[Printing-summit] [lsb-discuss] Printer/driver testing and certification

Klaus Singvogel kssingvo at suse.de
Mon Aug 21 08:55:22 PDT 2006


Hi.
It's getting boring now, but I will repeat again.

Michael Sweet wrote:
[...]
> For CUPS 1.1.x, all a Linux distro needs to do is change the default
> cupsd.conf to use "Listen localhost:631" or the equivalent, and that
> is in fact how most distros (and Apple!) ship their cupsd.conf file.
> (and we changed the default in 1.2 specifically because of that...)

Didn't we come to the conclusion that a distro should not change the
configuration toward less usability and more security? I might have
missed something between the last two posts. But it seems that you're
now saying that a distro should change a default configuration
(here: cupsd.conf).

> Mind you, there is the possibility of remote attack as soon as you
> *do* open things up enough to share your printers, but you have to
> specifically enable a remotely accessible address and change the
> default access controls ("Allow from @LOCAL") to expose yourself to
> that risk.

Again: "Allow from @LOCAL" means bytes and data were read and are
evaluated (e.g. location "/admin") in old cups-1.1.x. A potential
attack might be possible by this.

> In addition, there is the built-in Linux firewall and
> the firewall functionality included with every router sold today that
> you have to disable or bypass before a potential outside attacker can
> access the server remotely.

Do I understand your argument right? CUPS can only be run in systems
which are protected by built-in firewalls or routers? Sorry? What!?

And again: a user (or distro with default settings) should activate a
security feature, by losing usability? Doesn't this somehow contradict
the arguments I heard before: no restrictions, full usability by
default?
I'm puzzled somehow, and got the feeling that you exactly follow the
ways I pointed out before: first claim full usability, and after a
while change your mind and high security.

As said first: it's getting boring now. No real new arguments. Only a
jump between usability and security. And a distro's settings are always
illogical and false. Which means under no circumstances one can
respect the opinion of the other (which means, that there exists only
one valid and therefore you have to give up yours if you don't flame
the other to death).

Regards,
	Klaus.
-- 
Klaus Singvogel
SUSE LINUX Products GmbH
Maxfeldstr. 5                     E-Mail: Klaus.Singvogel at SuSE.de
90409 Nuernberg                   Phone: +49 (0) 911 740530
Germany                           GnuPG-Key-ID: 1024R/5068792D  1994-06-27
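
An added illustration of the configuration points debated in this message (not code from the e-mail, its author, or the CUPS project): a small Python check that separates the two layers under discussion, namely which addresses cupsd listens on and which sources each Location allows. The sample configuration and the names `SAMPLE_CONF`, `is_loopback` and `audit` are constructed for this example.

```python
import ipaddress
import re

# Constructed sample in cupsd.conf syntax; not taken from any distribution.
SAMPLE_CONF = """\
Port 631
Listen localhost:631
<Location />
Order Deny,Allow
Deny From All
Allow From @LOCAL
</Location>
<Location /admin>
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
</Location>
"""

def is_loopback(host):
    """True for localhost, loopback IPs and UNIX domain socket paths."""
    host = host.strip("[]")
    if host.lower() == "localhost" or host.startswith("/"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # "*", bare ports, other names: treat as network-reachable

def audit(conf_text):
    """Return (network-reachable listener lines, {location: non-local Allow sources})."""
    listeners, allows, location = [], {}, None
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize
        key = parts[0].lower() if parts else ""
        opened = re.match(r"<location\s+(\S+?)>", " ".join(parts), re.I)
        if opened:
            location = opened.group(1)
            allows[location] = []
        elif key == "</location>":
            location = None
        elif len(parts) < 2:
            continue
        elif key == "port":
            listeners.append(" ".join(parts))  # Port binds every address
        elif key == "listen" and not is_loopback(parts[1].rsplit(":", 1)[0]):
            listeners.append(" ".join(parts))
        elif key == "allow" and location and not is_loopback(parts[-1]):
            allows[location].append(parts[-1])
    return listeners, allows
```

A non-empty first element means the daemon accepts connections from the network, so requests from remote hosts reach the server's parser before any `Allow` rule is evaluated; the second element shows which locations then admit non-local sources.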



