Bug 864522

Summary: Reduce cupsd attack surface
Product: Fedora
Reporter: Steve Grubb <sgrubb>
Component: cups
Assignee: Tim Waugh <twaugh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: medium
Version: 18
CC: jpopelka, twaugh
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Fixed In Version: cups-1.6.1-9.fc19
Doc Type: Bug Fix
Last Closed: 2013-03-07 16:50:58 UTC
Type: Bug
Bug Blocks: 853068

Description Steve Grubb 2012-10-09 13:51:47 UTC
Description of problem:
We would like to lower the attack surface of the OS. We would like to see the default configuration no longer listen on port 631. As I understand it, the desktop uses the af_unix socket for its printing. So this should not affect any desktop users. A lot of printers are networked these days so hopefully there is not much need to be a print server.

Separately, I am also wondering why the web interface is turned on by default? It seems like extra attack surface for a root running process.

Thanks.

Comment 1 Tim Waugh 2012-10-10 14:59:56 UTC
In the default configuration for cups-1.5.4-5.fc18 (containing "Listen localhost:631"), I only see TCP sockets bound to localhost:ipp:

$ netstat -tlp | grep -w ipp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 localhost:ipp           *:*                     LISTEN      -                   
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN      -                   

I'm pretty sure you had indicated that "Listen localhost:631" caused a socket bound to [::]:ipp.

Could you please re-test and verify?  Thanks.

Comment 2 Steve Grubb 2012-11-05 14:20:29 UTC
Yes, it does appear to be local. What are your thoughts on disabling the web server interface by default? Thanks.

Comment 3 Tim Waugh 2012-11-06 16:06:40 UTC
CUPS provides a way of just serving a stub page saying "this is not enabled" with instructions on how to enable the web interface. How about if we try that in rawhide?

i.e. the result of "cupsctl WebInterface=no"

Comment 4 Tim Waugh 2012-11-19 17:17:51 UTC
It turns out (see bug #878090) that the web interface is required in order to adjust server settings in system-config-printer.  This is because server settings adjustment is performed by first fetching cupsd.conf via HTTP GET, then making adjustments, and finally replacing the config file using HTTP PUT.
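The two exposure points discussed in this bug (where cupsd listens, and whether the web interface is on) can be audited from cupsd.conf. The following is an added example, not code from the bug report or from CUPS; the sample configs are constructed inline, and it assumes that "cupsctl WebInterface=no" leaves a "WebInterface No" line in cupsd.conf.

```shell
#!/bin/sh
# Constructed audit helper (not from the bug report or CUPS): exits 0 only when
# every Listen directive is a Unix socket or a loopback address, no bare "Port"
# directive is present, and WebInterface is explicitly set to No.

# Usage: check_cupsd_conf /path/to/cupsd.conf ; prints findings, returns 0 or 1.
check_cupsd_conf() {
    conf=$1
    rc=0
    # Drop comments, keep "Listen <addr>" / "Port <n>" lines (case-insensitive).
    listeners=$(sed 's/#.*//' "$conf" |
        awk 'tolower($1)=="listen" || tolower($1)=="port" {print $1, $2}')
    oldifs=$IFS; IFS='
'
    for line in $listeners; do
        directive=${line%% *}; value=${line#* }
        case "$directive" in
            [Pp][Oo][Rr][Tt])
                echo "WARN: '$line' binds port $value on every interface"; rc=1 ;;
            *)
                case "$value" in
                    /*|localhost:*|127.*|"[::1]":*) ;;   # Unix socket or loopback: fine
                    *) echo "WARN: '$line' is reachable beyond loopback"; rc=1 ;;
                esac ;;
        esac
    done
    IFS=$oldifs
    # Assumption: "cupsctl WebInterface=no" writes "WebInterface No" to cupsd.conf.
    if sed 's/#.*//' "$conf" | grep -Eiq '^[[:space:]]*WebInterface[[:space:]]+No[[:space:]]*$'; then
        echo "OK: WebInterface No"
    else
        echo "WARN: WebInterface is not set to No"; rc=1
    fi
    return $rc
}

# Constructed sample configs: the first matches the localhost-only default
# discussed above plus WebInterface=no; the second exposes cupsd to the network.
hardened=$(mktemp); exposed=$(mktemp)
printf '%s\n' 'Listen localhost:631' 'Listen /var/run/cups/cups.sock' 'WebInterface No' > "$hardened"
printf '%s\n' 'Port 631' 'Listen *:631' '# WebInterface Yes' > "$exposed"
echo "== hardened =="; check_cupsd_conf "$hardened" || echo "(exit status $?)"
echo "== exposed ==";  check_cupsd_conf "$exposed"  || echo "(exit status $?)"
rm -f "$hardened" "$exposed"
```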

Comment 5 Steve Grubb 2013-03-07 16:50:58 UTC
Closing this bug as all that can be done is done. Thanks for looking at it.