
Re: cups security summary



Torrin <torrin@torrin.net> writes:

> OK, in summary.
> 
> 1. I should set it to listen only on the local interface by setting
> 
> Listen 127.0.0.1:631
> 
> in the cupsd.conf file.
> 
> 2. I should firewall off the port.  This part is already done, I just
> don't like to have ports open.
> 
> So from what people have said, I guess there isn't a way to run cups and
> close the port.  

Step 1 causes cups to bind only to the loopback interface.  After
making the change, restart the cupsd and nmap scan your loopback
(localhost) and public interfaces -- you shouldn't see 631 open on
anything but the loopback.

If you've done step 1, step 2 is redundant protection.  There
shouldn't be anything listening on 631 anyplace except loopback.


> Is the open port essential to its operation, like open
> port 22 is essential to the operation of ssh?

In any unix printing architecture, there has to be a way to get the
client's data to the host's print server.  In traditional lpr and lp,
the client command copies or symlinks the data into the spool
directory (which is why lp/lpr is usually SUID or SGID).

In cups, the print data is transferred to the server via http
protocol.  This means the client program doesn't need any special
privileges, but does require that the server be listening on a port
somewhere.

Which is ultimately a better idea from a security perspective is a
matter of opinion and situation....


-- 

/*  Dale Southard Jr.  dsouth@llnl.gov  925-422-1463, fax 422-9429  */
/*  Computer Scientist, Accelerated Strategic Computing Initiative  */
/*  L-073,  Lawrence Livermore National Lab,  Livermore CA   94551  */
/*  AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving  */
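A config-level version of the step 1 check above (are the Listen/Port directives loopback-only?), as an added example that is not part of the original thread. It assumes the standard cupsd.conf directive syntax and runs over constructed sample configurations embedded in the script.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the Listen/Port directives
# of a cupsd.conf (read from stdin) and list any that would bind the
# scheduler to something other than the loopback interface.
# Assumed syntax: "Listen host:port", "Listen port", "Listen /path/to/socket"
# and "Port n", as in a standard cupsd.conf.

# Print one line per directive that exposes cupsd beyond loopback.
cups_exposed_listeners() {
    sed 's/#.*//' | awk '
        tolower($1) == "listen" {
            v = $2
            # A domain socket (path starting with "/") is local by definition.
            if (v ~ /^\//) next
            # Drop a trailing ":port"; a bare port number has none to drop.
            sub(/:[0-9]+$/, "", v)
            if (v == "127.0.0.1" || v == "localhost" ||
                v == "::1" || v == "[::1]") next
            print "Listen " $2
        }
        # "Port n" (like a bare "Listen n" above) binds every interface.
        tolower($1) == "port" { print "Port " $2 }'
}

# Exit 0 when only loopback listeners remain, 1 otherwise.
check_cups_listen() {
    exposed=$(cups_exposed_listeners)
    if [ -n "$exposed" ]; then
        printf 'cupsd would listen beyond loopback:\n%s\n' "$exposed" >&2
        return 1
    fi
    echo "cupsd is restricted to loopback"
    return 0
}

# Constructed sample configurations for a stand-alone run.
LOCKED_DOWN='# cupsd.conf after step 1
Listen 127.0.0.1:631
Listen /var/run/cups/cups.sock'
WIDE_OPEN='Port 631
Listen *:631
Listen localhost:631'

printf '%s\n' "$LOCKED_DOWN" | check_cups_listen
printf '%s\n' "$WIDE_OPEN" | check_cups_listen || true
```

This only audits the configuration file; the runtime confirmation is still the nmap scan of each interface after restarting cupsd, as the reply describes.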

