Bug 1195289

Summary: cups from Printing repo has no write access to /etc/cups, rendering it mostly inoperational
Product: [openSUSE] openSUSE Distribution
Reporter: Georg Jansing <georg.jansing>
Component: Printing
Assignee: Johannes Meixner <jsmeix>
Status: RESOLVED DUPLICATE
QA Contact: Johannes Meixner <jsmeix>
Severity: Normal
Priority: P5 - None
CC: jsegitz
Version: Leap 15.3
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://build.opensuse.org/request/show/925363
Whiteboard:
Found By: Community User
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1181400

Description Georg Jansing 2022-01-28 18:07:02 UTC
I hope this is the correct place to report this. It does not concern the cups version in the distribution itself. I switched to the printing repository because of another bug in the distribution.

Since sometime in late 2021, printing via cups started to fail. Printers are discovered with cups-browsed and are provided with two dedicated cups servers, one on each of two sites.

Discovery and printer administration failed with error messages like "....: read only filesystem". I am not sure if printing itself worked, since I could not add printers manually.

I only got to investigate this further lately. It seems that, for security reasons described in https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort, a number of security flags were added to cups' systemd .service file, including "ProtectSystem=full", which makes all of /etc read-only for the cups daemon. To add printers (and I think autodiscovery does this as well), cups/cups-browsed write files to /etc/cups/ppd and modify /etc/cups/printers.conf. Those operations are prohibited with the above "ProtectSystem=full".

I solved this by adding ReadWritePaths=/etc/cups to both units. This might not be the "Minimal write access" solution. Maybe it would be enough to allow writing only for some of the content of /etc/cups (like printers.conf and ppd). Also, I am not completely sure if cups-browsed needs the access itself or uses lpadmin internally.
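
The interaction described in the report above, as an added example that is not part of the bug report or of the cups package: a shell check that reads ProtectSystem= and ReadWritePaths= from a unit file plus drop-ins and tells whether a given path stays writable for the service. The helper names `path_writable` and `write_sample_units`, the file names and the sample unit contents are constructed for illustration, and only these two directives are modelled.

```shell
#!/bin/sh
# Added example: model how ProtectSystem= and ReadWritePaths= combine.
# ReadOnlyPaths=, ProtectHome= and other sandboxing directives are ignored.

# path_writable PATH FILE...  -> exit 0 if PATH stays writable, 1 if read-only.
# FILEs are read in order (unit first, then drop-ins); later settings win.
path_writable() {
    target=$1; shift
    awk -v target="$target" '
        function under(p, dir) { return p == dir || index(p, dir "/") == 1 }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^ProtectSystem[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); protect = $0 }
        /^ReadWritePaths[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            if ($0 == "") { n = 0; next }      # empty assignment resets the list
            k = split($0, part, /[ \t]+/)
            for (i = 1; i <= k; i++) {
                sub(/^[-+]+/, "", part[i])     # drop the optional "-" / "+" prefixes
                sub(/\/+$/, "", part[i])       # normalise a trailing slash
                rw[++n] = part[i]
            }
        }
        END {
            ro = 0
            if (protect == "strict")           # everything except the API file systems
                ro = !(under(target, "/dev") || under(target, "/proc") || under(target, "/sys"))
            else if (protect == "full")        # /usr, boot loader dirs and /etc
                ro = under(target, "/usr") || under(target, "/boot") || under(target, "/efi") || under(target, "/etc")
            else if (protect ~ /^(1|yes|true|on)$/)
                ro = under(target, "/usr") || under(target, "/boot") || under(target, "/efi")
            for (i = 1; i <= n; i++) if (under(target, rw[i])) ro = 0
            exit ro
        }' "$@"
}

# write_sample_units DIR: constructed stand-ins for the packaged unit and a drop-in.
write_sample_units() {
    printf '[Service]\nProtectSystem=full\n' > "$1/cups.service"
    printf '[Service]\nReadWritePaths=/etc/cups\n' > "$1/override.conf"
}

d=$(mktemp -d)
write_sample_units "$d"
for p in /etc/cups/printers.conf /etc/cups/ppd /etc/passwd; do
    path_writable "$p" "$d/cups.service" && a=writable || a=read-only
    path_writable "$p" "$d/cups.service" "$d/override.conf" && b=writable || b=read-only
    echo "$p: unit only=$a, with drop-in=$b"
done
rm -rf "$d"
```

On a live system, `systemctl show -p ProtectSystem -p ReadWritePaths cups.service` reports the effective values after all drop-ins are merged.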
Comment 2 Johannes Meixner 2022-01-31 07:37:43 UTC
Johannes Segitz,
could you please have a look here.

I have only very basic systemd knowledge
so I cannot imagine what the initial changes
and the proposed changes here in comment#0
mean in practice.
Comment 3 Johannes Meixner 2022-01-31 08:00:58 UTC
I would like to continue this issue only
in the matching Tumbleweed bug #1195288

*** This bug has been marked as a duplicate of bug 1195288 ***