- Enhanced harden_cups.service.patch by adding ReadWritePaths=/etc/cups because cupsd needs write access in /etc/cups (boo#1195288)
--------------------------------------------------------
```

*** Bug 1193134 has been marked as a duplicate of this bug. ***
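
The sandboxing effect discussed in this thread, as an added example that is not part of the bug report or of the openSUSE patches: a small checker that reads a unit's [Service] directives and reports how a path appears inside the sandbox. The unit fragments are constructed, and ProtectSystem=full is an assumption (the thread names only ProtectHome=true and the ReadWritePaths=/etc/cups fix); only the ProtectSystem=, ProtectHome= (true/yes/read-only) and ReadWritePaths= directives are modelled.

```python
from pathlib import PurePosixPath

# Trees made read-only by each ProtectSystem= value, per systemd.exec(5).
PROTECT_SYSTEM = {"true": ["/usr", "/boot", "/efi"], "yes": ["/usr", "/boot", "/efi"],
                  "full": ["/usr", "/boot", "/efi", "/etc"], "strict": ["/"]}
HOME_TREES = ["/home", "/root", "/run/user"]   # covered by ProtectHome=
API_TREES = ["/dev", "/proc", "/sys"]          # exempt from ProtectSystem=strict

def depth_of_match(path, trees):
    """Depth of the deepest tree containing path, or 0 if none does."""
    p = PurePosixPath(path)
    hits = [len(t.parts) for t in map(PurePosixPath, trees) if t == p or t in p.parents]
    return max(hits, default=0)

def parse_service(unit_text):
    """Collect [Service] directives; an empty assignment resets the list."""
    opts, section = {}, None
    for line in map(str.strip, unit_text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line
        elif section == "[Service]" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            opts[key] = opts.get(key, []) + val.split() if val else []
    return opts

def access(unit_text, path):
    """Return 'inaccessible', 'read-only' or 'read-write' for path in the sandbox."""
    opts = parse_service(unit_text)
    last = lambda key: (opts.get(key) or ["no"])[-1]
    if last("ProtectHome") in ("true", "yes") and depth_of_match(path, HOME_TREES):
        return "inaccessible"   # an inaccessible tree hides everything below it
    ro = list(PROTECT_SYSTEM.get(last("ProtectSystem"), []))
    if last("ProtectHome") == "read-only":
        ro += HOME_TREES
    rw = [p.lstrip("-+") for p in opts.get("ReadWritePaths", [])]
    if last("ProtectSystem") == "strict":
        rw += API_TREES
    # The more specific (deeper) of the read-only and read-write matches wins.
    return "read-only" if depth_of_match(path, ro) > depth_of_match(path, rw) else "read-write"

# Constructed unit fragments; ProtectSystem=full is assumed, not quoted from the patch.
HARDENED = "[Service]\nProtectSystem=full\nProtectHome=true\n"
FIXED = HARDENED + "ReadWritePaths=/etc/cups\n"

if __name__ == "__main__":
    for p in ("/etc/cups/printers.conf", "/var/spool/cups", "/home/alice/PDF"):
        print(p, access(HARDENED, p), "->", access(FIXED, p))
```

Because systemd applies these directives to the unit's whole process tree, the same answers hold for the backends and filters that cupsd starts as child processes.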