Bugzilla – Bug 860481
Printer sharing stopped working after installing security fix for bnc#857372
Last modified: 2014-01-28 16:09:49 UTC
The fix for bnc 857372 broke printer announcements on my box. I ran strace on the cupsd process and got:

baltazar:~ # strace -p 3739
Process 3739 attached
epoll_wait(8, {}, 4096, 21000) = 0
sendto(7, "829056 5 ipp://192.168.84.69:631"..., 233, 0, {sa_family=AF_INET, sin_port=htons(631), sin_addr=inet_addr("192.168.84.255")}, 16) = -1 ENETUNREACH (Network is unreachable)
epoll_wait(8,

Then I did the following:

1. I copied /usr/lib/systemd/system/cups.socket to /etc/systemd/system/cups.socket
2. I reverted cups-0002-systemd-listen-only-on-localhost-for-socket-activation.patch on this copy
3. I restarted cups and cups.socket
4. Printer announcement works again.

This is the output from strace after the change:

baltazar:~ # strace -p 3810
Process 3810 attached
epoll_wait(3, {}, 4096, 16000) = 0
sendto(10, "829056 5 ipp://192.168.84.69:631"..., 233, 0, {sa_family=AF_INET, sin_port=htons(631), sin_addr=inet_addr("192.168.84.255")}, 16) = 233
epoll_wait(3, {{EPOLLIN, {u32=3217210880, u64=140693460925952}}}, 4096, 31000) = 1
recvfrom(10, "829056 5 ipp://192.168.84.69:631"..., 1540, 0, {sa_family=AF_INET, sin_port=htons(631), sin_addr=inet_addr("192.168.84.69")}, [16]) = 233
epoll_wait(3,

Alternatively, I was also able to get this to work by stopping the cups.socket systemd service completely. This has the added benefit of stopping these messages in /var/log/cups/error_log:

E [25/Jan/2014:14:43:36 +0100] Unable to bind socket for address 0.0.0.0:631 - Address already in use.
E [25/Jan/2014:14:43:36 +0100] Unable to bind socket for address [v1.::]:631 - Address already in use.

So, it seems somehow related to bnc 857778, but I'm not sure because that one was reported before the last cups maintenance update was released.

Honestly, I don't fully understand the handling of cups sockets under systemd, but breaking existing features sounds wrong to me. You may say it's a configuration issue, but please consider the following questions:

1. How does the configuration of cups.socket correspond to the web interface, particularly the http://localhost:631/admin/ option "[ ] Share printers connected to this system"?
2. If you suggest that cups.socket is not needed on a typical system, then why is it enabled by default?
I fixed it by changing /usr/lib/systemd/system/cups.socket from

[Unit]
Description=CUPS Printing Service Sockets

[Socket]
ListenStream=/var/run/cups/cups.sock
ListenStream=127.0.0.1:631
ListenStream=[::1]:631
ListenDatagram=127.0.0.1:631
ListenDatagram=[::1]:631
BindIPv6Only=ipv6-only

[Install]
WantedBy=sockets.target

to:

[Unit]
Description=CUPS Printing Service Sockets

[Socket]
ListenStream=/var/run/cups/cups.sock
ListenStream=127.0.0.1:631
ListenDatagram=127.0.0.1:631
BindIPv6Only=ipv6-only

[Install]
WantedBy=sockets.target

Those two lines were added after updating cups from 1.5.4-12.1.3 to 1.5.4-12.4.1.
I was also able to get it working with the following configuration:

[Unit]
Description=CUPS Printing Service Sockets

[Socket]
ListenStream=/var/run/cups/cups.sock
BindIPv6Only=ipv6-only

[Install]
WantedBy=sockets.target

Given that cups creates the TCP and UDP sockets on startup, I'm unsure how things are supposed to work if they are created by systemd instead.
Hi Christoph,

first of all, I have experienced the same issue you observed. I tried your fix and changed /usr/lib/systemd/system/cups.socket according to your proposal (1:1). Unfortunately, this was not successful. The printer is not shared in the network.

Hope we get a regular fix soon.

Best regards
Sebastian

(In reply to comment #1)
> I fixed it by changing /usr/lib/systemd/system/cups.socket from
>
> [Unit]
> Description=CUPS Printing Service Sockets
>
> [Socket]
> ListenStream=/var/run/cups/cups.sock
> ListenStream=127.0.0.1:631
> ListenStream=[::1]:631
> ListenDatagram=127.0.0.1:631
> ListenDatagram=[::1]:631
> BindIPv6Only=ipv6-only
>
> [Install]
> WantedBy=sockets.target
>
> to:
>
> [Unit]
> Description=CUPS Printing Service Sockets
>
> [Socket]
> ListenStream=/var/run/cups/cups.sock
> ListenStream=127.0.0.1:631
> ListenDatagram=127.0.0.1:631
> BindIPv6Only=ipv6-only
>
> [Install]
> WantedBy=sockets.target
>
> Those two lines were added after updating cups from 1.5.4-12.1.3 to
> 1.5.4-12.4.1
cups-0002-systemd-listen-only-on-localhost-for-socket-activation.patch is the "right" security fix for bnc#857372 according to what was discussed there, see in particular https://bugzilla.novell.com/show_bug.cgi?id=857372#c18

I think it is the intended purpose that with this fix it must no longer "just work" without explicit settings by the admin to make the cupsd accessible via the outer network, because otherwise it would be insecure.

I think the security people together with the systemd people should try to find a secure and usable way in which normal users can use the cupsd, see also bnc#860331

I think the current situation is a dilemma between security and "make it all just work out of the box" that I cannot solve, see https://bugzilla.novell.com/show_bug.cgi?id=857372#c19

According to https://bugzilla.novell.com/show_bug.cgi?id=860331#c1 I also change the bugzilla component to "Security" here.
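An added example, not code from this bug thread, from openSUSE or from the CUPS project, showing the two checks an administrator would want here: which Listen directives in a systemd .socket unit are reachable from beyond loopback (the localhost-only unit quoted in comment 1 should yield none), and why cupsd logs "Address already in use" when it tries to bind 0.0.0.0:631 while systemd already holds 127.0.0.1:631. The unit text WILDCARD_UNIT with a bare "ListenStream=631" is constructed for the demonstration and is not the pre-patch openSUSE unit; the function names are my own.

```python
"""Audit a systemd .socket unit for non-loopback listeners and reproduce
the bind conflict from the bug's error_log.  Added example; the unit
texts and function names are assumptions, not the distribution's code."""
import errno
import ipaddress
import re
import socket

# Directives that carry a bind address; "/" or "@" prefixed values are UNIX sockets.
LISTEN_RE = re.compile(
    r"^(ListenStream|ListenDatagram|ListenSequentialPacket)\s*=\s*(.*?)\s*$")

# The localhost-only cups.socket as quoted in comment 1 of the bug.
LOCALHOST_ONLY_UNIT = """\
[Unit]
Description=CUPS Printing Service Sockets

[Socket]
ListenStream=/var/run/cups/cups.sock
ListenStream=127.0.0.1:631
ListenStream=[::1]:631
ListenDatagram=127.0.0.1:631
ListenDatagram=[::1]:631
BindIPv6Only=ipv6-only

[Install]
WantedBy=sockets.target
"""

# Constructed variant (not from the page): a bare port makes systemd bind all addresses.
WILDCARD_UNIT = LOCALHOST_ONLY_UNIT.replace(
    "ListenStream=127.0.0.1:631\nListenStream=[::1]:631\n", "ListenStream=631\n")


def parse_listen(unit_text):
    """Return (directive, value) pairs found in the [Socket] section."""
    entries, section = [], None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = LISTEN_RE.match(line)
        if section == "Socket" and m:
            entries.append((m.group(1), m.group(2)))
    return entries


def classify(value):
    """Classify a Listen value as unix, loopback, wildcard, port-only or other."""
    if value.startswith(("/", "@")):
        return "unix"
    if value.startswith("["):                 # "[::1]:631" -> "::1"
        host = value[1:value.index("]")]
    elif ":" in value:                        # "127.0.0.1:631" -> "127.0.0.1"
        host = value.rsplit(":", 1)[0]
    else:                                     # "631": all addresses
        return "port-only"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "other"                        # hostnames, interface names
    if addr.is_loopback:
        return "loopback"
    return "wildcard" if addr.is_unspecified else "other"


def exposed_listeners(unit_text):
    """Listen entries a remote host could reach (anything not unix/loopback)."""
    return [(d, v) for d, v in parse_listen(unit_text)
            if classify(v) not in ("unix", "loopback")]


def bind_conflict_demo():
    """Reproduce the error_log condition: a socket already listening on
    127.0.0.1:<port> (systemd's role) blocks a second bind to 0.0.0.0:<port>
    (what cupsd attempts when printer sharing is on).  Returns the errno
    name of the failure, expected 'EADDRINUSE', or None if bind succeeded."""
    held = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        held.bind(("127.0.0.1", 0))           # ephemeral port stands in for 631
        held.listen(1)
        port = held.getsockname()[1]
        second.bind(("0.0.0.0", port))
        return None
    except OSError as e:
        return errno.errorcode.get(e.errno)
    finally:
        second.close()
        held.close()


if __name__ == "__main__":
    print("localhost-only unit exposes:", exposed_listeners(LOCALHOST_ONLY_UNIT))
    print("wildcard unit exposes:", exposed_listeners(WILDCARD_UNIT))
    print("second bind on 0.0.0.0 fails with:", bind_conflict_demo())
```

The audit is what to run against /etc/systemd/system/cups.socket (or a drop-in) after editing it as the reporter did: an empty list means socket activation alone does not expose port 631. The bind demonstration explains the "Address already in use" lines: the same port cannot be taken on 0.0.0.0 by cupsd once systemd holds it on 127.0.0.1, so enabling sharing in cupsd.conf while cups.socket is active produces exactly the errors quoted in the report.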
I reopened bnc#857372 and assigned it to me. I will try to clean up the mess, regardless of the fact that my knowledge of systemd unit files is very limited. For the full story see bnc#857372 ... ;-)

*** This bug has been marked as a duplicate of bug 857372 ***