
Re: cups security



Luis Gómez Miralles <lgomez@infoemergencias.com> writes:

> On Thu, 11-04-2002 at 16:56, Torrin wrote:
> > Good morning everybody, well at least morning over here in Cali.  For
> > everybody else, Good afternoon, good evening and good night.
> > 
> > I just installed cups and I was wondering if it's possible to have cups
> > run properly without having port 631 open.  I don't like having ports
> > open, especially since this computer will be the only one printing to
> > this printer.  I looked at some of the doc on http://www.cups.org and
> > didn't see anything.  Any ideas?
> 
> Why don't you cut access to that port via tcp wrappers? At least in my
> Woody, cups is in inetd.conf:
> #:OTHER: Other services
> printer stream tcp nowait lp /usr/lib/cups/daemon/cups-lpd cups-lpd
> (actually I'm not sure whether this corresponds to cups or to lpr)

It corresponds to the cups server that accepts lpd jobs on port 515,
which is an optional part of cups.  The primary part of cups is a
daemon that accepts IPP jobs (and serves html documentation) on port
631.

> so you could add
> "printer: ALL BUT LOCAL" [or something like that]
> to /etc/hosts.deny

If you are not accepting lpd print jobs from other hosts, there is no
reason I am aware of to run cups-lpd.


Securing cups itself is done through the /etc/cups/cupsd.conf file.  In
particular, something like the following will limit access of the
printers and documentation to localhost:

 <Location />
 Order Deny,Allow
 Deny From All
 Allow From 127.0.0.1
 </Location>

The cupsd.conf file has lots of goodies that are not turned on by
default, including things like SSL/TLS certificates and crypto,
restricting of the daemon binding, and lots of other hooks.  The
manuals are available at http://localhost:631/ or at cups.org.



> > 
> > route add -net 224.0.0.0 netmask 240.0.0.0 dev <interface>
> > 
> > What's up with that?  I didn't see anything in the doc about that
> > either.


Google for the term ``multicast'' and you'll find the answer.  It has
(to the best of my knowledge) nothing to do with CUPS.


-- 

/*  Dale Southard Jr.  dsouth@llnl.gov  925-422-1463, fax 422-9429  */
/*  Computer Scientist, Accelerated Strategic Computing Initiative  */
/*  L-073,  Lawrence Livermore National Lab,  Livermore CA   94551  */
/*  AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving  */
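
Added example, not part of the original message: a small Python check that reads a cupsd.conf and reports any Port/Listen directive that is not bound to loopback, and any Location block that does not follow the "Deny From All" plus loopback-only "Allow From" pattern shown in the message. The function name and the sample configuration are constructed for illustration; the check is conservative and does not model how cupsd evaluates the Order directive.

```python
import ipaddress

# Constructed sample: the Location block from the message, plus a bind on all
# interfaces and a second, unrestricted Location for contrast.
SAMPLE_CONF = """\
Port 631
<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
</Location>
<Location /admin>
Order Allow,Deny
Allow From All
</Location>
"""

def is_loopback(value):
    value = value.strip("[]")
    if value.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_network(value, strict=False).is_loopback
    except ValueError:
        return False  # names, wildcards and "All" are treated as non-local

def audit_cupsd_conf(text):
    findings, path, deny_all, allows = [], None, False, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not words:
            continue
        key = words[0].lower()
        if key == "port":
            findings.append(f"Port {words[1]}: listens on every interface")
        elif key == "listen" and not words[1].startswith("/"):
            host = words[1].rsplit(":", 1)[0]  # strip the :port suffix
            if not is_loopback(host):
                findings.append(f"Listen {words[1]}: not bound to loopback")
        elif key == "<location":
            path, deny_all, allows = words[1].rstrip(">"), False, []
        elif key == "</location>":
            if not deny_all or not all(is_loopback(a) for a in allows):
                findings.append(f"Location {path}: not limited to localhost")
            path = None
        elif path and len(words) >= 3 and words[1].lower() == "from":
            if key == "deny" and words[2].lower() == "all":
                deny_all = True
            elif key == "allow":
                allows.append(words[2])
    return findings
```

On the sample it reports the `Port 631` bind and the `/admin` Location; the `<Location />` block from the message passes.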

