Printing and cups: KDE removes filter entrys!

Duncan 1i5t5.duncan at cox.net
Mon Aug 16 08:18:45 BST 2010 

Wilhelm posted on Sun, 15 Aug 2010 16:05:51 +0000 as excerpted:

> we are using cupsd / smbspool for printing to printers hosted on a
> remote windows printserver. Therefore the cups-clients need to to the
> filtering local. So I setup the local printers.conf to include the
> nessesary filter definitions. Up to this point all is well and printing
> works.
> 
> The problem seems to be the KDE printer-mgr. If someone logs into the
> client using a KDE session, the kde startup procedure somehow removes
> the filter entrys from printers.conf and then I have printers.conf
> (modified, without the filter definitions) and printers.conf.0 (the
> previous working one).
> 
> If I set cupsd to LogLevel debug, it says that it is modifying
> printers.conf.
> 
> So, the question is: how do I prevent KDE from sending modifying
> requests to cupsd or how do I refuse those modifications ?

Note that I don't have a printer ATM, and even if I did, it'd very likely 
be local printing only...  As such, I don't know much about printing in 
kde4.

That said... there's a few more generic possibilities you may be able to 
activate, depending on your installation.  This list is arguably in 
reverse order of likelihood to work... that's just the order I thought of 
them.

1)  If you're running SELinux, you can setup the cupsd SELinux security 
policy so it isn't allowed to write to printers.conf, only read it.  (The 
same may well be possible with app-armor and tomoko (sp?), I'm not sure.)  
Since Fedora ships with SELinux active by default, if that's what you're 
using, it should be a rather minor change.

2)  If you're running ext2/3/4, consider setting the printers.conf file 
immutable.  As with the printer disclaimer above, I should mention that I 
run reiserfs myself (and likely will until btrfs loses its dev status and 
seems reasonably stable for a kernel or two), and thus haven't actually 
ever had occasion to use ext2/3/4's immutable attribute (viewable with 
lsattr, settable with chattr, see the manpages), but it or possibly
append-only sounds like it'd fit the bill to me. =:^)

3) This one I KNOW should work as I actually use it for various purposes 
(chroots, etc) myself.  Take a look at the mount --bind option, for 
remounting part of a filesystem (may be a single file) elsewhere.  The 
idea is to remount either that dir, or just that file, as read-only.  The 
catch is that you can't change the mount options with mount --bind itself 
-- it inherits the mount options of the original filesystem.  However, you 
CAN do the mount --bind, then do a remount -o remount,ro.  Again, see the 
manpage, this time for mount, in particular, the bind mounts section.  If 
the filesystem (even if it consists of a single bind-mount file) is 
mounted read-only, neither cupsd nor anything else is going to write 
anything on it using access to that mountpoint! =:^)  Of course, assuming 
the file is stored elsewhere on the original filesystem, so the mount --
bind isn't directly over top of itself, you can still modify it if desired 
using the original location.  But the point is, cupsd won't be accessing 
it using that path, but rather, the bind-mount path, which is read-only, 
so it will be unable to modify the file!

I'm quite sure there's actually a way to get kde to quit telling cupsd to 
mess with it, but as I said, I don't have a printer ATM (and haven't had 
since quite some time back in the kde3 era), so I don't happen to know the 
specifics of that.  But I DO know how to force a file to read-only if I 
need to, using bind-mounts.  As no one else seems to have answered so 
far... well, you know at least one way to make it work, now, even if it's 
rather like using a cannon to kill a fly.  I've actually used it and know 
it does work.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman

___________________________________________________
This message is from the kde mailing list.
Account management:  https://mail.kde.org/mailman/listinfo/kde.
Archives: http://lists.kde.org/.
More info: http://www.kde.org/faq.html.

More information about the kde mailing list