Bug 220886 - RFE: Disable cups IPP broadcasting by default.
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: cups
Version: 9
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Tim Waugh
Keywords: Reopened
Reported: 2006-12-28 06:35 EST by Gilboa Davara
Modified: 2008-11-29 09:44 EST
Doc Type: Bug Fix
Last Closed: 2008-11-24 13:42:35 EST
External Trackers: CUPS Bugs and Features 3020

Description Gilboa Davara 2006-12-28 06:35:29 EST
Description of problem:
By default, once you enable printer sharing in system-config-printer, cups
starts broadcasting IPP packets on all available subnets.
Most users are unaware of this behaviour and might unknowingly send IPP messages
over insecure cable/ADSL lines.

Version-Release number of selected component (if applicable):
system-config-printer-0.7.40-1.fc6.x86_64

Relates to bug 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220884

- Gilboa
Comment 1 Tim Waugh 2007-01-04 11:49:45 EST
This is a limitation of how CUPS's 'Share published printers connected to this
system' checkbox works on http://localhost:631/admin.  system-config-printer
uses the same mechanism.
Comment 2 Tim Waugh 2007-01-04 11:51:29 EST
I'm not sure I see the difference between this bug and bug #220884.  The default
"as-shipped" state is not to publish printers at all.

What default are you proposing to change?
Comment 3 Gilboa Davara 2007-01-06 10:10:07 EST
Simple.
220884 is an RFE, 220886 is a bug report.
IMHO, having cups broadcast IPP packets by default, without the user knowing
about it (or needing it), is both a security and a network traffic issue. (886).
I may be wrong, but accepting network requests (over IPP, lpr, samba, etc) is
radically different than having the cups send IPP packets to all available
sub-nets - especially if the host is also connected to the Internet over an
L2TP/PPTP DSL/cable line.

On the other hand, having a way to enable it when you need it, or disable it
when you don't need it without breaking the tool-chain (by editing the
cupsd.conf by hand) is an RFE (884).

- Gilboa
Comment 4 Tim Waugh 2007-01-07 07:54:08 EST
By default, we already avoid broadcasting IPP packets by default.  You have to
explicitly enable shared queue publishing in the Server Settings.

So I don't see anything to change here.
Comment 5 Gilboa Davara 2008-11-22 01:37:56 EST
Still seeing the same problem in F9.
By default, "Browsing" is enabled once you share a printer - causing cups to broadcast IPP packets.
Again, should system-config-printer have an opt-in option to enable broadcast once you enable sharing?

- Gilboa
Comment 6 Tim Waugh 2008-11-24 13:42:35 EST
Immediately after installing F-9, only the 'Show printers shared by other systems' option is enabled.

The 'Share published printers connected to this system' option is not enabled.  This is the option that controls whether, on the one hand, no local printers are accessible to the network, or on the other hand, all local printers marked as shared are accessible to the network and IPP broadcasts are made to advertise them on local network interfaces (i.e. 'BrowseAddress @LOCAL', all non-loopback network interfaces that do not have IFF_POINTOPOINT set).

There is no CUPS option in the http://localhost:631/admin interface to individually control the cupsd.conf 'BrowseAddress' directive, separately from the 'Port'/'Listen' directives.

It sounds like that's what you're asking for.  I've filed this upstream as STR #3020.
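
An added example, not part of the original bug comments and not CUPS or system-config-printer code: a small Python check that reads cupsd.conf text and reports separately the two things this thread distinguishes, network listeners ('Port'/'Listen') and IPP broadcast targets ('BrowseAddress'). The sample configuration is constructed, and treating a missing 'Browsing' directive as enabled is an assumption of this sketch.

```python
import re

# Constructed cupsd.conf fragment (not taken from the bug report): the state
# comment 6 describes once 'Share published printers' has been ticked.
SAMPLE_CONF = """\
# constructed sample
Port 631
Listen /var/run/cups/cups.sock
Browsing On
BrowseAddress @LOCAL
"""

# Listen values that stay on the loopback interface.
LOOPBACK = re.compile(r"^(localhost|127\.\d+\.\d+\.\d+|\[::1\])(:\d+)?$", re.I)

def parse_directives(text):
    """Return (lower-cased name, value) pairs, skipping comments and <Location> tags."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        out.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return out

def audit(text):
    """Report network listeners and broadcast targets as separate findings."""
    browsing_off = False  # assumption: an absent 'Browsing' line counts as enabled
    targets, listeners = [], []
    for name, value in parse_directives(text):
        if name == "browsing":
            browsing_off = value.lower() in ("off", "no", "false")
        elif name == "browseaddress":
            targets.append(value)          # e.g. @LOCAL, @IF(name), or an address
        elif name == "port":
            listeners.append("*:" + value)  # 'Port N' listens on every interface
        elif name == "listen" and not value.startswith("/") \
                and not LOOPBACK.match(value):
            listeners.append(value)         # domain sockets and loopback are skipped
    active = [] if browsing_off else targets
    return {"network_listeners": listeners,
            "broadcast_targets": active,
            "broadcasts": bool(active)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A configuration with 'Port 631' and no 'BrowseAddress' line reports a listener but no broadcast targets, which is the accept-requests-without-advertising state the reporter asks for.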
Comment 7 Gilboa Davara 2008-11-29 09:44:23 EST
Thanks.

Just for the archives.
http://cups.org/str.php?L3020+P0+S-2+C0+I0+E0+M1000+Q

- Gilboa
