Bugzilla – Bug 1195289
cups from Printing repo has no write access to /etc/cups, rendering it mostly inoperative
Last modified: 2022-02-01 07:57:31 UTC
I hope this is the correct place to report this. It does not concern the cups version in the distribution itself. I switched to the printing repository because of another bug in the distribution. Since sometime in late 2021, printing via cups started to fail. Printers are discovered with cups-browsed and are provided with two dedicated cups servers, one on each of two sites. Discovery and printer administration failed with error messages like "....: read only filesystem". I am not sure if printing itself worked, since I could not add printers manually. I only got to investigate this further lately. It seems that for security reasons described in https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort, a number of security flags were added to cups' systemd .service file, including "ProtectSystem=full", which makes all of /etc read-only for the cups daemon. To add printers (and I think autodiscovery does this as well), cups/cups-browsed write files to /etc/cups/ppd and modify /etc/cups/printers.conf. Those operations are prohibited with the above "ProtectSystem=full". I solved this by adding ReadWritePaths=/etc/cups to both units. This might not be the "Minimal write access" solution. Maybe it would be enough to allow writing only for some of the content of /etc/cups (like printers.conf and ppd). Also I am not completely sure if cups-browsed needs the access itself or uses lpadmin internally.
The matching OBS requests are for CUPS https://build.opensuse.org/request/show/925363 with its harden_cups.service.patch https://build.opensuse.org/package/view_file/Printing/cups/harden_cups.service.patch?expand=1 and for cups-filters https://build.opensuse.org/request/show/925364 with its harden_cups-browsed.service.patch https://build.opensuse.org/package/view_file/Printing/cups-filters/harden_cups-browsed.service.patch?expand=1
Johannes Segitz, could you please have a look here. I have only very basic systemd knowledge so I cannot imagine what the initial changes and the proposed changes here in comment#0 mean in practice.
I would like to continue this issue only in the matching Tumbleweed bug #1195288

*** This bug has been marked as a duplicate of bug 1195288 ***