Bug#747073: [cups-daemon] Doesn't work with systemd

To: 747073@bugs.debian.org
Cc: Didier 'OdyX' Raboud <odyx@debian.org>
Subject: Bug#747073: [cups-daemon] Doesn't work with systemd
From: Josh Triplett <josh@joshtriplett.org>
Date: Fri, 24 Oct 2014 10:13:00 -0700
Message-id: <[🔎] 20141024171258.GA2798@jtriplet-mobl1>
Reply-to: Josh Triplett <josh@joshtriplett.org>, 747073@bugs.debian.org
In-reply-to: <2256874.DRCqINlK8W@gyllingar>
References: <2822726.AsanuiiTlr@zmeu> <20140803101158.GA19010@bongo.bofh.it> <2601161.7DIPdKOWlN@gyllingar> <2256874.DRCqINlK8W@gyllingar>

On Thu, 25 Sep 2014 22:24:49 +0200 Didier 'OdyX' Raboud <odyx@debian.org> wrote:
>  ii) ListenStream with only the port number.
>      This works for the localhost ipv6 [::1] but it doesn't listen on 
>      127.0.0.1:631 but on :::631 . This implies that accessing
>      http://localhost:631/ doesn't spawn CUPS (of course, if you try
>      accessing http://[::1]:631/ first, then CUPS is spawned and the
>      IPv4 access works duing the 30 seconds, as cups has taken the port.

This seems like the fundamental bug here.  Listening on [::1]:631 with
BindIPv6Only=both *should* work equivalently to listening on
127.0.0.1:631 or localhost:631, and accessing http://localhost:631/
should then spawn CUPS rather than giving an error.

Regarding the "v4-over-v6 is widely seen as a major security problem" in
the CUPS bug report: per
https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02 , the
problem is using v4mapped addresses *on the wire*, not using such
addresses within a system to listen on a single socket.  The
recommendations from that draft say to avoid generating or receiving
IPv6 packets on the wire that contain v4mapped addresses, and that same
draft says "IPv4-mapped addresses are exclusively for uses local to a
node as specified in the basic API".

That said, I'd still like to see systemd capable of producing both a v4
and v6 listening socket, for whichever stacks the local system has,
omitting any that cannot exist because the stack doesn't exist.
(Ideally, systemd should only allow a ListenStream to fail because of a
missing stack, while still erroring on failures such as port conflicts.)

> Let's state it clearly: the core of the problem is that I think that
> "http://localhost:631/"; is a standard CUPS user interface and I'm not
> ready to make sure users (starting with me) change their muscle memory
> to use "http://ip6-localhost:631/"; or "http://[::1]:631/"; instead. How
> can we make this happen?

On a closely related note, I think we should fix hostname resolution so
that "localhost" resolves to both 127.0.0.1 and ::1, and vice versa,
with ip6-localhost remaining only as a compatibility fallback, if at
all.  http://localhost:631/ should work just fine over IPv6, just as any
other http or https URL does; if it doesn't, let's fix that.

- Josh Triplett

Reply to:

Follow-Ups:
- Bug#747073: [cups-daemon] Doesn't work with systemd
  - From: Didier 'OdyX' Raboud <odyx@debian.org>

Prev by Date: cups_1.7.5-4.1_amd64.changes REJECTED
Next by Date: Bug#747073: [cups-daemon] Doesn't work with systemd
Previous by thread: cups_1.7.5-4.1_amd64.changes REJECTED
Next by thread: Bug#747073: [cups-daemon] Doesn't work with systemd
Index(es):
- Date
- Thread