Needs to properly restart cupsd after changing options

Why do you think it needs to restart cupsd? It doesn't.

We do need in Ubuntu, since when cupsd tries to reinitialize itself, it drops the port binding to 631, and it cannot open this any more, since at that time it runs as unprivileged system user. So, while this is arguably a cups bug, it is very intrusive to fix in cupsd itself without upstream support, so we rather need to work around it and completely restart it.

Well, it can't be fixed properly in system-config-printer -- what about remote CUPS servers?

Fix it in CUPS.

I should point out that restarting cupsd willy-nilly is *really* bad for users who print long-running jobs (i.e. lots of copies, lots of pages). Aborting their job half-way through, then restarting it, means they will have to check through *all* of the output paper to see what went wrong, and also that they'll have to chuck a lot of it in the recycling bin.

Even 'service cups reload' suffers from this: cupsd will "put off" a reload for a while if there is a job running, but only for so long.

If you ever need to restart cupsd, something's wrong.

pitti, if you have already hacked the CUPS daemon to run non-root which is not supported upstream, why don't you also hack the cupsd to not close port 631 when receiving a HUP signal?

Hi,

Till Kamppeter [2007-08-01 10:14 -0000]:
> pitti, if you have already hacked the CUPS daemon to run non-root which
> is not supported upstream, why don't you also hack the cupsd to not
> close port 631 when receiving a HUP signal?

That would be ideal, of course, but as I said, it is very intrusive,
and as long as we need to sit on the derooting patches forever, I am
very hesitant to make them a lot bigger.

Just for the record, I'll look into creating an apparmor profile for cups. If I succeed, we can drop the derooting patches and solve this bug along with bug 119289.

Pitti : be aware that Tim have packaged cups 1.3

OK, I have a working profile now, let's go the apparmor route.

@Patrice: I am aware of this, but it's not yet decided whether we'll move to 1.3 in Gutsy.

cupsys (1.2.12-1ubuntu2) gutsy; urgency=low

  * Drop our derooting changes. It still has some regressions, and with
    upstream not even acknowledging the need for improving cupsys' security we
    will sit on this forever. (LP: #119289, LP: #129634)
    - Drop derooting related patches:
      06_disable_backend_setuid.dpatch
      10_external_pam_helper.dpatch
      09_runasuser.dpatch
      09_runasuser_autoconf.dpatch
    - debian/cupsys{,-client}.postinst: Drop the 'cupsys' user setup and file
      permission juggling.
    - debian/rules:
      + Drop --with-cups-user and --enable-privilege-dropping configure
        options.
      + Do not modify the upstream default backend permissions.
    - debian/cupsys.init.d: Do not touch log file permissions any more.
    - debian/cupsys.files: Drop cups-check-pam-auth.
    - debian/NEWS: Drop description of derooting changes.
    - debian/control: Drop adduser dependency.
  * debian/patches/44_fixconfdirperms.dpatch: Do not create
    /var/run/cups/certs as lp:lpadmin, but as root:lpadmin, so that cupsd
    does not need CAP_DAC_OVERRIDE. This will make it possible to create a
    sensible AppArmor profile.
  * debian/cupsys.preinst: Fix file permissions on upgrades (owner cupsys ->
    root).
  * Add debian/local/apparmor-profile: AppArmor profile for cupsys, to replace
    the former derooting patches. This uses complain mode for now, until we
    got some more testing. Install it to /etc/apparmor.d/usr.sbin.cupsd in
    debian/rules and reload apparmor in debian/cupsys.postinst on configure.

 -- Martin Pitt <email address hidden> Thu, 02 Aug 2007 14:06:05 +0200

With CUPS 1.3.0 RC2 this works out-of-the-box, so taking this version into Gutsy this bug is fixed immediately. Red Hat/Fedora (and these are the upstream developers of system-config-printer) have already switched on their development branch (Rawhide).

Here you can get Ubuntu Gutsy packages (the binaries are for 32-bit x86) for testing:

Source:
http://www.linux-foundation.org/~till/tmp/ubuntu/gutsy/cupsys13/

Binaries:
http://www.linux-foundation.org/~till/tmp/ubuntu/gutsy/cupsys13/binary/

These packages contain also all the recent changes which pitti has done on CUPS 1.2.12, especially the non-root mode dropped and AppArmor protection introduced.

I have tested system-config-printer with these CUPS packages and it works perfectly now. I did a "tail -f /var/log/cups/error_log and saw all actions which I diud in the GUI correctly being taken care of by CUPS, including the restarts on configuration chenges.

Tested also the CUPS 1.2.12-1ubuntu2 package now and with this system-config-printer works correctly, too.

Patrice, can you run the following commands and post the output here:

smbclient -N -L //192.168.1.100
nmblookup -R 'ENTREPRISE'
nmblookup -A 192.168.1.102
nmblookup -A 192.168.1.103
nmblookup -A 192.168.1.104
nmblookup -A 192.168.1.105

The first one is used by s-c-p and probably will not give any useful output for you. The second one should give you the IPs of all servers in the domain "ENTREPRISE" (which are the four IPs of the boxes findsmb has found for you according to the bug report at Red Hat). The last four commands reveal the NetBIOS names of each of your four boxes.

Does this happen that way? Can you post the output here? With this we will be able to fix s-c-p.

Please test on both Ubuntu and Red Hat (if you have the two distros installed somewhere), to exclude distro-specific problems.

Please ignore the last comment, it was meant for another bug. Sorry.