Bug 864522
Summary: | Reduce cupsd attack surface | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Steve Grubb <sgrubb> |
Component: | cups | Assignee: | Tim Waugh <twaugh> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | medium | ||
Version: | 18 | CC: | jpopelka, twaugh |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | cups-1.6.1-9.fc19 | Doc Type: | Bug Fix |
Last Closed: | 2013-03-07 16:50:58 UTC | Type: | Bug |
Bug Blocks: | 853068 |
Description
Steve Grubb
2012-10-09 13:51:47 UTC
In the default configuration for cups-1.5.4-5.fc18 (containing "Listen localhost:631"), I only see TCP sockets bound to localhost:ipp:

    $ netstat -tlp | grep -w ipp
    (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
    tcp        0      0 localhost:ipp    *:*       LISTEN      -
    tcp6       0      0 localhost:ipp    [::]:*    LISTEN      -

I'm pretty sure you had indicated that "Listen localhost:631" caused a socket bound to [::]:ipp. Could you please re-test and verify? Thanks.

Yes, it does appear to be local. What are your thoughts on disabling the web server interface by default? Thanks.

CUPS provides a way of just serving a stub page saying "this is not enabled" with instructions on how to enable the web interface. How about if we try that in rawhide? i.e. the result of "cupsctl WebInterface=no"

It turns out (see bug #878090) that the web interface is required in order to adjust server settings in system-config-printer. This is because server settings adjustment is performed by first fetching cupsd.conf via HTTP GET, then making adjustments, and finally replacing the config file using HTTP PUT.

Closing this bug as all that can be done is done.

Thanks for looking at it.
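
The two settings discussed in this thread, the Listen addresses and WebInterface, can be checked directly from the text of cupsd.conf. The following is an added example, not part of the original bug report or of CUPS; the function names `is_local` and `audit` are hypothetical and the sample configurations are constructed for illustration.

```python
import ipaddress

# Constructed cupsd.conf fragments for illustration (not from the bug report).
LOCAL_ONLY = """\
# Only listen for connections from the local machine.
Listen localhost:631
Listen /var/run/cups/cups.sock
WebInterface Yes
"""
EXPOSED = """\
Port 631
Listen [::1]:631
Listen 192.0.2.10:631
WebInterface No
"""

def is_local(addr):
    """True if a Listen address is a Unix socket or a loopback endpoint."""
    if addr.startswith("/"):
        return True                       # Unix domain socket path
    if addr.startswith("["):              # bracketed IPv6, e.g. [::1]:631
        host = addr[1:].split("]", 1)[0]
    else:
        host = addr.rsplit(":", 1)[0]     # strip :port if present
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                      # "*" or a hostname: treat as exposed

def audit(conf_text):
    """Return non-loopback listeners and the WebInterface setting."""
    exposed, web = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "port":                 # Port N listens on every address
            exposed.append("*:" + value)
        elif key == "listen" and not is_local(value):
            exposed.append(value)
        elif key == "webinterface":
            web = value.lower()           # stays None if the directive is absent
    return {"exposed": exposed, "web_interface": web}

if __name__ == "__main__":
    for name, conf in (("local-only", LOCAL_ONLY), ("exposed", EXPOSED)):
        print(name, audit(conf))
```

A loopback-only result says nothing about the web interface itself: as the first sample shows, it can still be enabled for local clients.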