[Printing-summit] [lsb-discuss] Printer/driver testing and certification

Michael Sweet mike at easysw.com
Mon Aug 21 08:29:30 PDT 2006


Klaus Singvogel wrote:
> Michael Sweet wrote:
>> I'm trying to stay out of this discussion as much as possible, but
>> this is a bogus argument.  The default CUPS configuration does not
>> accept connections from remote systems - we only listen on the
>> local loopback interface (localhost), so unless a user sets up a
>> network-accessible tunnel/proxy pointing at localhost:631 (which I
>> am quite sure SuSE is *not* doing :), it is impossible to access
>> the printing system remotely and thus there is no remote access
>> security issue there.
> 
> Sorry, to disagree.
> 
> The scheduler code (at least cups-1.1.x, didn't check cups-1.2.x)
> showed different details. A connection was _always_ accepted, and data
> on port 631 was always read, only after getting this information a
> decision was made by the scheduler, whether to accept a connection or
> not.

In CUPS 1.2, the default cupsd.conf file (which is what determines
what addresses the scheduler listens to) uses:

     Listen localhost:631

For CUPS 1.1.x, all a Linux distro needs to do is change the default
cupsd.conf to use "Listen localhost:631" or the equivalent, and that
is in fact how most distros (and Apple!) ship their cupsd.conf file.
(and we changed the default in 1.2 specifically because of that...)

Mind you, there is the possibility of remote attack as soon as you
*do* open things up enough to share your printers, but you have to
specifically enable a remotely accessible address and change the
default access controls ("Allow from @LOCAL") to expose yourself to
that risk.  In addition, there is the built-in Linux firewall and
the firewall functionality included with every router sold today that
you have to disable or bypass before a potential outside attacker can
access the server remotely.

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com
Internet Printing and Document Software          http://www.easysw.com
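
As an added example (not part of the original message and not CUPS project code), a small Python audit of the settings discussed above: it flags Port and non-loopback Listen directives and lists Allow rules inside Location blocks that admit more than localhost. The sample configuration and the function name audit_cupsd_conf are constructed for illustration.

```python
import re

# Constructed sample for illustration; not taken from any real system.
SAMPLE_CONF = """\
Listen localhost:631
Listen /var/run/cups/cups.sock
Port 631
Listen 192.0.2.10:631
<Location />
  Allow from @LOCAL
</Location>
<Location /admin>
  Allow from all
</Location>
"""

# Addresses that keep the scheduler on the loopback interface.
LOOPBACK = re.compile(r"^(localhost|127(\.\d+){3}|\[::1\])(:\d+)?$", re.I)

def audit_cupsd_conf(text):
    """Return (line number, note) pairs for settings reachable beyond localhost."""
    findings, location = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+([^>]+)>", line, re.I)
        if opened:
            location = opened.group(1).strip()
            continue
        if line.lower().startswith("</location"):
            location = None
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]
        if key in ("port", "sslport"):
            # Port binds every interface, unlike "Listen localhost:631".
            findings.append((lineno, "Port listens on all interfaces"))
        elif key in ("listen", "ssllisten") and args:
            # A leading "/" is a domain socket path, which is local only.
            if not args[0].startswith("/") and not LOOPBACK.match(args[0]):
                findings.append((lineno, f"Listen on non-loopback address {args[0]}"))
        elif key == "allow" and location is not None and args:
            source = args[-1]  # accepts "Allow from X" and "Allow X"
            if not LOOPBACK.match(source):
                findings.append((lineno, f"{location} allows {source}"))
    return findings

if __name__ == "__main__":
    for lineno, note in audit_cupsd_conf(SAMPLE_CONF):
        print(f"line {lineno}: {note}")
```

An empty result means the file keeps the scheduler on loopback or a domain socket and admits only localhost; firewall rules are outside what this check sees.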



