Upgrading Ubuntu Breaks Printer (cupsys)

During an upgrade of Ubuntu my printing capability was suddenly cut short. A red sign appeared on my printer icon on my task bar and any printed documents would be queued but not printed.

The Symptoms

A quick look in /var/log/cups/error_log gave the following clue:

Filter "brightq-CPCA" for printer "print" not available: Permission denied

In my case the printer driver is a proprietary driver called "BrightQ™" provided by Codehost Inc. The proprietary driver is for a Canon ImageRunner 2200 (ir2200).

I accessed the web interface for CUPS by pointing my browser to http://localhost:631. I tried to restart a job that was still queued and got this error message on the screen:

"Unable to start filter "brightq-CPCA" - Permission denied."

Another check of /var/log/cups/error_log showed more information:

E  Unable to execute /usr/lib/cups/filter/brightq-CPCA: Permission denied
E [Job 76] Unable to start filter "brightq-CPCA" - Permission denied.
E Restart-Job: Unauthorized
E Unable to execute /usr/lib/cups/filter/brightq-CPCA: Permission denied
E [Job 76] Unable to start filter "brightq-CPCA" - Permission denied.

The syslog gave up some information as well:

kernel: [14228.196000] audit(1202243051.870:8):  type=1503 operation="inode_permission" requested_mask="x" denied_mask="x" name="/usr/local/brightq/filters/brightq-CPCA" pid=5049 profile="/usr/sbin/cupsd"
kernel: [14257.180000] audit(1202243080.872:9):  type=1503 operation="inode_permission" requested_mask="x" denied_mask="x" name="/usr/local/brightq/filters/brightq-CPCA" pid=5049 profile="/usr/sbin/cupsd"

The Cause

Some quick search engine lookups of the error messages indicated that the problem revolves around a security tool created by Novell/openSUSE called AppArmor. AppArmor runs in the kernel and uses the Linux Security Modules (LSM) framework. Basically a profile is created for each binary that specifies (or confines) how that file can interact with other files on the system.

In this case the binary "/usr/sbin/cupsd" wants to execute (x) "/usr/local/brightq/filters/brightq-CPCA". Because the proprietary driver is not included in a normal Ubuntu installation, AppArmor considers the binary foreign and protects the system from running a file it does not trust. AppArmor is simply doing its job!

When the cupsys package was updated, line 7 of /etc/apparmor.d/usr.sbin.cupsd was changed from:

/usr/sbin/cupsd flags=(complain) {

to:

/usr/sbin/cupsd {

The old /etc/apparmor.d/usr.sbin.cupsd file ran the /usr/sbin/cupsd profile in complain mode, so policy violations were only logged and access was still allowed. The new /etc/apparmor.d/usr.sbin.cupsd file is stricter: the profile is enforced, and hence third-party drivers are no longer loaded.

A Workaround

This workaround will work for all proprietary drivers. As many people will have their drivers in different locations, this quick fix is the simplest way to tell AppArmor to allow access to proprietary printer drivers, by allowing access to everything (security risk!). Telling AppArmor to only "complain" rather than enforce policies for the cupsd binary allows printing to continue:

sudo aa-complain cupsd

This of course leaves your system vulnerable to other proprietary printer drivers infecting your system. A better and relatively more secure option is to tell AppArmor to allow the third-party driver. Note that I say relatively more secure: the profile located at /etc/apparmor.d/usr.sbin.cupsd has many entries that are wide open. However, it is always a good idea to follow good security practices:

The Fix

I am going to edit the AppArmor profile for /usr/sbin/cupsd and add an entry for my third-party driver. Open /etc/apparmor.d/usr.sbin.cupsd:

sudo gedit /etc/apparmor.d/usr.sbin.cupsd

Move to line 100 and change the configuration to read:

  # third-party printer drivers; no known structure here
  /opt/** rix,

  # FIXME: no policy ATM for hplip
  /usr/bin/hpijs Ux,

  # Add third party driver here
  /usr/local/brightq/filters/brightq-CPCA Ux,

}

NOTE: replace /usr/local/brightq/filters/brightq-CPCA with your driver. You can determine the path to the file by looking at your /var/log/syslog file for "audit" events (see the last error message in "The Symptoms" section).

Setting a program to run in Unconstrained Execute Mode (Ux) is similar to running a program setuid. Note that this is "wide open": the binary driver runs without any restrictions. While this is generally undesirable, there are many cases that require the freedom, especially with third-party closed-source drivers.
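
The NOTE above says to find the driver path in the "audit" events in syslog. As an added example (not part of the original post), this Python script parses audit lines in the format quoted in "The Symptoms", groups the denials by profile and path, and builds a candidate profile rule for each so it can be reviewed before it goes into the profile. The last two sample lines, the function names and the exec_mode parameter are assumptions made for the illustration.

```python
import re
from collections import OrderedDict

# First two lines are the syslog entries quoted on this page; the last two
# are constructed (a read denial and an unrelated kernel message).
SAMPLE_SYSLOG = """\
kernel: [14228.196000] audit(1202243051.870:8):  type=1503 operation="inode_permission" requested_mask="x" denied_mask="x" name="/usr/local/brightq/filters/brightq-CPCA" pid=5049 profile="/usr/sbin/cupsd"
kernel: [14257.180000] audit(1202243080.872:9):  type=1503 operation="inode_permission" requested_mask="x" denied_mask="x" name="/usr/local/brightq/filters/brightq-CPCA" pid=5049 profile="/usr/sbin/cupsd"
kernel: [14300.000000] audit(1202243100.100:10):  type=1503 operation="inode_permission" requested_mask="r" denied_mask="r" name="/usr/local/example/ppd/example.ppd" pid=5049 profile="/usr/sbin/cupsd"
kernel: [14301.000000] usb 1-1: new full speed USB device using uhci_hcd and address 2
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_denial(line):
    """Return the audit fields of an AppArmor denial line, or None."""
    if "audit(" not in line:
        return None
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    if not {"profile", "name", "denied_mask"}.issubset(fields):
        return None
    return fields

def summarize(log_text):
    """Group denials by (profile, path): union of denied masks and hit count."""
    summary = OrderedDict()
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields is None:
            continue
        entry = summary.setdefault((fields["profile"], fields["name"]),
                                   {"masks": set(), "count": 0})
        entry["masks"].update(fields["denied_mask"])
        entry["count"] += 1
    return summary

def candidate_rules(summary, exec_mode="Ux"):
    """Build one profile rule per denied path, for review before pasting.

    exec_mode defaults to the Ux used on this page; "ix" would keep the
    driver inside cupsd's profile (whether it then runs is untested here).
    """
    rules = []
    for (profile, path), entry in summary.items():
        perms = "".join(m for m in "rwlkm" if m in entry["masks"])
        if "x" in entry["masks"]:
            perms += exec_mode
        rules.append((profile, f"  {path} {perms},"))
    return rules

if __name__ == "__main__":
    for profile, rule in candidate_rules(summarize(SAMPLE_SYSLOG)):
        print(f"{profile}: {rule}")
```

Listing every denied path with its mask before editing the profile keeps the Ux entry limited to the one binary that needs it, rather than widening a glob such as /opt/**.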

Now reload AppArmor:

sudo /etc/init.d/apparmor reload

You may get an error message:

Reloading AppArmor profiles  Skipping profile /etc/apparmor.d/usr.sbin.cupsd.dpkg-old
: Warning.

Removing /etc/apparmor.d/usr.sbin.cupsd.dpkg-old will eliminate the warning:

sudo rm /etc/apparmor.d/usr.sbin.cupsd.dpkg-old

That's it! Happy printing.

Comments

It looks like some printers bring serious functionality troubles, if I had such a problem I don't think I could ever fix it by myself. I am checking for hp printers as we speak, do you have any specific tips for me?
