[Printing-summit] [lsb-discuss] Printer/driver testing and certification

Michael Sweet mike at easysw.com
Mon Aug 21 10:54:34 PDT 2006


Klaus Singvogel wrote:
> Hi.
> It's getting boring now, but I will repeat again.
> 
> Michael Sweet wrote:
> [...]
>> For CUPS 1.1.x, all a Linux distro needs to do is change the default
>> cupsd.conf to use "Listen localhost:631" or the equivalent, and that
>> is in fact how most distros (and Apple!) ship their cupsd.conf file.
>> (and we changed the default in 1.2 specifically because of that...)
> 
> Didn't we come to the conclusion that a distro should not change the
> configuration toward less usability and more security? I might have
> missed something between the last two posts. But it seems that you're
> now saying that a distro should change a default configuration
> (here: cupsd.conf).

Please, no trolls.  There is a BIG difference between closing remote
access by default and closing *all* access by default.

You expressed a concern about the default CUPS 1.1.x configuration
which allows any host to connect to cupsd, and I mentioned what most
CUPS integrators have done, namely to change the default to only
listen on the loopback interface.  This was a sane and practical
approach to the security risk posed vs user experience, and made so
much sense that we changed the default in CUPS 1.2 to only listen on
the loopback interface, too!

In short, I simply recommended that you adopt the CUPS 1.2 defaults
on CUPS 1.1.x if you are still shipping/supporting CUPS 1.1.x.

>> Mind you, there is the possibility of remote attack as soon as you
>> *do* open things up enough to share your printers, but you have to
>> specifically enable a remotely accessible address and change the
>> default access controls ("Allow from @LOCAL") to expose yourself to
>> that risk.
> 
> Again: "Allow from @LOCAL" means bytes and data are read and
> evaluated (e.g. location "/admin") in old cups-1.1.x. A potential
> attack might be possible by this.

Sure, by opening a port on your system, it might become vulnerable.
I don't think I've said any different, and we've covered this issue
for MANY years in the CUPS security documentation.

But as I mentioned before, using "Listen localhost:631" avoids this
type of attack while still allowing printing to work.  The only time
you need to open port 631 is to share your local printers (act as a
server) with other CUPS clients on the network.

>> In addition, there is the built-in Linux firewall and
>> the firewall functionality included with every router sold today that
>> you have to disable or bypass before a potential outside attacker can
>> access the server remotely.
> 
> Do I understand your argument right? CUPS can only be run on systems
> which are protected by built-in firewalls or routers? Sorry? What!?

Noooo, the fact that distros and routers provide firewall protection
makes it harder for someone to even get to the CUPS server.

I mentioned that only because you claimed that shipping with CUPS
turned on by default exposes your company to liability, when in
fact the user of the software must make a lot of changes to disable
all of the various security features that are in place by default.

> And again: a user (or distro with default settings) should activate a
> security feature by losing usability? Doesn't this somehow contradict
> the arguments I heard before: no restrictions, full usability by
> default?

Please don't try to misquote me.

We have always had to balance security against usability.  Not
everyone agrees with our choices, but I stand by them.

Our goal has always been to allow a standalone system or a client
on a network to print with little or no configuration.  For a
standalone system, this means providing easy-to-use interfaces
to find and add a printer to the system.  For a client system,
we want the client to see all of the available printers that are
shared on the network so that the user can pick a printer and
print.

To accomplish this goal, the standard configuration is set up to
allow access only from the local system and to enable printer
browsing so that we can see the other printers/servers on the LAN.

Significantly, we disable sharing of local printers, remote access
to printers, and remote administration by default.  However, we
also provide (in 1.2) a simple interface for users to enable these
features (the web interface) so that *if*, for example, they want
to share a printer with another computer on their network, it is
as simple as checking the "share printers connected to this system"
box.

In short, those features that are disabled by default are a) not
needed by most systems and b) easy to enable if you do need them.

> As said first: it's getting boring now. No real new arguments. Only a
> jump between usability and security. And a distro's settings are always
> illogical and false.

I don't think anyone has said (certainly not me!) that your settings
are always illogical and false.  I do not fully understand why SuSE
has chosen to disable CUPS by default, but I know you have your
reasons and am not judging you for it.  I can only advocate my
viewpoint and try to understand what the issues are so that I can
further improve CUPS security (there is always room for improvement!)
while providing the best possible user experience for everyone on
all operating systems and distributions.

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com
Internet Printing and Document Software          http://www.easysw.com
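The message above turns on two cupsd.conf settings: what address cupsd listens on ("Port 631" on every interface versus "Listen localhost:631") and whom the <Location> blocks admit ("Allow From @LOCAL" versus "Allow localhost"). The following audit script is an added example written for this page; it is not part of the thread, the CUPS project, or any distro's tooling. It takes a cupsd.conf path, prints one line per directive that exposes cupsd beyond the loopback interface, and exits non-zero through cupsd_exposed when anything is found. The directive names (Port, Listen, Allow, <Location>) are real cupsd.conf directives, but the two sample files written by write_open_conf and write_loopback_conf are constructed for the example and are assumptions, not reproductions of the actual CUPS 1.1.x or 1.2 default files.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the CUPS project):
# audit a cupsd.conf for network exposure beyond the loopback interface.

# Constructed sample: the "listen everywhere, admit the LAN" style that the
# thread warns about.  Assumption: this is illustrative, not the real 1.1.x
# default file.
write_open_conf() {
  cat > "$1" <<'EOF'
Port 631
Browsing On
<Location />
Order Deny,Allow
Deny From All
Allow From @LOCAL
</Location>
<Location /admin>
Order Deny,Allow
Deny From All
Allow From @LOCAL
</Location>
EOF
}

# Constructed sample in the spirit of the CUPS 1.2 default: loopback and a
# local domain socket only, every <Location> limited to localhost.
write_loopback_conf() {
  cat > "$1" <<'EOF'
Listen localhost:631
Listen /var/run/cups/cups.sock
Browsing On
<Location />
Order allow,deny
Allow localhost
</Location>
<Location /admin>
Order allow,deny
Allow localhost
</Location>
EOF
}

# Print one "EXPOSED:" line per directive that reaches beyond loopback.
# Comments and surrounding whitespace are dropped and the text is folded to
# lower case because cupsd directives are case-insensitive.
audit_cupsd_conf() {
  conf=$1
  location="(global)"
  sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' "$conf" | tr 'A-Z' 'a-z' |
  while IFS= read -r line; do
    case $line in
      '') continue ;;
      '<location '*'>')
        # Remember which block the following Allow rules belong to.
        location=${line#"<location "}
        location=${location%">"} ;;
      'port '*)
        # Port N binds every interface; Listen localhost:631 is the fix.
        echo "EXPOSED: $line binds all interfaces; use 'Listen localhost:631'" ;;
      'listen '*)
        addr=${line#"listen "}
        case $addr in
          /*|localhost:*|127.0.0.1:*|'[::1]:'*) ;;   # domain socket or loopback
          *) echo "EXPOSED: Listen on non-loopback address $addr" ;;
        esac ;;
      'allow '*)
        who=${line#"allow "}
        who=${who#"from "}                         # "Allow From X" and "Allow X"
        case $who in
          localhost|127.0.0.1|::1) ;;
          *) echo "EXPOSED: <Location $location> allows $who; use 'Allow localhost' unless sharing is intended" ;;
        esac ;;
    esac
  done
}

# Exit 0 when the configuration exposes cupsd beyond loopback, 1 when it
# is loopback-only; handy in a provisioning or CI check.
cupsd_exposed() {
  [ "$(audit_cupsd_conf "$1" | wc -l | tr -d ' ')" -gt 0 ]
}

# Stand-alone demonstration on the two constructed samples.
tmp=$(mktemp -d)
write_open_conf "$tmp/open.conf"
write_loopback_conf "$tmp/loopback.conf"
for f in "$tmp/open.conf" "$tmp/loopback.conf"; do
  echo "== $f"
  audit_cupsd_conf "$f"
done
rm -rf "$tmp"
```

Run it against a real file with `audit_cupsd_conf /etc/cups/cupsd.conf`. A finding is not automatically a bug: a print server that is meant to share printers will legitimately listen on a LAN address and allow @LOCAL, which is exactly the deliberate, opt-in change the message describes. The point of the check is to make sure that change was deliberate.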