@{HOME} does not expand to the real home dir, but hardcodes /home/

Thank you for taking the time to report this bug.
Can you attach /etc/cups/cupsd.conf and /etc/cups/cups-pdf.conf files ?

As requested, I provide the two required configuration files.

Changing state back to "New", since I provided requested data.

Me too !
Thu Aug 28 15:55:47 2008 [ERROR] failed to create directory (/home/david/PDF)
Thu Aug 28 15:55:47 2008 [ERROR] failed to create user output directory (/home/david/PDF)

The issue is in permission troubles. setting 777 to my home dir solved the problem but it's obviously a bad solution. (setting 777 to ~/PDF was'nt enough)

I hope thath'll be usefull.

Best regards,
David C.
<email address hidden>

Nope, in my case it is not a permission problem. locust, you might be able to close your permission now that the directory is created and see if it still works.

I have the problem on all my Ubuntu machines, though I copy my home directory from one to another. So it is probably something related with some configuration in my account. I have not tried with a fresh account (too lazy for that).

I found that it fails if you don't have a 'PDF' directory in your home directory (since the default cups-pdf config is to print to ~/PDF).

You can get away with permissions of 0701 on your home directory. The main thing is that "other" users have at least +x permission, so that cups-pdf can at least navigate to the 'PDF' directory within. This isn't as bad as 0777 on your home directory, because, even though other users will be able to chdir to your home dir, they won't be able to list the contents, or read/write/delete any files. If they guess directory names (ie, 'Documents'), they may be able to read stuff within those directories, depending on the dir/file permissions.

Can you try this command in a terminal :

sudo aa-complain cupsd

And then try to print a PDF file? Does that workaround work for you?

Saïvann Carignan, you found the problem. Running `sudo aa-complain cupsd ` made it work. I got the following in /var/log/messages:

Sep 14 04:31:04 sitari kernel: [ 6932.328269] audit(1221381064.144:3): type=1502 operation="capable" name="dac_override" pid=29723 profile="/usr/lib/cups/backend/cups-pdf" namespace="default"
Sep 14 04:31:15 sitari kernel: [ 2780.167101] audit(1221381075.444:4): type=1502 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/sp/home/hans/PDF/_Bug_212280__Re__cups-pdf_printer_not_generating_PDF_file.pdf" pid=29726 profile="/usr/lib/cups/backend/cups-pdf" namespace="default"
Sep 14 04:31:16 sitari kernel: [ 2781.035451] audit(1221381076.352:5): type=1502 operation="setattr" requested_mask="w::" denied_mask="w::" attribute="mode,ctime," name="/sp/home/hans/PDF/_Bug_212280__Re__cups-pdf_printer_not_generating_PDF_file.pdf" pid=29724 profile="/usr/lib/cups/backend/cups-pdf" namespace="default"

I cannot make sense of it though. What is next?

apparmor is a security tool designed to prevent security flaw, however in that case, it refuses something that it shouldn't. Now that you successfully printed with cups-pdf, can you set cupsd back to aa-enforce mode, try to print with it and report if that worked?

You can use that command to set back apparmor to enforce mode : sudo aa-enforce cupsd

`sudo aa-enforce cupsd` causes the PDF printer to fail again.

Now why all my systems I install Hardy on have this problem, yet 99% of the users don't? It must be something I do during the installation, but I have no clue what. I do not fiddle with App Armor settings.

pitti. csn you check and fix the AppArmor configuration for cups-pdf?

Till Kamppeter, pitti : Informations in bug 270046 might also be useful.

Hans Deragon : Do you have a /home folder on another partition?

I have never fiddled with AppArmor. I have no clue how to work on it. I could hit the books and learn about it, but unfortunately I have other priorities, including my personal Open Source project Autopoweroff.

I have an old /home/hans home directory, but it is not being used by any user.

cups-pdf's apparmor profile already uses the @{HOME} abstraction. So the real problem here is that apparmor hardcodes that to be /home/$USER, instead of using the actual home directory (which is /sp/home/$USER for Hans). Therefore I am reassigning this to apparmor.

However, realistically I don't see this getting fixed anytime soon, so I'm afraid if you are using nonstandard home directory locations, you have to adapt the path in /etc/apparmor.d/usr.sbin.cupsd as well.

On Tue, Sep 16, 2008 at 09:26:37PM -0000, Martin Pitt wrote:
> cups-pdf's apparmor profile already uses the @{HOME} abstraction. So the
> real problem here is that apparmor hardcodes that to be /home/$USER,

This is entirely configurable in /etc/apparmor.d/tunables/home.

> instead of using the actual home directory (which is /sp/home/$USER for
> Hans). Therefore I am reassigning this to apparmor.

Change the @{HOMEDIRS} tunable to reflect the other locations. e.g.:

 @{HOMEDIRS}=/home/ /sp/home/

Blaaagh, I touched the “also needs fixing here” button. (I was curious what it meant. I know, I shouldn’t have done that!) I suppose I’ve re-opened a “won’t fix” bug, or something.

In any case, I’ve done enough damage for one day. Could somebody who knows what they’re doing revert whatever I did? ...Thanks!